📋 Quick Summary: Check the sender address, look for urgent language, hover over links before clicking, and never share personal details via email or text. When in doubt, don't click — type the address yourself.
Every day, millions of phishing messages land in UK inboxes and phones. Some are obvious. Others are frighteningly convincing.
Knowing how to spot a phishing scam is one of the most important digital skills you can learn. Here's what to look for — with real-world UK examples.
What is phishing? A scam where criminals send fake messages pretending to be a trusted organisation (bank, delivery company, government service) to steal your passwords, bank details, or personal information. When sent by text it's called smishing; by phone, vishing.
🚩 Red Flag #1: Urgent or Threatening Language
Phishing messages try to panic you into acting without thinking.
Fake email example:
"Your Netflix account has been suspended. Verify your payment details within 24 hours or your membership will be cancelled."
Fake text example:
"HSBC ALERT: Unusual activity detected on your account. Log in immediately to secure your funds: hsbc-secure.co/login"
Why it's fake: Real companies don't threaten to close your account via email or text. The link goes to a fake website designed to steal your login details.
🚩 Red Flag #2: Suspicious Sender Address
Check the sender's email address carefully, not just the display name.
Fake:
[email protected](not the real hsbc.co.uk)[email protected](extra word in the domain)[email protected](not a .gov.uk address)
Real organisations use their official domain — and they never use Gmail, Outlook, or other free email services for official communications.
🚩 Red Flag #3: Poor Grammar and Spelling
Legitimate companies have proofreaders. Scammers often don't.
Real phishing text seen in the UK:
"URGENT: Your Deliveri has been stop becuse of wrong adress. Please update your info here: bit.ly/dpd-fix"
What gives it away: Spelling mistakes ("deliveri", "adress", "becuse"), awkward phrasing, and the use of link shorteners like bit.ly are telltale signs.
🚩 Red Flag #4: Requests for Personal Information
A bank will never ask you to confirm your full password, PIN, or security details by email or text.
Fake email example:
"Barclays needs you to verify your account. Click here and enter your online banking username, password, and mother's maiden name."
The truth: If a company genuinely needs to verify your identity, they'll ask you to log into their official app or website — not click a link in a message.
🚩 Red Flag #5: Fake Links — Always Hover First
On a computer, hover your mouse over any link before clicking. The real destination appears at the bottom of your screen.
Example: A link might say www.royalmail.com but actually go to www.royalmail-reschedule.top.
On your phone: Press and hold the link to see the real URL before tapping.
🚩 Red Flag #6: Too-Good-To-Be-True Offers
Scammers tempt you with free money or prizes.
Fake text example:
"You've won a £500 Amazon voucher! Claim now: amazon-giveaway.co.uk"
Fake email example:
"Tax refund of £312.50 is available. Complete the form to receive your payment."
No legitimate organisation gives away prizes or refunds via unsolicited text messages.
Real UK Phishing Examples (2025-2026)
Royal Mail text scam:
"Royal Mail: your package has a customs fee of £1.99. Pay now to avoid return: royalmail-payment.co"
Bank impersonation call:
"This is Fraud Prevention from Lloyds Bank. We've detected a £450 payment from your account to a John Smith. To stop it, please confirm your account details."
"Hello Mum" WhatsApp scam:
"Hi Mum, I've broken my phone. This is my new number. Can you send me £200 for a new screen? I'll pay you back at the weekend."
What to Do If You Receive a Phishing Message
- Do not click any links or download attachments
- Do not reply to the message
- Report it:
- Forward phishing emails to [email protected]
- Forward scam texts to 7726 (free)
- Report scam calls to Ofcom and your phone provider
- Delete the message after reporting
- If you clicked a link and entered details, contact your bank immediately and change your passwords
CyberAware UK recommends enabling two-factor authentication (2FA) on your email and banking accounts. It adds an extra layer of protection — even if a scammer gets your password, they can't get in without your phone.
Related Guides
- Common UK Scams 2026 — see how phishing fits into the wider scam landscape
- What to Do If You've Been Scammed — emergency checklist if you clicked a link
- How to Report a Scam in the UK — full reporting guide
The Golden Rule
When in doubt, don't click. Go directly to the company's official website — type the address yourself — and check your account from there. A genuine alert will appear in your account messages or inbox.
If you've received a suspicious message, forward it to the reporting services above. Every report helps the UK's cyber security teams track down and shut down phishing operations.