Phishing Scams on Email
How phishing emails mimic banks, couriers, and government agencies to harvest login credentials and card details — the header signals, link tricks, and habits that protect you.
Part of: Phishing
Last reviewed: 1 June 2026
Email remains the most-used delivery channel for phishing. Its effectiveness stems not from technical sophistication but from volume and mimicry: a well-crafted phishing email can reproduce a bank's formatting, colour scheme and tone well enough to fool recipients who are distracted or in a hurry. The mechanics of email are exploited at every step: a display name and sender address can be forged or made to look plausible, a link can point at a lookalike domain while showing legitimate-looking text, and an embedded tracking pixel tells the sender which addresses are live and who opened the message, so that the next wave can be aimed at the people most likely to click.
This guide covers the specific features of phishing emails that distinguish them from legitimate messages, the quick checks you can do before clicking any link, and what to do if credentials have already been entered.
How this scam works on Email
Phishing emails typically impersonate a trusted sender — a bank, a delivery company, a government department, or a popular service like Amazon, PayPal, or Microsoft 365. The visual design may be near-identical to genuine communications from those organisations. The email creates urgency: an account will be suspended, a parcel has a customs hold, a payment failed, or unusual activity was detected.
The link embedded in the email leads to a lookalike login page. The domain name is the primary giveaway: it may substitute a digit for a letter (a zero for an 'o', a one for an 'l'), insert a hyphen or an extra word in an unexpected position, use a different top-level domain (.net instead of .com), or bury the genuine name inside a subdomain of an unrelated domain (yourbank.com.verify-login.example is a site on verify-login.example, not on yourbank.com). The only part that identifies the owner is the registered domain immediately before the path, not familiar words earlier in the address. Credentials entered on the fake page are captured in real time and used immediately; attackers often log in while the victim is still on the fake site, and some phishing kits relay the login to the real site so that a one-time code the victim types is used before it expires.
Spear phishing is a more targeted variant: the email references specific personal or professional details (your full name, employer, recent transaction) to appear more legitimate. These details are often sourced from data breaches or social media. Spear phishing emails are harder to identify by appearance alone — the domain check becomes even more critical.
Common red flags
- Urgency framing: account suspension, failed payment, or unusual activity detected
- Sender email address that differs from the organisation's genuine domain
- Link URL that does not exactly match the legitimate organisation's known domain
- Generic greeting ('Dear Customer') rather than your name, in an email claiming to be from your bank
- Request to log in or verify card details via a link in the email rather than through the official app or website
- Attached file in a message about an account issue: genuine account alerts rarely carry attachments, and an unexpected document or archive is a common malware delivery route
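The sender, link and wording checks in the two sections above can be run mechanically. The Python script below is an added example written for this page, not code from any bank, mail provider or reporting service. It parses a constructed sample message, compares the free-text display name with the real sender address, pulls every link and 1x1 image out of the HTML body, and flags any host that imitates an assumed genuine domain (examplebank.com, a hypothetical value) by digit substitution, added hyphens or words, a different top-level domain or a legitimate-looking subdomain; it also notes urgency language and a generic greeting. Every domain, address and header in it is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not real mail): the display name claims to be a
# bank, but the sender address and link hosts belong to lookalike domains.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.net>
Subject: Urgent: unusual activity detected on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Your account will be suspended unless you
<a href="https://examp1e-bank.com.verify-login.net/auth">log in to verify</a>
within 24 hours.</p>
<img src="https://track.examp1e-bank-secure.net/open.gif?id=123" width="1" height="1">
</body></html>
"""

LEGIT_DOMAINS = {"examplebank.com"}  # assumed genuine domain (hypothetical)
URGENCY_TERMS = ("suspend", "unusual activity", "verify", "within 24 hours", "payment failed")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client", "dear member")
# Digit-for-letter swaps commonly used in lookalike domains.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

class LinkExtractor(HTMLParser):
    # Collects (href, visible anchor text) pairs and 1x1 tracking images.
    def __init__(self):
        super().__init__()
        self.links, self.pixels = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels. Production code should use the Public Suffix List (e.g. 'co.uk').
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_reason(host):
    """Describe how `host` imitates a genuine domain, or return None if genuine."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return None
    if "." not in reg:
        return f"'{host}' is not a valid domain"
    reg_name, reg_tld = reg.split(".", 1)
    # Undo digit swaps and hyphens so 'examp1e-bank' compares as 'examplebank'.
    collapsed = host.translate(SUBSTITUTIONS).replace("-", "")
    for legit in LEGIT_DOMAINS:
        legit_name, legit_tld = legit.split(".", 1)
        if reg_name == legit_name:
            return f"same name, different top-level domain: .{reg_tld} instead of .{legit_tld}"
        if legit_name in collapsed:
            return f"{reg} imitates {legit} (substituted characters, hyphens, extra words or a subdomain)"
    return f"{reg} is unrelated to any known domain"

def analyse(raw):
    """Run the red-flag checks over a raw RFC 5322 message and return findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and (reason := lookalike_reason(sender.domain)):
        findings.append(f"sender {sender.addr_spec}: {reason} (display name '{sender.display_name}' is free text)")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        host = urlparse(href).hostname or ""
        if reason := lookalike_reason(host):
            findings.append(f"link '{anchor}' -> {host}: {reason}")
    if extractor.pixels:
        findings.append(f"{len(extractor.pixels)} tracking pixel(s): opening confirms a live address")
    text = (str(msg["Subject"] or "") + " " + body).lower()
    if hits := [t for t in URGENCY_TERMS if t in text]:
        findings.append("urgency framing: " + ", ".join(hits))
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting rather than the account holder's name")
    return findings

if __name__ == "__main__":
    print(*analyse(SAMPLE_EMAIL), sep="\n")
```

Run against the sample it reports five findings: the sender domain and the link host both imitate examplebank.com, the image is a tracking pixel, four urgency phrases appear, and the greeting is generic. The domain comparison deliberately looks at the registered domain (the two labels before the path), which is why yourbank.com sitting inside a longer host name does not make the link genuine; for real use, replace the two-label shortcut with a Public Suffix List lookup.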
How to protect yourself
- Hover over any link before clicking (long-press on a phone) to preview the destination URL, and read the host name character by character; what matters is the registered domain immediately before the path, not familiar brand words elsewhere in the address
- For account or banking issues, navigate directly to the official site by typing it — never use a link in an email
- Enable multi-factor authentication on all important accounts so that a stolen password alone is not sufficient for access; where offered, prefer a passkey or hardware security key, which is bound to the genuine domain and cannot be relayed through a lookalike site the way a one-time code can
- Use a password manager that autofills only on the correct domain — it will not fill on a lookalike site
- Use your email provider's 'Report Phishing' option on suspicious messages rather than clicking anything in them; the report helps the provider block the campaign for other users
- If you entered credentials on a suspicious page, change your password immediately from the genuine site (typed directly, not reached via the email), change it anywhere else you reused it, and enable MFA
How to report it
- Forward phishing emails to [email protected] (UK) or [email protected] (global) to help block the sending domain
- Report to the FTC at reportfraud.ftc.gov (US), Action Fraud (UK), or your national authority
- Report the phishing email to the organisation being impersonated; most major banks and services publish a dedicated reporting address, typically phishing@ or abuse@ their own domain
- If credentials were entered, contact the relevant service immediately to change your password and review account activity
Frequently asked questions
How can I tell if an email is really from my bank?
Check the sender's full email address, not just the display name, which is free text and can say anything. The domain (the part after the @) should exactly match your bank's genuine domain. An exact match is necessary but not sufficient: the From address itself can be forged unless the bank publishes SPF, DKIM and DMARC records and your provider enforces them, so also look for an authentication failure in the message's Authentication-Results header (some webmail clients surface this as a warning banner). Also check the link destination before clicking. When in doubt, log in to your account directly by typing your bank's URL, not via the email link.
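The point that a matching sender address is necessary but not sufficient can be checked from the Authentication-Results header that the receiving mail server adds after evaluating SPF, DKIM and DMARC. The Python below is an added example for this page, not code from any mail provider; the three messages, their domains and the authserv-id mx.example.org are all constructed and hypothetical, as is examplebank.com as the bank's genuine domain. It shows the trap of reading "pass" as "legitimate": a lookalike domain that correctly publishes its own SPF, DKIM and DMARC records passes every check, because authentication proves only that the mail came from the domain it claims, not that the domain is the bank's.

```python
import email
import re
from email import policy

# Assumptions (hypothetical): the authserv-id our own mail server writes into
# Authentication-Results, and the impersonated organisation's genuine domain.
TRUSTED_AUTHSERV = "mx.example.org"
LEGIT_DOMAINS = {"examplebank.com"}

# Three constructed messages (not real mail), each carrying the header a
# receiving server adds after checking SPF, DKIM and DMARC.
LOOKALIKE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=examp1e-bank-secure.net;
 dkim=pass header.d=examp1e-bank-secure.net header.s=sel1;
 dmarc=pass (p=reject) header.from=examp1e-bank-secure.net
From: "Example Bank" <alerts@examp1e-bank-secure.net>
Subject: Unusual activity on your account

(body)
"""

SPOOFED = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail (p=none) header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
Subject: Unusual activity on your account

(body)
"""

GENUINE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=examplebank.com;
 dkim=pass header.d=examplebank.com header.s=mail;
 dmarc=pass (p=reject) header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
Subject: Your monthly statement is available

(body)
"""


def registrable(domain):
    # Last two labels; production code should consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def verdict(raw):
    """Classify a raw message from its Authentication-Results and From: headers;
    returns (status, explanation)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    # msg[...] returns the topmost header, which is the one the receiving server
    # prepended; a sender can add their own lower down, so the authserv-id at the
    # start of the value is checked before anything in it is believed.
    ar = re.sub(r"\s+", " ", str(msg["Authentication-Results"] or "")).strip()
    if not ar.startswith(TRUSTED_AUTHSERV + ";"):
        return ("unauthenticated", "no Authentication-Results stanza from our own server")
    results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I)}
    m = re.search(r"header\.from=([\w.-]+)", ar, re.I)
    dmarc_domain = m.group(1).lower() if m else ""
    if results.get("dmarc") != "pass" or registrable(dmarc_domain) != registrable(from_domain):
        return ("unauthenticated",
                f"dmarc={results.get('dmarc', 'none')} for {from_domain}: the From: address may be forged")
    if registrable(from_domain) not in LEGIT_DOMAINS:
        return ("lookalike", f"authentication passed, but only for {from_domain}, which is not the bank's domain")
    return ("genuine-domain", f"dmarc=pass and {from_domain} is the organisation's real domain")


if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "->", verdict(raw))
```

The three outcomes are the ones a reader should keep apart: a forged From address that fails DMARC, a lookalike domain that passes DMARC for itself, and the genuine domain passing for itself. Only the stanza written by your own provider counts, which is why the script refuses to believe a message whose first Authentication-Results header does not carry the trusted authserv-id.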
Is it safe to open a phishing email, or does opening it infect my device?
Simply opening a plain-text or HTML email in most modern clients carries very low risk of infection. The danger is in clicking links or opening attachments. Opening does have one cost: if your client loads remote images automatically, an embedded tracking pixel tells the sender that your address is live and the message was read, which invites further attempts; most clients can be set to block remote images by default. Some highly targeted emails do attempt to exploit mail client vulnerabilities, but the vast majority of harm comes from user interaction with the content.