Phishing
Deceptive emails, texts and sites that trick you into revealing passwords, codes or card details.
Last reviewed: 1 June 2026
What this scam is
Phishing uses fake emails, texts (smishing) or calls (vishing) that impersonate trusted organisations to trick you into revealing credentials, codes, or payment details, or into installing malware.
How it works
A message appears to come from your bank, a platform, or a colleague, creating urgency ('verify now', 'suspicious login', 'invoice attached'). A link leads to a convincing fake login page that captures whatever you enter.
Common red flags
- Urgent requests to verify or log in via a link
- Sender address or domain that's slightly wrong
- Requests for passwords, full card details, or one-time codes
- Unexpected attachments
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Security alert: a new device logged into your account. If this wasn't you, verify here: [fake link].
Payment methods used
- Credentials/card details harvested
Who is usually targeted
- Everyone — individuals and employees
What to do immediately
- Don't click; go to the site directly by typing the address
- Never share one-time codes or passwords
- If you entered details, change passwords and enable strong 2FA; contact your bank if card data was exposed
Evidence to preserve
- The message and sender
- The link URL
- Screenshots
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Report phishing to the impersonated organisation — Most banks/platforms have a report-phishing address
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How can I tell a real login page from a phishing one?
Don't trust links in messages — type the website address yourself or use your saved bookmark/app. Check the domain carefully, and never enter one-time codes or passwords when an inbound message prompts you to.
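The domain check described above and in the red flags ("sender address or domain that's slightly wrong") can be partly automated. The sketch below is an added example, not part of the original page; the trusted domains, the 0.85 similarity threshold and the sample links are constructed assumptions.

```python
import difflib
from urllib.parse import urlsplit

# Assumption: the domains you really use. These two are constructed placeholders.
TRUSTED = {"examplebank.com", "example-mail.org"}

def classify_link(url, trusted=TRUSTED, threshold=0.85):
    """Return 'trusted', 'lookalike' or 'unknown' for the host a link really points to."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:              # malformed link, e.g. broken IPv6 brackets
        return "unknown"
    netloc = parts.netloc.lower()   # still includes any "user@" prefix
    if not host:
        return "unknown"
    # Only an exact match or a genuine subdomain of a trusted name counts.
    for name in trusted:
        if host == name or host.endswith("." + name):
            return "trusted"
    for name in trusted:
        # Trusted name used as decoration: in the "user@" part, as a leading
        # label of another domain, or glued onto a longer name.
        if name in netloc:
            return "lookalike"
        # Near-miss spelling: compare the last labels of the host with the name.
        tail = ".".join(host.split(".")[-name.count(".") - 1:])
        if difflib.SequenceMatcher(None, tail, name).ratio() >= threshold:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links for illustration only.
    for link in [
        "https://www.examplebank.com/login",
        "https://examp1ebank.com/verify",
        "https://examplebank.com.account-check.example/login",
        "https://examplebank.com@198.51.100.7/",
        "https://weather.example.net/",
    ]:
        print(f"{classify_link(link):9}  {link}")
```

A result of "unknown" only means the host is not on your list; it is not a sign that the site is safe to log in to.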