Dealing with a Phishing Attack

What is a Phishing Attack?

A phishing attack is when a criminal communicates with you via deceptive emails, messages, or websites to try and trick you into sharing sensitive information, such as credit card numbers, account usernames & passwords and security information. Phishing emails often try to lure you to a fake website to trick you into entering your login details so the criminals can gain access to the real website. The phishing emails, or fake websites, may also be loaded with malicious software that infects the recipient and enables a wider cyberattack. Scammers may impersonate trusted organisations (such as banks, government agencies, delivery companies, or colleagues) and exploit personal information gleaned from social media or public sources.

We want to better understand the impact this issue has on the people it affects. Can you share your experience by filling in this online form? This will help us better protect future victims.


How to Spot a Phishing Email

Phishing emails used to be easier to recognise. Years ago, they might have looked clumsy, like a so-called “Nigerian Prince” asking for your help to transfer money. These days, criminals have become much more sophisticated. They work hard to make their emails look genuine, sometimes even researching their victims in advance. 

Common phishing red flags to look out for:

  • Suspicious sender address - At first glance, an email might appear to come from your bank, delivery company, or a colleague. But on closer inspection, the sender’s address often reveals the truth. For example, instead of @barclays.co.uk it might say @barclays-secure.com. Always click on the sender’s name to see the real email address.

  • Requests for secret information - Be on alert if you are asked to confirm a password, bank details, or a security code. Genuine organisations will never ask for this by email.

  • Unexpected attachments - An email with an invoice you weren’t expecting, or a file from someone you don’t know, is risky. Attachments are a common way to deliver malware.

  • A sense of urgency - Messages claiming “your account will be suspended in 24 hours” or “a friend needs money right now” are designed to make you panic and act quickly without thinking. Take a step back and verify first.

  • Strange or misspelt links - Hover your mouse over any link before clicking. A legitimate website should look exactly right. If it looks odd, even slightly, don’t click.

  • Poor spelling and grammar - While not always present, many phishing emails contain awkward wording or errors that legitimate companies wouldn’t send out.

  • The message incorporates links that seem dubious - Hover your cursor over the link to reveal the actual URL. Pay special attention to subtle misspellings in a seemingly familiar website URL, as it’s a red flag for deceit. It’s always safer to manually enter the URL into your browser instead of clicking on the embedded link.

  • The message induces fear - Be cautious if the email uses charged or alarming language to instil a sense of urgency, urging you to click and “act immediately” to prevent account termination. Remember, legitimate organisations won’t request personal information via email.

  • The email presents an offer that seems too good to be true - It might claim you’ve hit the jackpot, won an extravagant prize, or other improbable rewards.

  • Generic greetings - A message that starts with a generic greeting (e.g., “Dear Customer” rather than your name) is always a red flag.

  • Spoofed sender addresses - Look out for domain names that are similar to the genuine one but slightly different, including look-alike domains and sub-domains designed to resemble the real address.

  • Unexpected attachments and links - Treat both as risky: attachments are a common route for malware, and links should be checked by hovering over them, or avoided altogether by typing the official website address yourself.


💡 Example: You might receive an email saying:

“Dear Customer, we have detected unusual activity on your account. Please click the link below and enter your details immediately to avoid being locked out.”

This is a classic phishing attempt. If you’re ever unsure, contact the company directly using details from their official website - not the ones in the suspicious message.
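As an added illustration (not code from The Cyber Helpline page), the red-flag checks above can be applied automatically to a message: the allowlist of genuine domains, the sender address and the links in the sample are assumed values constructed for this example, built around the wording quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Allowlist and urgency phrases are assumed sample values for this illustration.
LEGIT_DOMAINS = {"barclays.co.uk"}
URGENCY = ("immediately", "within 24 hours", "suspended", "locked out", "act now")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s<>]+)", re.I)

def registrable(host):
    """Crude registrable domain: last two labels, or three for co.uk-style names."""
    parts = host.lower().split(".")
    return ".".join(parts[-3:] if len(parts) > 2 and parts[-2] in ("co", "org", "gov", "ac") else parts[-2:])

def sender_flags(from_header):
    """Flag a sender domain that embeds a genuine brand name but is not that domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return [f"look-alike sender domain: {domain} (genuine: {legit})"
            for legit in LEGIT_DOMAINS
            if domain and domain != legit and legit.split(".")[0] in domain]

def link_flags(html):
    """Flag links whose visible text shows one site but whose href goes to another."""
    flags = []
    for href, text in HREF_RE.findall(html):
        real, shown = HOST_RE.search(href), HOST_RE.search(text)
        if real and shown and registrable(real.group(1)) != registrable(shown.group(1)):
            flags.append(f"link text shows {shown.group(1)} but points to {real.group(1)}")
    return flags

def urgency_flags(text):
    lowered = text.lower()
    return [f"urgency wording: '{w}'" for w in URGENCY if w in lowered]

def check_email(raw):
    """Run all three checks over a raw message and return the red flags found."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    return sender_flags(msg["From"]) + link_flags(body) + urgency_flags(body)

# Constructed sample message built around the wording quoted above.
SAMPLE = """From: Barclays Security <alerts@barclays-secure.com>
Subject: Unusual activity
Content-Type: text/html

<p>Dear Customer, we have detected unusual activity on your account. Please click the link below and enter your details immediately to avoid being locked out.</p>
<a href="http://login.barclays-secure.com/verify">https://www.barclays.co.uk/login</a>
"""
```

Running `check_email(SAMPLE)` returns four flags: the look-alike sender domain, the link whose visible text and destination disagree, and two urgency phrases; the same message sent from the genuine domain with a matching link leaves only the urgency wording.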

Would you like us to review an email and let you know what we think?

We now offer a free phishing email check. You can share the suspicious email with us and one of our volunteers will review it using leading email analysis software. They will then let you know their opinion and help you with the next steps. 

What to Do if You Fall for a Phishing Scam

Falling for a phishing scam can be frightening, but it’s important to know you are not alone. Even cybersecurity professionals can be caught out. What matters most is acting quickly to limit the damage.

Quick Response Checklist

  • Disconnect from the internet

    • On a computer: turn off Wi-Fi or unplug the cable.

    • On a phone: switch to airplane mode.

      This prevents further communication with the attacker and stops malware from spreading.

  • Change your passwords

    • If possible, use a different device that you trust.

    • If you only have one device, scan it for malware first, then change your passwords.

      Start with the most important accounts: email, online banking, and social media.

  • Contact the organisation that was spoofed

    • Let them know you received the phishing email and what information you shared.

    • If you entered financial details, contact your bank immediately - they may freeze your account or issue a new card.

  • Scan your device for malware

    • Use antivirus software or built-in security tools to check for infections.

    • You can see our guide for finding and removing malicious software here.

    • Remove any suspicious apps/software.

  • Watch for identity theft

    • Check your bank and credit card statements for unusual activity.

    • Where possible, set up alerts for suspicious transactions.

Report it to the National Cyber Security Centre & the Police

If you are in England, Wales or Northern Ireland, you should report all cybercrime to Action Fraud. In Scotland, you can see details of reporting to Police Scotland here.

You can also send the email to the National Cyber Security Centre by forwarding it to report@phishing.gov.uk. They will work to see if they can stop the phishing scam. You can get more information about how this works here.

How to Protect Yourself in the Future

  1. Enable Two-Factor Authentication (2FA) - This adds an extra layer of protection to your accounts. Even if a criminal steals your password, they won’t be able to log in without the second factor (like a code sent to your phone).

  2. Stay updated - Keep your devices (PCs, phones, tablets) fully updated (OS, apps, security patches).

  3. Be suspicious of unexpected messages - Anyone can email or text you. If something feels “off,” pause before responding.

  4. Verify requests - If you get a message you weren’t expecting (from bank, colleague, supplier), contact them via a known official channel (not via the links or numbers in the suspicious message).

  5. Trust your gut instinct - Most victims say they had a bad feeling about the email before clicking. If it doesn’t feel right, it probably isn’t.

  6. Never share sensitive information by email - Banks and other legitimate organisations will never ask for your password or security codes by email.

  7. Type website addresses directly - Instead of clicking links, type the company’s official website into your browser.

  8. Check phone numbers - If an email or text gives you a number to call, confirm it on the organisation’s real website before dialling.

  9. Enable filters - Consider enabling spam/phishing filters, and ensure your email provider’s security settings are active.

  10. Use 159 for bank scams - If someone contacts you claiming to be your bank, hang up and dial 159. This will connect you safely to your bank (if they’re part of the scheme). Find more information here.

  11. Keep learning - Programmes like Friends Against Scams can help you and your family stay alert to the latest scams. Complete their online training here and increase your knowledge on scams to protect yourself and your loved ones. If you are getting inundated with scam messages, then you may also be interested in signing up to be a Scam Marshall here to help fight back against scams.

Other Types of Phishing to Watch For

Phishing doesn’t just happen by email. Criminals use a range of methods to try to catch you off guard:

  • Spear Phishing - Targeted scams that use personal details (like your job role or workplace) to make them more convincing.

  • Vishing - Voice phishing, where criminals call pretending to be from your bank, HMRC, or tech support.

  • Smishing - Phishing sent by text message with links to fake websites.

  • Whale Phishing - A type of phishing attack that targets high-level corporate officers with fraudulent emails, text messages or phone calls.

Being aware of these variations makes it harder to be tricked.

Donate

Your generosity makes our free support possible. Please consider giving today.

Without donations, we cannot keep our service free or provide help to the most vulnerable victims of cybercrime when they need it most. As a not-for-profit organisation, every donation goes directly towards keeping The Cyber Helpline up and running. Donate now and help us support victims of cybercrime.

To help people like you, we rely 100% on donations from people like you.