How To Spot Phishing Emails

Phishing emails are so-called because, just like dangling a hook into a pond of fish, they're sent to thousands of people at random in the hope that someone bites.

Criminals regularly use email to try to capture our personal details and passwords, as well as to spread viruses.

This page shows how to spot these emails & avoid them. If you've already opened a web link or file in an email that you're now having doubts about, then see our guidance on what to do next.

What is phishing?

Phishing emails are sent by criminals to thousands of random people in the hope of stealing financial or other confidential information.

They might direct you to a fake website that asks for your personal information, or include an attachment which installs a virus or other malware on your computer when you open it.

A typical phishing email

Phishing attacks aren't just sent by email (although email is the most common route) - they can also arrive in an SMS text message (known as "smishing") and even by phone ("vishing").


How to spot a phishing email

Criminals rely on all sorts of human traits to get us to fall for their email scams, whether that's curiosity, panic, or just a desire to help others.

The good news though is that most phishing emails can be easily spotted if you know the warning signs - most will have at least one of the characteristics described below.

Check out our gallery of phishing examples (best viewed on a big screen) to see some of the tricks used - do any of these look familiar to you?

You should also take a look at our Email Scams page; here you'll see a collection of other types of email scam that are all too common.


1) Unexpected

An unexpected email

I'm not expecting any payment from this company...

Most phishing emails are sent out at random. Even when (by chance) an email appears to be from a company you have an account with, the fact it's unexpected should always make you question it.

Always pause & ask:

  • Is this email expected? If it's for a delivery you're not expecting, a product you've not bought, a payment you're not owed, or an invoice you know nothing about, then it's probably a scam.
  • Do you even know the company or person it's meant to be from?
An unexpected email that takes advantage of the WannaCry outbreak

A phishing email taking advantage of the global WannaCry outbreak.

Some scammers also take advantage of major news events to make their emails seem genuine. In May 2017, fraudsters made use of the global WannaCry ransomware attack to pose as different companies asking customers to verify their security details. Charities are also often impersonated following major disasters.

Another way that phishing emails are made to appear legitimate is by hijacking personal email accounts and sending emails to all of that person's friends.

If you ever receive anything unusual from a friend then always phone them to ask if they did send it. It's easier to do that than to clean up after a virus infection!

Criminals rely on our natural curiosity to open attachments or follow links. Always stop & think!


2) Impersonal

An impersonal email

Amazon should surely know my name?

Due to the bulk nature of email scams, most are generic and don't contain anything personal.

  • How is the email addressed - is it just to a generic "Dear customer"?
  • Does the email contain any other details unique to you? Most legitimate firms will try to prove it's a genuine email by including something personal to you which isn't publicly known, such as the last 4 digits of your credit card number.

Be aware that some malicious emails may still be personalised, so just because one contains your name or other details doesn't guarantee that it's legitimate (for example, some scams quote a password of yours that the criminals have obtained by hacking a website). But the absence of even your name in an email from a company you have dealings with should ring alarm bells.


3) Poorly written

An email with poor English

Major corporations would produce professional looking emails - and use spell check!

A lot of cyber crime originates from countries where English isn't the first language. Whilst a lot of phishing emails are very professional-looking & believable, this isn't always the case - any poor grammar or spelling is always an obvious give-away.

  • Does the email have spelling or other grammatical mistakes?
  • Does the layout look sloppy and poorly formatted?

4) A sense of urgency or worry

An email with a fake sense of urgency

This one is trying to panic me into clicking the link to avoid further fines

To persuade users to open web links or attachments criminals will often give the email a sense of urgency, create worry, or simply try to exploit our natural curiosity.

  • Does the email imply you might lose money if you ignore it? For example, is it an email confirmation of an order you didn't make (and hence hoping you'll click on an infected link to cancel it), or is it claiming a security issue on your account?
  • Does it suggest other consequences, such as a court summons or that a bank or other account will be closed if you don't act?
  • Does it prey on your curiosity, for example wanting to know who an unexpected parcel is from or who might be sending you an invoice?

5) An attachment

A virus infected attachment

An unexpected attachment - likely to be loaded with viruses!

The objective of many malicious emails is to spread malware, often by fooling you into opening an attachment which then installs a virus on your PC.

Common forms of this attack include:

  • Fake invoices;
  • Missed parcel notifications;
  • Claims of money you're owed;
  • False booking confirmations.

If you receive an attachment that you're not expecting (regardless of what type it is, for example a Word document, zip file, or spreadsheet) the golden rule is to simply not open it.


One of the biggest giveaways that an email is not legitimate is the presence of web links that don't match the expected source.

For example, in an email claiming to be from "Acme Bank", any links within it should go to www.acmebank.com - not to a random-looking web address like sdbryjddvsrg.ru.

  • Hover your mouse over any link in the email. Either in a little pop-up, or at the bottom (sometimes bottom-left) of your email program, you should see the destination of this link. Is the address what you would expect?
  • The link should always be to a page on the company's own website (such as acmebank.com/somepage.html). Be aware of slight differences that might be trying to fool you, such as "acmebankalerts.com" or "acme-security.com".

If the email is claiming to be from a company that you already have an account with, then the best thing to do is manually type their web address into the browser bar (use an address you know belongs to them - not the one in the email) and log in to your account that way to look for any messages. Never click on any link you're not sure about!

For further advice on how to read & understand domain names see our guidance here.


7) An unusual "From" address

An email with an unusual From address

Why would Apple be sending me an invoice from Shaw in Canada?

Who sent the email? If the "From" address doesn't originate from the same company as the email claims to be then this is another immediate red flag.

'From' addresses can easily be spoofed, so never trust one even if it looks legitimate - but if the criminals haven't even bothered to mask it then it's an obvious giveaway.
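The two checks just described (where a link really goes, and which domain the "From" address uses) can be automated. The script below is an added example, not part of the original page: it parses a constructed sample message (made up for this example; the Acme Bank names and lookalike domains are the page's own illustrations) and reports every link or sender address whose registered domain is not the company's own.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): it claims to be from "Acme Bank",
# but the From address and one link use the lookalike domains the page warns about.
SAMPLE_EMAIL = """\
From: Acme Bank Security <alerts@acme-security.com>
To: customer@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, your account is locked. Please
<a href="http://acmebankalerts.com/login">log in here</a> within 24 hours,
or see our <a href="https://www.acmebank.com/help">help page</a>.</p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect every <a href>: the real destination you would see by hovering."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def registrable_domain(hostname):
    # Crude: keep the last two labels (www.acmebank.com -> acmebank.com); real
    # code should use the Public Suffix List so that e.g. .co.uk is handled.
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_email(raw_message, expected_domain):
    """Return (where, value) pairs for a From address or link whose registrable
    domain is not the company's own, i.e. the page's red flags 6 and 7."""
    msg = message_from_string(raw_message)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registrable_domain(sender_host) != expected_domain:
        findings.append(("from", sender_host))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href in extractor.links:
        if registrable_domain(urlparse(href).hostname or "") != expected_domain:
            findings.append(("link", href))
    return findings
```

Running `check_email(SAMPLE_EMAIL, "acmebank.com")` flags the sender domain and the acmebankalerts.com link while accepting the genuine www.acmebank.com help page.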


What to do next?

If you've already acted on an email that you're suspicious of, for example following a suspicious web link or opening an attachment, then take a look at what to do next.

If you've not done anything with it yet though then the safest thing is to simply ignore the email & delete it. Easy!

But if you can't obviously classify it as fake, and if it looks like one which perhaps you shouldn't ignore, then try the following:

  • Check online: If the email claims to be from a company you already have an account with, then log in to it. Don't click on any links in the email - open your browser & type the web address directly. If the email was genuine you'll normally see the same message in your account.
  • Phone them up: Try phoning the company or organisation. Do a web search for their phone number (don't trust anything in the email) or, if you're a customer of theirs already, look for a phone number on a previous email or letter that you know to be from them.

But what if it is a genuine email?

Ignoring emails can feel like the wrong thing to do if there could be consequences should it indeed be genuine.

So, if you've not been able to rule the email out as being malicious, and if it's one that you just don't want to risk ignoring, then follow our advanced steps here for assessing emails. Beware - this page gets technical so it isn't for everyone; you may want a technical friend to help out!



Gallery of phishing examples

Amazon order
The aim of this email is to persuade us to query the unknown order by clicking on the 'Help Page' link - and thus download a virus in the process.
British Gas invoice
Criminals regularly impersonate popular companies to make their emails appear more believable. Learn to always stop and think - even if you happen to be a customer of British Gas!
DropBox file share
Taking advantage of our natural curiosity is a common theme amongst phishing emails. I don't know a Darren but I'm curious now as to what he might be sending me!
Email error alert
Computer error messages are so common that this one might not look too suspicious at first but the poor English, dodgy destination of the link, and unusual origin email address, all give this one away.
Scanned document
This email is another one that tries taking advantage of our curiosity, hoping that we'll open any attachment (even when we're not expecting one) to see what it is.
Parcel delivery
I don't remember ordering or sending any parcel recently, but clicking the link surely can't do any harm - can it?
Domain name warning
The people behind this email had gone to great lengths to register a genuine sounding domain name, icann-monitor.org (ICANN are the organisation that run the internet). But all is not as it seems - how many clues can you spot?
iMessage sign-in notification
This is another message designed to cause worry and make us think we've already been hacked. The irony though is that clicking the link in this email is what may cause us to get hacked in the first place!
Parcel delivery notice
It's always nice to receive parcels, and even better when it's an unexpected gift! But these fake delivery notifications are a classic scam designed to get us to open the attachment - and install a virus.
Apple invoice
Apple is such a massive company that a large portion of recipients of this email will be genuine Apple customers. Even though this message looks genuine at first glance, the warning clues are all still there.