Phishing emails and messages are built to look like they come from a company you trust, so that you click a link, open an attachment, or hand over a password or payment detail. They are one of the most common ways people lose money and access to their accounts.
The good news is that most phishing attempts share the same tells. Once you know what to look for, a suspicious message is usually easy to spot, and this guide walks through the signs and what to do next.
Paste an address for a free safety check: encryption, malware and phishing, domain age and more.
No single detail proves a message is phishing, but a few signs together are a strong warning: a sense of urgency or a threat, a sender address that does not match the real organisation, a generic greeting, spelling or formatting errors, and a link or attachment you were not expecting. Real companies do not ask for your password, one-time code, or full card details by email.
If you are unsure where a link actually goes, do not click it. You can paste the destination site into our free safety check first and see a plain verdict before you trust it.
Your account will be closed, a payment failed, act within 24 hours. Pressure is designed to stop you thinking and checking.
The display name looks right, but the actual email address is odd or on a domain that is not the real company.
Dear Customer or Dear User instead of your name. A company you have an account with usually knows who you are.
Typos, clumsy wording, stretched logos, or layouts that do not match the brand you know.
The visible text says one thing, but hovering over the link shows a different or misspelt web address.
An invoice, receipt, or document you did not ask for. Attachments can carry malware, so do not open them.
Be very cautious with any message that asks you to confirm your password, share a one-time code or verification PIN, or enter full card or banking details to unlock or verify an account. Legitimate organisations do not ask for these by email or text, because they already have what they need and know that codes and passwords should stay private. A request for this information is itself the warning sign.
Phishing links are made to look familiar while pointing somewhere else. The text might read like a real address while the underlying link goes to a lookalike domain, or the address swaps a letter or adds an extra word so it reads as genuine at a glance. On a computer you can hover over a link to see where it really leads before clicking. On a phone, press and hold the link to preview the destination.
If the destination is not clearly the official site, treat the message as suspicious. When you want to be sure, run the site through our free safety check, or read more about how to test a link and general email security.
Look for several signs together: a sense of urgency or a threat, a sender address that does not match the real company, a generic greeting, spelling or formatting errors, and links or attachments you were not expecting. Any request for your password, a one-time code, or full card details is a strong warning sign on its own.
Do not click links, open attachments, or reply. If you need to reach the company, use its official website or app rather than any contact details in the message. Report the email as phishing in your email app and then delete it.
On a computer, hover your mouse over the link and the real destination appears at the bottom of the screen. On a phone, press and hold the link to preview it. If the address is not clearly the official site, do not click, and you can paste the destination into our free safety check to see a verdict first.
If you only opened the page, close it and do not enter anything. If you typed a password or code, change that password immediately, turn on two-factor authentication, and watch the account for unusual activity. If you shared card details, contact your bank or card provider.
No. Legitimate organisations do not ask you to confirm your password, share a one-time code, or enter full card details by email. They already have what they need, so any message asking for this should be treated as phishing.
Free, anonymous, and no signup. Know before you buy.