Quick answer
A phishing email tries to trick you into clicking a link, sharing personal information, or opening an attachment by pretending to be someone you trust. If the sender address doesn't match the organisation, the message creates urgency, or you're being asked to log in through a link — treat it as suspicious. Go to the organisation's official website directly rather than using anything in the email.
Phishing is one of the most common ways people are defrauded online. The word comes from "fishing" — scammers cast a wide net, sending millions of emails, hoping enough people take the bait. You don't need to be careless to fall for one. Modern phishing emails can be extremely convincing, and they're designed to catch you at an unguarded moment.
Understanding what to look for — and what to do when something feels off — is genuinely useful. This guide covers both.
What does a phishing email look like?
Phishing emails typically pretend to be from an organisation you recognise or already use: a bank, HMRC, Amazon, Royal Mail, Microsoft, PayPal, or your internet provider. The message usually asks you to do something that involves clicking a link — to verify your account, confirm a payment, claim a refund, or avoid a service interruption.
Subject: Important: Your tax refund of £312.00 is ready to claim
Dear Customer,
Our records show that you are entitled to a tax refund of £312.00 for the period 2024–2025. To process your refund, you must verify your details within 48 hours or your refund will be cancelled.
Click here to claim your refund
Notice what's going on here. The sender claims to be HMRC but the actual email domain — hmrc-gov-refund.com — is not a GOV.UK address. The message creates urgency with a 48-hour deadline. It offers money (a refund) to make you want to act. These are classic phishing patterns.
The warning signs to look for
- The sender address doesn't match the organisation — look at the actual domain after the @ symbol, not just the display name
- The Reply-To address is different from the sender address — this is a strong red flag
- The message creates urgency — you must act within 24 or 48 hours, or your account will be suspended, closed or charged
- You're asked to click a link to log in, verify your details, or confirm payment
- The link destination (visible on hover on desktop) doesn't match the official domain
- There's an attachment you weren't expecting — especially a .zip, .pdf, or .docx file
- The message offers a refund, prize, or payment — combined with a link to claim it
- The grammar or phrasing is slightly off, or the email addresses you generically ("Dear Customer" rather than your name)
- You weren't expecting any contact from this organisation
Any one of these is worth taking seriously. Several together are a strong sign you're looking at a phishing email.
How scammers make phishing emails look real
Modern phishing emails often copy the exact branding of the organisation they're impersonating — the logo, colour scheme, font, footer text, even legal disclaimers. They might include your name, pulled from a data breach or public source, to make the email feel more targeted.
Some phishing emails include correct details about you — your postcode, a past order number, the last four digits of a card — to appear more credible. This doesn't mean the email is genuine. It means the sender had access to some of your personal data.
A professional-looking email is not evidence that it's real. The two most reliable things to check are the sender domain and where any links actually go.
The sender address and the Reply-To address
Every email has two addresses worth checking. The sender address is where the email came from. The Reply-To address is where your reply would go — and in phishing emails, these are often different.
A legitimate email from HMRC will come from a gov.uk domain. A legitimate email from your bank will come from your bank's official domain. If the email address ends in anything else — hmrc-refunds.co.uk, gov-uk-verify.net, a Gmail account, a random string of characters — it's not from the organisation it claims to be from.
Display names are easy to fake. The sender might show "HMRC — Tax Refunds" as the display name, while the actual address is something entirely different. Click or tap on the sender name to reveal the full address before trusting the message.
How to check where a link goes without clicking it
On a desktop or laptop, hover your mouse over any link in the email without clicking. The destination URL will appear in the bottom bar of your browser or email client. Check whether that URL matches the official domain of the organisation.
On a smartphone, press and hold the link — most email apps will show a preview of the destination. Do the same check: does the domain look like the genuine organisation's website?
If you can't verify where a link goes, or if the domain looks unfamiliar or slightly wrong — don't click. Go to the organisation's website directly by typing their address in your browser, or use their official app.
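The checks above (the real domain after the @, a Reply-To that differs from the sender, where each link actually points, urgency wording, a generic greeting, an unexpected attachment) can all be read straight off a raw email. The script below is an added example, not code from this guide or from the Summarly tool: it parses a raw message with Python's standard email library and reports each warning sign it finds in plain English. The official-domain list and both sample messages are constructed for illustration (the suspicious one is modelled on the HMRC refund email above; its Reply-To domain is invented). Some legitimate bulk mailers do set a Reply-To that differs from the sender, and a genuine email can mention a payment, so the checker lists signs for a person to weigh rather than giving a verdict.

```python
"""Added example (not from the original guide or the Summarly tool): a checker
that reads a raw email and reports the warning signs the guide lists. The
official-domain list and both sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the genuine organisation sends from (constructed; look these up on
# the organisation's official website, never in the email itself).
OFFICIAL_DOMAINS = {"gov.uk"}
URGENCY = ("within 24 hours", "within 48 hours", "will be cancelled",
           "will be suspended", "will be closed")
MONEY = ("refund", "prize", "payment", "reward")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def domain_of(address):
    """Lower-case domain after the @ of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_official(host, official=OFFICIAL_DOMAINS):
    """True if host is an official domain or a subdomain of one: the suffix
    match accepts hmrc.gov.uk but rejects gov.uk.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


def extract_links(body):
    """href targets and bare URLs from the body, de-duplicated, in order."""
    return list(dict.fromkeys(HREF_RE.findall(body) + URL_RE.findall(body)))


def analyse_email(raw, official=OFFICIAL_DOMAINS):
    """Return plain-English warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Check the real domain after the @, not the display name.
    _name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if not is_official(sender_domain, official):
        findings.append(f"sender domain {sender_domain!r} is not official")

    # Replies would go somewhere other than the apparent sender.
    _name, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to!r} differs from sender {sender!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = extract_links(text)
    for link in links:  # where each link actually goes, without clicking it
        host = urlparse(link).hostname or ""
        if not is_official(host, official):
            findings.append(f"link goes to {host!r}, not the official domain")

    lowered = text.lower()
    urgent = [p for p in URGENCY if p in lowered]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    if links and any(p in lowered for p in MONEY):
        findings.append("offers money and asks you to follow a link to claim it")
    if "dear customer" in lowered:
        findings.append("generic greeting instead of your name")
    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment: {part.get_filename()!r}")
    return findings


# Constructed sample modelled on the guide's HMRC refund email; the Reply-To
# domain is invented.
SUSPICIOUS = """\
From: HMRC Tax Refunds <refunds@hmrc-gov-refund.com>
Reply-To: claims@refund-handler.example
Content-Type: text/plain; charset="utf-8"

Dear Customer,
To process your refund of GBP 312.00, you must verify your details
within 48 hours or your refund will be cancelled.
Click here to claim your refund: http://hmrc-gov-refund.com/claim
"""

# Constructed benign message: official sender domain, official link.
BENIGN = """\
From: HMRC <noreply@hmrc.gov.uk>
Content-Type: text/plain; charset="utf-8"

Dear Jane Smith,
Your latest statement is in your online account:
https://www.tax.service.gov.uk/account
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyse_email(raw))
```

Run it as-is and the suspicious sample produces six findings while the benign one produces none. To use it on a real message, save the email in its raw form (most mail clients offer "show original" or "view source") and pass that text to analyse_email with the organisation's genuine domains; the domain check is a suffix match, so a look-alike such as hmrc-gov-refund.com is reported even though it contains the letters "gov".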
What to do if you're not sure
If an email doesn't feel right, do this:
- Do not click any links in the email
- Do not open any attachments
- Do not reply to the email
- Check the sender address — the actual domain, not just the display name
- Go to the organisation's official website by typing it in your browser, or use their app
- If the message claims there's a problem with your account, log in directly through the official website — not through the link
- Forward the email to report@phishing.gov.uk and then delete it
What not to do
Do not click a link in a suspicious email to see where it goes. Visiting a fraudulent website can sometimes be enough to trigger a download of harmful software, even without entering any details.
Do not call a phone number from within the email unless you've independently confirmed it matches the organisation's official contact number. Scammers sometimes include phone numbers that connect to their own call centres.
Do not unsubscribe from a suspicious email — clicking unsubscribe confirms your email address is active and can result in more targeted scam attempts.
Not sure if an email is genuine?
Paste the email text into Summarly. It will explain what the email appears to say, flag warning signs like sender mismatches or suspicious links, and give you clear next steps — in plain English.
Frequently asked questions
What is a phishing email?
A phishing email is a message designed to trick you into clicking a fraudulent link, sharing personal or financial details, or opening a harmful attachment. It typically impersonates a trusted organisation — your bank, HMRC, a delivery company, or a familiar retailer. The goal is usually to steal login credentials, card details, or personal information.
How can I tell if an email link is safe?
Do not click the link to check. On a desktop, hover over it to see the destination URL in your browser's status bar. On a phone, press and hold to see a preview. Check whether the domain matches the official website of the organisation. If you can't verify it, go to the official website directly by typing the address in your browser rather than following the link.
Should I reply to a suspicious email?
No. Replying confirms your email address is active, which can lead to more targeted scam attempts. Do not reply, do not click unsubscribe, and do not forward the email to friends or colleagues in a way that might cause them to click the link. Forward it to report@phishing.gov.uk and then delete it.
What if the email looks completely professional?
Phishing emails can be extremely convincing — they copy logos, branding and layouts almost perfectly. A professional appearance is not evidence of legitimacy. Focus on the sender domain, the Reply-To address, and where links actually lead. These are much harder for scammers to fake convincingly.
What should I do if I already clicked the link?
If you clicked but did not enter any details, your risk is relatively low. Close the page and run a quick check on your device if you're concerned. If you entered a password, change it immediately from a different device. If you shared card or bank details, contact your bank immediately using the number on the back of your card. Report the phishing email to report@phishing.gov.uk or Action Fraud at actionfraud.police.uk.