Client Portal

How to Spot a Phishing Email (Before It Catches You Out)

Phishing emails are the number one way attackers get into business systems, and they're getting harder to spot. Here's exactly what to look for, and what to do if one lands in your inbox.

A virus with code and computer screens around it

At some point this week, someone at a UK business will receive an email that looks like it's from HMRC, their bank, or a colleague in senior management. They'll click a link, enter their login details, and not realise anything is wrong until it's too late.

Phishing is the starting point for the vast majority of cyber attacks. It doesn't rely on sophisticated hacking. It relies on a convincing email and a moment of distraction. The good news is that once you know what to look for, most phishing attempts are surprisingly easy to identify.

This guide walks through the warning signs, the most common scams in circulation, and exactly what to do if something suspicious lands in your inbox.

What Is a Phishing Email?

A phishing email is a fraudulent message designed to trick you into doing something you wouldn't do if you knew who was really sending it. That might mean clicking a malicious link, downloading an infected attachment, handing over login credentials, or transferring money.

The name comes from fishing: attackers cast a wide net and wait to see who bites. With modern tools, the same convincing email can be sent to hundreds of thousands of people at almost no cost. Even if only a tiny fraction fall for it, the attackers profit.

More targeted variants exist too. "Spear phishing" is aimed at a specific individual, often using personal details to make the message seem more credible. "Whaling" targets senior executives. "CEO fraud" impersonates a company director to pressure an employee into making a payment. These are harder to spot precisely because they're not generic.

The Warning Signs

The sender address doesn't match the display name

This is the single most reliable thing to check. An email might display the name "HMRC" or "Microsoft Support" but the actual sending address tells a very different story. Click or tap on the sender name to expand the full address and look carefully. Legitimate organisations send from their own domains. An email from "Barclays" that comes from barclays-secure@mail-alerts247.com is not from Barclays.

Watch for subtle misspellings too: support@micros0ft.com, noreply@paypa1.com, or domains with extra words added like amazon-help-centre.co.uk. These are designed to pass a quick glance.

It creates a sense of urgency

Urgency is one of the most reliable tools in a phisher's kit. Phrases like "Your account will be suspended in 24 hours", "Immediate action required", or "Your parcel could not be delivered" are designed to make you act before you think. Genuine organisations give you time. If an email is pushing you to do something right now, that pressure itself is a warning sign.

The greeting is generic

Emails from your bank, your employer, or your cloud provider will almost always address you by name. "Dear Customer", "Dear User", or "Hello" with no name attached suggests the sender doesn't actually know who you are. That's because they don't.

The link doesn't go where it claims

Before clicking any link in an email, hover over it with your mouse and check the actual destination shown in your browser's status bar or as a tooltip. The displayed text might say www.gov.uk/verify while the real URL points somewhere completely different. On a phone, press and hold the link to preview the address before tapping.

Be especially wary of shortened URLs (bit.ly, tinyurl.com and similar) in emails, as these are often used to obscure malicious destinations.

You weren't expecting it

An email about a parcel you didn't order, an invoice for something you didn't buy, a password reset you didn't request, or a security alert for an account you don't recognise: all of these are classic phishing triggers. If it came out of nowhere, treat it with suspicion.

It asks for sensitive information

No legitimate organisation will ask you to confirm your password, full bank account details, or National Insurance number over email. If an email asks you to provide this kind of information, either directly or by clicking through to a form, do not provide it.

Attachments you weren't expecting

Malicious attachments are one of the most common ways ransomware and malware get onto business systems. Be extremely cautious with any unexpected attachment, particularly .zip files, Word documents with macros, and PDFs that ask you to "enable content" or click to view. If you weren't expecting the file, verify with the sender through a separate channel before opening it.

Don't rely on spelling mistakes alone

It used to be said that poor grammar and spelling were reliable signs of a phishing email. That's no longer true. AI tools now allow attackers to produce polished, well-written messages that read exactly like legitimate communications. A fluent, professional-sounding email is not automatically safe.

The Most Common Phishing Scams in the UK

Knowing the most frequently impersonated organisations helps you stay alert when emails from them arrive.

