How to spot a phishing email (with the red flags that give it away)
A phishing email is one that pretends to be from a company you trust (your bank, a delivery firm, a streaming service) so that you click a link, enter your details, or open a file. Phishing emails have got far better in recent years, but most still carry a few of the same warning signs. Here is what to look for.
The red flags
- The sender address does not match the name. The display name might say “PayPal”, but the actual email address is a string of random words or a free webmail account. On a phone, tap the sender name to see the real address.
- It pushes you to act fast. “Your account will be closed in 24 hours.” “Suspicious login, confirm now.” Urgency is designed to stop you thinking. Real companies rarely threaten you into a quick click.
- A vague greeting. “Dear customer” or “Dear user” instead of your name. Not proof on its own, but a clue when it stacks up with the rest.
- Links that do not go where they claim. Hover your mouse over a link (or press and hold on a phone) to see the real address before you tap. If the link text says one thing and the address shows another, stop.
- An attachment you did not expect. Invoices, “delivery details”, or documents you were not waiting for can carry malware. Do not open them.
- It asks for something it should not. No genuine bank or company will email you asking for your full password, PIN, or a security code. Anyone who does is a scammer.
- Small slips in wording or design. Odd phrasing, a logo that looks slightly stretched, or a sign-off that is not quite right.
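Two of the red flags above (a sender name that does not match the address, and link text that does not match where the link really goes) are mechanical enough to check with a short script. The code below is an added example written for this page, not code from the original article or from any mail provider. It runs on a constructed sample message, and the list of "legitimate" sending domains it uses for the brand name is an assumption for the demo, not a real allow-list.

```python
"""Added example: mechanical checks for two of the red flags above.

Illustrative code, not from the original article. It inspects a From header
and the links in a constructed HTML message and reports:
  - a display name that names a brand while the address is on another domain
  - anchor text that shows one web address while the href points elsewhere
Real mail filters use far richer signals; this only shows the idea.
"""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email; domains are made up).
SAMPLE_FROM = '"PayPal Support" <secure-update@mail-checker-4432.example>'
SAMPLE_HTML = """
<p>Dear customer, your account will be closed in 24 hours.</p>
<p>Please <a href="http://paypal.example-login.test/verify">https://www.paypal.com/login</a>
to confirm.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help centre</a>.</p>
"""

# Assumed for the demo: which domains a brand really sends mail from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def registrable_domain(host):
    """Crude 'main domain' extraction: the last two labels of the host name.
    Good enough for the demo; production code would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header, brand_domains):
    """Return a warning when the display name mentions a brand that the
    address domain does not belong to, otherwise None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in brand_domains.items():
        if brand in name.lower() and registrable_domain(domain) not in domains:
            return f"display name mentions '{brand}' but address is @{domain}"
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a warning for each link whose visible text looks like a web
    address on one domain while the real href goes to a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text)
        # Only compare when the visible text itself looks like a web address.
        if "." not in shown.netloc:
            continue
        real = urlparse(href)
        if registrable_domain(shown.netloc) != registrable_domain(real.netloc):
            warnings.append(f"link shows {shown.netloc} but goes to {real.netloc}")
    return warnings


def analyse(from_header, html):
    """Combine both checks into one list of red flags (empty list = none found)."""
    flags = []
    sender_flag = check_sender(from_header, BRAND_DOMAINS)
    if sender_flag:
        flags.append(sender_flag)
    flags.extend(check_links(html))
    return flags


if __name__ == "__main__":
    for flag in analyse(SAMPLE_FROM, SAMPLE_HTML):
        print("RED FLAG:", flag)
```

On the sample message the script reports both the mismatched sender and the link whose visible text says paypal.com while its real destination is elsewhere; the "our help centre" link is left alone because its text is a phrase, not an address. The same checks are what you do by hand when you tap the sender name or hover over a link.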
How to check a link without getting caught
The safe move is to never use the link in the email at all. If the message claims to be from your bank or a service you use, open a fresh browser tab and type the address yourself, or use the official app. That way it does not matter whether the email was real or not.
A password manager quietly protects you here. It only fills in your login on the genuine web address it has saved. So if a phishing page is pretending to be your bank, the manager will not autofill, and that silence is a useful warning. See our password guides.
What to do with a phishing email
- Do not click anything, do not reply, and do not open attachments.
- If you are not sure whether it is genuine, contact the company through their official website or the number on the back of your card, never the details in the email.
- If you already clicked and entered a password, change that password straight away and turn on two-factor authentication.
- Report it, then delete it.
How to report it in the UK
Forward suspicious emails to the National Cyber Security Centre at report@phishing.gov.uk. For scam text messages, forward them to 7726 (free). Reporting takes seconds and helps get the fake sites taken down.
If you think you have lost money or handed over bank details, read what to do if you’ve been scammed and act quickly. More in our scams and fraud section.