📋 Quick Summary: Check the sender address, look for urgent language, hover over links before clicking, and never share personal details via email or text. When in doubt, don't click — type the address yourself.

Every day, millions of phishing messages land in UK inboxes and phones. Some are obvious. Others are frighteningly convincing.

Knowing how to spot a phishing scam is one of the most important digital skills you can learn. Here's what to look for — with real-world UK examples.

What is phishing? A scam where criminals send fake messages pretending to be a trusted organisation (bank, delivery company, government service) to steal your passwords, bank details, or personal information. When sent by text it's called smishing; by phone, vishing.

🚩 Red Flag #1: Urgent or Threatening Language

Phishing messages try to panic you into acting without thinking.

Fake email example:

"Your Netflix account has been suspended. Verify your payment details within 24 hours or your membership will be cancelled."

Fake text example:

"HSBC ALERT: Unusual activity detected on your account. Log in immediately to secure your funds: hsbc-secure.co/login"

Why it's fake: Real companies don't threaten to close your account via email or text. The link goes to a fake website designed to steal your login details.

🚩 Red Flag #2: Suspicious Sender Address

Check the sender's email address carefully, not just the display name.

Fake:

Real organisations use their official domain — and they never use Gmail, Outlook, or other free email services for official communications.

🚩 Red Flag #3: Poor Grammar and Spelling

Legitimate companies have proofreaders. Scammers often don't.

Real phishing text seen in the UK:

"URGENT: Your Deliveri has been stop becuse of wrong adress. Please update your info here: bit.ly/dpd-fix"

What gives it away: Spelling mistakes ("deliveri", "adress", "becuse"), awkward phrasing, and the use of link shorteners like bit.ly are telltale signs.

🚩 Red Flag #4: Requests for Personal Information

A bank will never ask you to confirm your full password, PIN, or security details by email or text.

Fake email example:

"Barclays needs you to verify your account. Click here and enter your online banking username, password, and mother's maiden name."

The truth: If a company genuinely needs to verify your identity, they'll ask you to log into their official app or website — not click a link in a message.

🚩 Red Flag #5: Fake Links — Always Hover First

On a computer, hover your mouse over any link before clicking. The real destination appears at the bottom of your screen.

Example: A link might say www.royalmail.com but actually go to www.royalmail-reschedule.top.

On your phone: Press and hold the link to see the real URL before tapping.

🚩 Red Flag #6: Too-Good-To-Be-True Offers

Scammers tempt you with free money or prizes.

Fake text example:

"You've won a £500 Amazon voucher! Claim now: amazon-giveaway.co.uk"

Fake email example:

"Tax refund of £312.50 is available. Complete the form to receive your payment."

No legitimate organisation gives away prizes or refunds via unsolicited text messages.

Real UK Phishing Examples (2025-2026)

Royal Mail text scam:

"Royal Mail: your package has a customs fee of £1.99. Pay now to avoid return: royalmail-payment.co"

Bank impersonation call:

"This is Fraud Prevention from Lloyds Bank. We've detected a £450 payment from your account to a John Smith. To stop it, please confirm your account details."

"Hello Mum" WhatsApp scam:

"Hi Mum, I've broken my phone. This is my new number. Can you send me £200 for a new screen? I'll pay you back at the weekend."

What to Do If You Receive a Phishing Message

  1. Do not click any links or download attachments
  2. Do not reply to the message
  3. Report it:
    • Forward phishing emails to [email protected]
    • Forward scam texts to 7726 (free)
    • Report scam calls to Ofcom and your phone provider
  4. Delete the message after reporting
  5. If you clicked a link and entered details, contact your bank immediately and change your passwords

CyberAware UK recommends enabling two-factor authentication (2FA) on your email and banking accounts. It adds an extra layer of protection — even if a scammer gets your password, they can't get in without your phone.

Related Guides

The Golden Rule

When in doubt, don't click. Go directly to the company's official website — type the address yourself — and check your account from there. A genuine alert will appear in your account messages or inbox.

If you've received a suspicious message, forward it to the reporting services above. Every report helps the UK's cyber security teams track down and shut down phishing operations.