Phishing Scams via Email
How email phishing impersonates banks, retailers, and government agencies to harvest credentials, install malware, and commit financial fraud.
Part of: Phishing
Last reviewed: 1 June 2026
Email remains the single largest phishing vector globally. Despite widespread awareness, phishing emails continue to successfully deceive victims because they have become increasingly sophisticated — using genuine brand assets, personalised details, and technical tricks such as domain spoofing to appear credible.
This guide covers the specific mechanics of email phishing — the tactics that make fake emails convincing, the types most commonly encountered, and the steps that protect you regardless of which brand is being impersonated.
How this scam works on Email
Phishing emails typically impersonate a trusted brand — a bank, an online retailer, a parcel courier, or a government tax authority. The message creates urgency: an account suspension, a failed payment, a refund waiting, or a security alert. A prominent link or button leads to a lookalike site where credentials or payment details are entered.
More targeted 'spear phishing' uses personal information gleaned from data breaches or social media to personalise the attack — addressing you by name, referencing your employer, or mentioning a recent transaction. Business email compromise (BEC) is a high-value variant where an employee receives an email appearing to be from their CEO or finance team, instructing an urgent payment. These emails often arrive with display names that match real colleagues while the sending address is a subtle variation.
Common red flags
- Unexpected email from a bank or retailer urging immediate action on your account
- Sender address that differs from the brand's real domain by one letter or uses a subdomain
- Link destination (visible in hover) that does not match the brand's known domain
- Request for your password, full card number, or account PIN via email
- Unusual payment instruction from a colleague or executive arriving with slight address differences
How to protect yourself
- Enable multi-factor authentication on all important accounts to limit damage from harvested credentials
- Check the sender's full email address character-by-character before acting on any financial request
- Hover over links before clicking to see the real destination URL
- Go directly to the official website in a new browser tab rather than clicking links in emails
- Use email filters and your mail provider's spam/phishing reporting to protect others
How to report it
- Report phishing emails using your email client's 'Report phishing' or 'Report spam' button
- Forward phishing emails impersonating UK organisations to [email protected]; US users can forward to [email protected]
- Report to your national cybercrime agency with the full email headers
Frequently asked questions
How do I check if an email claiming to be from my bank is genuinely from them?
Check the sender's actual email address (not just the display name) for subtle misspellings or an unfamiliar domain, and hover over any links before clicking to see where they actually lead. When in doubt, don't click anything in the email — log in to your bank's website or app directly by typing the address yourself, or call the number on your card.
I clicked a phishing link and entered my login details on a fake page — what should I do first?
Go directly to the real website (typed manually) and change your password immediately, then check your account for any unauthorized activity or changes. If you reused that password anywhere else, change it there too, and enable two-factor authentication on the affected account if it's not already on.
An email looks like it's from a government agency and threatens a fine or legal action unless I click a link — is this normal?
No — legitimate government agencies generally don't threaten immediate legal action or demand payment through an emailed link, and most tax or legal matters are initiated by official mail rather than urgent email. Don't click the link; instead, go to the agency's official website directly to check whether there's a genuine notice on your account.
Can opening a phishing email (without clicking) compromise my device?
In most modern email clients, opening an email without clicking links or downloading attachments does not execute malicious code. The risk comes from following links and downloading files. However, email tracking pixels can confirm your address is active, which may lead to more targeted follow-up attacks.