  • HMRC. Tax refunds, unpaid tax demands, and threats of legal action are a constant. HMRC will never contact you about a tax refund by email or ask for payment by gift card or bank transfer via email.
  • Parcel delivery companies (Royal Mail, DPD, Evri). "Your parcel is being held" emails with a small customs or redelivery fee are extremely common. The fee is a pretext to collect your card details.
  • Microsoft and Office 365. Fake login pages that mirror the Microsoft sign-in screen exactly. Once you enter your credentials, the attacker has full access to your account and everything in it.
  • Banks and payment services. Urgent security alerts, unusual transaction notifications, and account verification requests impersonating Barclays, Lloyds, PayPal, and others.
  • CEO fraud. An email appearing to come from a company director asking a finance team member to process an urgent payment. These are often sent on a Friday afternoon when people are more likely to rush.
  • IT helpdesk impersonation. An email appearing to come from your own IT team asking you to reset your password, install software, or verify your account. This one catches people out precisely because it seems internal.

A Closer Look: Legitimate vs Phishing

Legitimate email
Phishing email
Sends from an official domain (e.g. @hmrc.gov.uk)
Sends from a lookalike or unrelated domain
Addresses you by your full name
Uses generic greetings like "Dear Customer"
Links go to the organisation's real website
Links go to spoofed or unrelated websites
Gives you time to act
Creates urgency or threatens consequences
Never asks for passwords or full card details
Asks for sensitive information directly or via a form
Attachments are expected and relevant
Unexpected attachments, often with macros

What to Do If You Receive a Suspicious Email

If something feels off, trust that instinct. Here's what to do.

  1. Don't click any links or open any attachments. This sounds obvious, but the temptation to "just check" is real. Resist it.
  2. Don't reply. Replying confirms your email address is active, which can lead to more targeted attempts.
  3. Verify independently. If the email appears to be from your bank, HMRC, or a supplier, contact them directly using a phone number or email address you already have, not one provided in the suspicious email.
  4. Report it. In the UK, you can forward phishing emails to report@phishing.gov.uk, which is run by the National Cyber Security Centre. Most email clients also have a "Report phishing" or "Mark as spam" option.
  5. Tell your IT team. If you received it at work, let your IT support know. They may need to check whether others received the same email or whether any action has already been taken on the network.

What to Do If You've Already Clicked

Don't panic, but do act quickly. The faster you respond, the better the outcome.

  • If you entered a password: change it immediately, on every account where you use the same password. Enable multi-factor authentication if you haven't already. Our guide to multi-factor authentication explains how to set it up.
  • If you entered payment details: call your bank straight away using the number on the back of your card. Ask them to freeze the card and monitor for suspicious transactions.
  • If you opened an attachment: disconnect from the internet and contact your IT support immediately. Do not use the machine until it has been assessed.
  • If you're at work: tell your IT team right away, even if you're not sure anything happened. Early notification can make the difference between a contained incident and a serious breach.
For businesses

The most effective defence against phishing isn't a technical one: it's staff awareness. Regular, short training sessions that show people real examples of phishing emails are far more effective than lengthy annual workshops. A culture where employees feel comfortable reporting suspicious emails without embarrassment is equally important. If people are afraid of being judged for clicking something, they'll stay quiet and the problem gets worse.

Build Good Habits

No filter catches everything, and no training programme makes people infallible. The goal is to make your team harder to fool and faster to respond when something does get through.

A few habits that make a real difference: pause before clicking links in any unexpected email, always check the full sender address rather than the display name, use a password manager so that even if credentials are stolen from one place they don't work elsewhere, and enable multi-factor authentication on every account that supports it. That last one alone stops the majority of phishing attacks from doing any lasting damage, even when someone does hand over their password.

If you'd like to know more about how to protect your business from phishing and other email-based threats, the National Cyber Security Centre publishes regularly updated guidance that's worth bookmarking.

Concerned about phishing risks in your business, or want to run a staff awareness session? The Tranquil IT team can help you assess your exposure and put the right protections in place.

Email us at support@tranquilit.net or call us on 01279 658331.