Phishing emails: what you need to know (and do)

Phishing is a major cyber threat where criminals use deceptive messages across email, text, and social media to steal sensitive information or deliver malware. But how can you spot it and prevent yourself from becoming a victim of it?

Over 3.4 billion phishing emails are sent daily, and a significant portion of data breaches and security incidents are linked to successful phishing attacks, often due to human error like fatigue or distraction.

Phishing attacks are evolving with new tactics like AI-driven attacks and quick-to-disappear malicious sites, requiring ongoing vigilance and awareness from individuals and organisations alike. 

In this blog, we take a look at what you should be aware of, the methods used by criminals and the pitfalls of becoming a victim to a phishing attack.

1. What is an example of email fraud?

Email fraud - commonly known as phishing - is when attackers craft deceptive emails to trick you into giving up sensitive information or installing malware. In essence, phishing is a form of social engineering, often appearing as if it's from a trusted organization like your bank, a government agency, or a familiar service.

Illustrative examples include:

• Fake DVLA emails: Scams impersonating the Driver and Vehicle Licensing Agency, claiming your vehicle tax payment failed - linked to fraudulent websites. You can read more via The Sun.

• “Hello Pervert” sextortion emails: Messages that claim to have compromising recordings and demand payment - leveraging fear and urgency. The NCSC warns these are bluff tactics. Recipients are advised not to respond, not to open attachments, but instead to forward them to the UK Suspicious Email Reporting Service and then delete them. More details on this can be found in The Guardian.

2. Signs that a suspicious email might be a phishing email

The NCSC (and related sources) highlight several giveaway signs that an email may be a phishing attempt:

• Generic or impersonal greetings: e.g., “Dear Customer” instead of your actual name.

• Suspicious sender address: Hover over the sender to check if the email truly matches the stated organisation.

• Urgent or alarming messaging: Scammers often urge immediate action - NCSC emphasises that legitimate organisations typically don’t demand urgent responses via email.

• Offers that seem 'too good to be true': Very attractive deals or rewards are classic phishing hooks.

• Requests for personal, financial, or login/passport details: Genuine institutions will not ask for these by email.

• Poor spelling, odd grammar, and low-quality visuals or logos can also betray inauthenticity.

• Suspicious links or attachments: Hover over links to preview the real URL; don’t click if redirected to a strange domain. Attachments may contain malware - don’t open unless fully confident.

  
  

3. Can your email get hacked by opening it?

Yes - merely opening an email (or emailing a fraudulent 'open tracking' pixel) can alert scammers that your account is live. This can make you a target for further scams.

Moreover, if you click links or download attachments, you risk installing malware or being redirected to malicious websites that can compromise your credentials.

4. Tips to avoid becoming a victim of a malicious email

Based on NCSC guidance and allied advice, here are steps to reduce your risk:

• Always be sceptical - question unexpected or unsolicited communications.

• Check the sender - hover to verify email addresses before trusting the sender.

• Don’t click on unfamiliar links or attachments - especially in unsolicited emails.

• Avoid sharing private information by email - banks, government agencies, etc., will not ask that way.

• Use spam filters and privacy settings to reduce exposure, especially on social media.

• Use strong, unique passwords - use three random words coupled with numbers or characters, or generate a password via a reputable password manager.

• Enable two-step verification (2FA), preferably via an authenticator app - not just SMS.

• Enable automatic message deletion in apps like WhatsApp, if possible - this is helpful in case harmful content is shared.

• Think before acting - NCSC's simple advice? "If in doubt, delete."

5. What to do if you become a victim

If you suspect you’ve fallen for a phishing attempt:

1. Immediately change passwords for affected accounts - and any other account using the same password.

2. Enable or reinforce 2FA on those accounts.

3. Run a full antivirus scan on your devices.

4. If sensitive data (e.g. banking info) was shared, contact your bank or card provider promptly to report and secure your accounts.

5. Report the incident:

   • In the UK, forward suspicious emails to the NCSC’s Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.

   • If you’ve suffered financial loss or possible hacking, report to Action Fraud - online or via 0300 123 2040.

6. Don’t respond to scam emails (including sextortion threats) - this confirms to scammers that your email is live, making you more at risk.

7. Don’t pay ransoms or comply with threats. Most sextortion scammers have no actual video footage - it’s a bluff.

8. If you did pay (e.g., sextortion), contact your local police via 101, and seek emotional support from services like Victim Support.

   
   

Final thoughts

Phishing remains one of the most common and effective cyber threats. The NCSC’s guidance - spotting urgency, validating senders, reporting scams, and reinforcing your defences - is your best ally. If something doesn’t feel right in your inbox, pause and think - then report or delete.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).