The idea
A phishing message pretends to be from a company you already deal with. Your bank, a courier, a shop, your email provider, your employer.
It does not need to be clever. It only needs to catch you at a moment when you are busy and the story sounds plausible. You were expecting a parcel. You do use that bank. So you click.
The goal is almost always one of two things: get you to type your details into a fake login page, or get you to open an attachment.
The signs
Most phishing gives itself away if you slow down for ten seconds. Look for these.
- →Urgency and threats. Your account will be closed. Your parcel will be returned. Pay within 24 hours. Real companies rarely put a countdown on it.
- →A sender address that does not match. The name says the brand. The actual address behind it is a free mailbox or an odd domain that just looks close.
- →A generic greeting. "Dear customer" from a company that has known your first name for years.
- →Links that go somewhere else. The text says one thing. The real destination is a completely different domain. This is often a lookalike domain.
- →An attachment you were not expecting. Invoices, receipts and delivery notes are the usual disguises, and they can carry malware.
- →A request no real company makes. Nobody legitimate will ever email you asking for your password, your card PIN, or the one time code you just received.
What to do with one
Do not click, and do not reply. Replying only confirms the address is live.
If you want to check where a link really goes, hover over it on a computer or press and hold on a phone. The true destination will appear. Read it carefully, and read it right to left.
Then verify a different way. Close the message, open the company's official app or type their address in yourself, and look. If the warning is real, it will be there too. Never use the phone number or link in the message itself, because those belong to whoever sent it.
Our guide to spotting a phishing email walks through a real example line by line.
If you already clicked
It happens to careful people. Move quickly rather than quietly.
Change the password on that account, and on anywhere else you used the same one. Turn on two-factor authentication. If you entered card details, call your bank and have the card stopped. Then watch your statements for a while.
There is more in our guide on what to do if you have been scammed online.
The other side: stopping phishing sent in your name
If you run a business, there is a version of this that is your problem rather than your customers'.
Email was built to be trusting. Without the right DNS records, anyone can send a message that appears to come from your domain, and your customers have no way to tell. They get scammed, and your brand takes the blame.
Three records fix that between them. SPF lists who is allowed to send email for you. DKIM signs your messages so they cannot be tampered with in transit. DMARC ties the two together and tells inboxes to reject the fakes.
They are free, they live in your DNS, and most domains still do not have all three set up properly. You can see which ones yours has with a free check.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to protect your domain