Phishing is the starting point for the majority of cybercrime. This guide covers the main attack types, the warning signs, what to do if you're targeted, and exactly how to report it in the UK.
Phishing is a type of social engineering attack where criminals impersonate a trusted organisation or individual to trick you into revealing sensitive information, transferring money, or installing malware. The name comes from "fishing" — casting a wide net and waiting for victims to bite.
Unlike attacks on software vulnerabilities, phishing exploits human psychology. It works by triggering emotions: fear (your account will be closed), urgency (act now), greed (you've won a prize), or trust (this is from your bank). Modern phishing attacks are increasingly sophisticated, using AI to write convincing messages and personalising attacks with data gathered from social media and previous data breaches.
The old "bad spelling" rule no longer applies. AI tools can write perfectly grammatical, convincing phishing emails in any language. Do not assume a message is safe because it is well-written.
Phishing has evolved well beyond email. Here are the main attack types you need to know about.
Email phishing: the most common form. Mass emails impersonating banks, HMRC, delivery companies (Royal Mail, DPD), streaming services (Netflix), or tech companies (Apple, Microsoft). The goal is to steal credentials or install malware.
Smishing: phishing via text message. Increasingly common because people are less suspicious of texts than emails, and because a link in a text is harder to inspect before tapping. Often impersonates banks, Royal Mail, or the NHS. The link in the text leads to a fake website.
Vishing: phone calls from scammers impersonating banks, HMRC, the police, or tech support (Microsoft, BT). They may already know some of your details from data breaches, making them seem legitimate. Caller ID is often spoofed, so the number on screen proves nothing; hang up and call the organisation back on a number you already hold.
Spear phishing: highly targeted attacks using personal information gathered from social media, LinkedIn, or company websites. The email appears to come from a known colleague, manager, or supplier, often from a lookalike domain or with a display name copied from a real contact. Extremely convincing and often used in business email compromise (BEC) fraud.
Clone phishing: a legitimate email you previously received is copied and re-sent with malicious links or attachments replacing the originals. The sender address is spoofed to match the original. Particularly dangerous because the context is real and you expected the message.
Whaling: spear phishing specifically targeting senior executives ('big fish'). Attackers research the target extensively and craft highly convincing emails. Often involves fake legal notices, board communications, or regulatory demands.
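The spear-phishing, clone and whaling attacks above all rely on a sender that looks familiar. As an added example (not code from the original guide), the Python script below shows how a mail filter or an analyst tests a message's headers for the tells those attacks leave behind: a known colleague's display name on a different address, a lookalike sender domain, a Reply-To that sends your answer elsewhere, and failed SPF/DKIM/DMARC verdicts recorded by the receiving mail server. The organisation domain, the contact list and both sample messages are constructed for the example and are not real mail.

```python
"""Added example (not from the original guide): flag business email compromise
tells in a message's headers, the way a mail filter or an analyst would."""
from email import message_from_string
from email.utils import parseaddr
import re

# Hypothetical organisation data, assumed for this example.
OUR_DOMAIN = "example-corp.co.uk"
KNOWN_CONTACTS = {"Alex Taylor": "alex.taylor@example-corp.co.uk"}  # name -> real address

# Digits that phishers swap for letters in lookalike domains (0->o, 1->l, 3->e, 5->s).
DIGIT_SWAPS = str.maketrans("0135", "oles")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def imitates_our_domain(domain: str) -> bool:
    """True when a domain imitates ours without being ours or a subdomain of it,
    e.g. example-c0rp.co.uk, example-corp.co, example-corp-payments.com."""
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return False
    return OUR_DOMAIN.split(".")[0] in domain.translate(DIGIT_SWAPS)


def header_warnings(raw_message: str) -> list[str]:
    """Return human-readable warnings for the BEC tells found in the headers."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # 1. Display-name impersonation: a colleague's name on a stranger's address.
    real_addr = KNOWN_CONTACTS.get(from_name)
    if real_addr and from_addr.lower() != real_addr:
        warnings.append(f"display name '{from_name}' belongs to {real_addr}, "
                        f"but this came from {from_addr}")

    # 2. Lookalike sender domain.
    from_domain = domain_of(from_addr)
    if imitates_our_domain(from_domain):
        warnings.append(f"sender domain {from_domain} imitates {OUR_DOMAIN}")

    # 3. Reply-To diverts replies to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To sends your reply to {reply_addr}, not to the sender")

    # 4. The receiving server's SPF/DKIM/DMARC verdicts, if it recorded them.
    auth = msg.get("Authentication-Results", "")
    failed = [f"{m}={r}" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
              if r.lower() != "pass"]
    if failed:
        warnings.append("sender authentication not passed: " + ", ".join(failed))
    return warnings


# Constructed sample messages for the example (not real mail).
SAMPLE_BEC = """\
Authentication-Results: mx.example-corp.co.uk; spf=fail smtp.mailfrom=example-c0rp.co.uk; dkim=none; dmarc=fail header.from=example-c0rp.co.uk
From: Alex Taylor <alex.taylor@example-c0rp.co.uk>
Reply-To: Alex Taylor <ceo.urgent@webmail.example>
To: finance@example-corp.co.uk
Subject: Urgent wire transfer needed today

I'm in a meeting and can't take calls. Please pay the attached invoice before 3pm. Alex
"""

SAMPLE_OK = """\
Authentication-Results: mx.example-corp.co.uk; spf=pass smtp.mailfrom=example-corp.co.uk; dkim=pass header.d=example-corp.co.uk; dmarc=pass header.from=example-corp.co.uk
From: Alex Taylor <alex.taylor@example-corp.co.uk>
To: finance@example-corp.co.uk
Subject: Board pack for Thursday

Attached as discussed. Alex
"""

if __name__ == "__main__":
    for label, sample in (("BEC sample", SAMPLE_BEC), ("Legitimate sample", SAMPLE_OK)):
        print(label, "->", header_warnings(sample) or "no warnings")
```

Run as a script it prints four warnings for the constructed BEC message and none for the legitimate one. The Authentication-Results check is the one most people never see: it is added by your own mail server, not by the sender, so a fail or none there is hard for the attacker to forge, whereas the From line is entirely under their control.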
Act quickly — the faster you respond, the more you can limit the damage. Follow these steps in order.
Panic leads to mistakes. Take a breath and work through these steps methodically. Time matters but so does doing this correctly.
If you opened an attachment or installed something: disconnect the device from the internet immediately to limit what any malware can do. Run a full antivirus scan. Change your passwords from a different, clean device, not from the one that may be infected.
If you typed a password into a fake site: change the password for the affected account immediately, and change it on any other site where you used the same password. Enable two-factor authentication if you haven't already.
If you shared card or banking details, or made a payment: call your bank immediately using the number on the back of your card, or dial 159, the Stop Scams UK service that connects you to your bank (most major UK banks take part). The faster you call, the better the chance of stopping or recovering a payment.
If you shared personal details (name, address, date of birth, National Insurance number): contact Cifas (cifas.org.uk) to add Protective Registration, a paid service that flags your name so lenders carry out extra checks, to your credit file. Check your credit report with Experian, Equifax, and TransUnion for any accounts you didn't open.
Report it: report to Action Fraud (0300 123 2040, or online) and forward the email to report@phishing.gov.uk, the NCSC's Suspicious Email Reporting Service. Your report helps protect others by enabling the NCSC to take down malicious sites.
Reporting phishing protects others. The NCSC's Suspicious Email Reporting Service has taken down over 235,000 malicious websites since 2020.
Forward any suspicious email to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk. They investigate and take down malicious sites. You won't get a personal reply, so this is not a substitute for contacting your bank if money is at risk.
Forward suspicious texts to 7726 (spells SPAM on a phone keypad). Works on all UK networks and is free.
Action Fraud is the national reporting centre for fraud and cybercrime in England, Wales and Northern Ireland (in Scotland, report to Police Scotland on 101). Report if you have lost money or been a victim.
If you have transferred money or shared financial details, call your bank immediately or use the 159 hotline.
Forward suspicious emails claiming to be from HMRC to their dedicated phishing team at phishing@hmrc.gov.uk; suspicious texts claiming to be from HMRC can be forwarded to 60599.
Report scam websites directly to the NCSC using their online reporting tool.
Even if your password is stolen, 2FA stops an attacker who has only the password. It is not absolute: a fake site that proxies the real login page can relay an SMS or app code in real time, so prefer passkeys or a hardware security key, which only work on the genuine domain, where the service offers them.
Use a password manager to generate and store a unique password for every site, so one breach can't compromise everything. A manager also won't fill your password into a lookalike domain, which is a useful tell in itself.
If your 'CEO' emails asking for a wire transfer, call them directly using a number you already have, never a number or contact given in the message itself. The same applies to a supplier asking you to update their bank details.
Malicious attachments and links often rely on unpatched browsers, office suites and operating systems to install malware. Updates close these gaps, so turn on automatic updates.
Hover over links (long-press on a phone) to see the real destination before you click. Read the part of the address that identifies the site, which is the registered domain just before the first slash, not the words at the start: in hsbc.co.uk.secure-login.example the site is secure-login.example, not HSBC. Look for misspellings, swapped characters (paypa1 for paypal) and wrong domains.
No legitimate organisation will phone, text or email you asking you to read out or forward a one-time code. Codes are for you to type into the site or app you opened yourself; anyone asking for one is trying to log in as you.
Whether by email, text, or phone — if you didn't initiate the contact, be cautious.
Most email providers have built-in phishing and spam filtering. Make sure it's enabled and up to date; it catches most mass phishing but not everything, so the checks above still matter.
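Hovering shows the real address, but reading it correctly is the hard part. As an added example (not code from the original guide), the Python script below applies the checks a practitioner makes on a link: which part of the hostname was actually registered, a brand name used as a subdomain of some other site, one-character misspellings and digit-for-letter swaps, punycode hostnames, raw IP addresses, and a bogus "username" placed before an @ to make the real host look like a path. The brand allow-list, the short public-suffix table and the sample links are assumptions constructed for the example; a real tool would use the full Public Suffix List.

```python
"""Added example (not from the original guide): inspect where a link really goes
and flag the domain tricks phishing pages rely on."""
from urllib.parse import urlparse
import ipaddress

# Simplified stand-in for the Public Suffix List; assumption: enough for UK examples.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "nhs.uk", "me.uk"}

# Hypothetical allow-list: brand keyword -> the domain that brand really uses.
KNOWN_BRANDS = {"hsbc": "hsbc.co.uk", "royalmail": "royalmail.com", "paypal": "paypal.com"}

# Digits phishers swap for letters (0->o, 1->l, 3->e, 5->s).
DIGIT_SWAPS = str.maketrans("0135", "oles")


def registrable_domain(host: str) -> str:
    """The part of a hostname someone actually registered: login.hsbc.co.uk -> hsbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(url: str) -> list[str]:
    """Return the phishing tells found in a URL (empty list = nothing suspicious)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    warnings = []
    if parsed.scheme != "https":
        warnings.append("not https")
    if parsed.username is not None:
        warnings.append(f"text before '@' ({parsed.username}) is a username, not the site; "
                        f"the real host is {host}")
    if not host:
        return warnings + ["no hostname"]
    try:
        ipaddress.ip_address(host)
        return warnings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # a normal hostname; carry on with the domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname: may use lookalike non-Latin characters")

    site = registrable_domain(host)
    site_label = site.split(".")[0]
    for brand, real_domain in KNOWN_BRANDS.items():
        if host == real_domain or host.endswith("." + real_domain):
            continue  # genuinely the brand's site (or a subdomain of it)
        if brand in host:
            warnings.append(f"'{brand}' appears in the address but the site is {site}")
        elif site_label != brand and levenshtein(site_label.translate(DIGIT_SWAPS), brand) <= 1:
            warnings.append(f"{site} looks like {real_domain} (possible misspelling)")
    return warnings


if __name__ == "__main__":
    # Constructed links for demonstration; .example is a reserved, non-routable TLD.
    for link in ("https://www.hsbc.co.uk/login",
                 "https://hsbc.co.uk.secure-login.example/verify",
                 "http://hsbs.co.uk/",
                 "https://paypa1.com/",
                 "https://www.hsbc.co.uk@203.0.113.5/login"):
        print(link, "->", link_warnings(link) or "no warnings")
```

The first sample link is the genuine site and produces no warnings; each of the others trips at least one check. The brand-in-subdomain test is the important one: browsers and humans read left to right, but the registry only cares about the labels immediately before the public suffix, which is why the script works from the right-hand end of the hostname.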