Phishing is the name given by scammers (fraudsters) to their attempts to steal sensitive information from you, or to trick you into paying them money.
Typically the information they’re after is the login details for your online accounts — your username and password.
In this guide we’ll look at what phishing is, the red flags that give a phishing email away, the most common types of phishing scam, and exactly what to do if you spot one — or if you’ve already clicked something you shouldn’t have.
What Is Phishing?
Phishing in computer terms is pretty similar to the pastime it’s named after. You throw out some bait and hope to get a bite. Simple as that.
Fraudsters will generally use email, though text messages and phone calls work the same way.
What the scammers need, what they’re desperate for, is for you to click the link or button included in the email. That link takes you to a fake website — their website.
Phishing websites are often almost identical to the real one they’re impersonating. In some cases you’d struggle to spot the difference even with both pages side by side.
Common Signs of a Phishing Email
You won’t usually have the fake and the genuine email side by side to compare, so it helps to know the individual warning signs on sight. Look out for these:
Suspicious Sender Address
The name displayed might say “Netflix” or “Amazon”, but the actual email address often doesn’t match.
This is the easiest way to spot around 50% of phishing emails. Most (probably all) large companies have their own email addresses. When you receive an email always check that the domain part of the email address looks correct.
For example, any emails you might receive from Google will end with google.com. You might get emails that have the country specific domain, such as google.uk. But you get the idea.
Don’t take this as a guarantee of authenticity because emails addressees can be faked, it’s called email spoofing. But by simply checking the where the message came from you’ll quickly rule out about half the phishing attempts that you receive.


Urgent or Threatening Language
“Your account will be suspended in 24 hours.” “Unusual activity detected — act now.” Scammers want you to react before you think.
Genuine companies rarely demand instant action, especially on the first message. The best option you have is to stay calm, don’t believe everything you read, think it through. Be suspicious.
Generic Greetings
“Dear Customer” or “Dear Valued Member” instead of your actual name is a common tell tale sign, since scammers are usually emailing thousands of people at once with the same message.
Where you have an online account with a business or website, they have your name (or at least your username) and will use it in any communications with you.
Spelling and Grammar Mistakes
This used to be one of the most reliable signs, and it’s still worth watching for. That said, scammers increasingly use AI tools to polish their writing, so a well-written email is no longer proof that it’s genuine.
But a badly written email is proof that it’s a fake or phishing email.
Suspicious Links
Hover your mouse over any link (without clicking) and look at the web address that pops up. If it doesn’t match the company it claims to be from, don’t click it. On a phone, press and hold the link to preview the address instead.
So this advice is something that’s generally handed out, but these days I think it’s difficult to spot a fake link address because some companies use huge, convoluted link addresses. Try it, but you’ll probably be none the wiser.
My best advice is to NOT click on links.
Unexpected Attachments
An invoice you weren’t expecting, a “delivery document”, or a zipped file — if you didn’t ask for it, don’t open it. This is one of the most common ways scammers deliver malware.
Especially zipped files. Simply by adding a password to a zipped file means your antivirus program (it doesn’t matter which one you use) can’t inspect its contents.
Too-Good-To-Be-True Offers
A tax refund, a prize you never entered, a gift card “just for you”. If it sounds too generous to be real, it almost always is.
Don’t click on links in emails. Ever.
The 3 Main Types of Phishing Email
Phishing emails go by different names depending on who’s being targeted, but they usually fall into one of three types — and they all have one purpose: to get you to respond.
- Claim Yours Now — refunds, bonuses, payments, special offers, service upgrades. Click the link to claim.
- Panic — your account’s been hacked, suspicious activity detected, you’re about to be cut off. Click the link now.
- Curiosity — we tried to deliver your parcel, someone’s received your payment, see these pictures. Click the link to find out more.
Whichever type it is, clicking the link takes you to a fake website where you’ll either be asked to hand over details, asked for payment info, or your PC will quietly pick up malware. Sometimes all three.
Claim Your Money Phishing
This type of attack relies on our greed — and however much we’d like to think otherwise, we’re all a little bit susceptible to it.
We’ve all heard the one about the Nigerian prince trying to move money out of the country. Send a small amount now, gain fabulous wealth later.
Or how about overpaying your tax? We all pay too much tax, don’t we?
Here’s a real example of a fake UK tax refund website. According to the accompanying email, you’ve paid too much tax much and are due a refund. Brilliant, we all want a tax refund.
By filling out that form, you’d lose not just the contents of you bank account, but very possibly your identity too.

Panic Phishing
This type is designed to create a sense of panic or fear. Someone’s gained access to your account. You’re about to be cut off. Your money’s being stolen. You’re being accused of doing something dreadful.
When something’s about to be taken away from you, you’re likely to act fast — without thinking it through. we all do.
Here’s an email, apparently from Netflix, telling me I need to update my card details to keep my service running.
I don’t have a Netflix account, so this one was an easy spot. But plenty of people do. If you’d received this, would you have known it was fake?
Clicking the link takes you to a fake Netflix website. Enter your login and payment details, and you’re done. Well and truly done.

Curiosity Phishing
Curiosity is a powerful thing, and this type of scam relies on exactly that. The email won’t offer to make you rich, and won’t threaten to take anything away — it’ll just seem like an ordinary, informational message.
Maybe someone’s trying to contact you, or deliver something. Or maybe it just doesn’t quite make sense. Curious as to what’s going on?
So when I received an email telling me someone had received my payment, I started to wonder what I’d actually paid for.
Obviously, I hadn’t ordered anything at all — it was just another scam. Sometimes these emails are completely empty except for a link or maybe an attachment. No explanation at all.

A Newer Trick: QR Code Phishing (“Quishing”)
Scammers are increasingly hiding malicious links inside QR codes within emails, betting that you’ll scan it with your phone rather than checking the link on your PC first. QR codes in restaurants and pubs are usually fine — but treat any QR code inside an email with exactly the same suspicion as a regular link.
How to Protect Yourself From Phishing
You can find thousands of articles online, in newspapers, and on TV explaining how to spot phishing emails. I’m not disputing any of that advice — it’s all good stuff. But the truth is, the average user simply can’t rely on spotting every fake email from a genuine email.
The problem is you’ll never have the fake and the real one side by side to compare. Picking out the odd fake from hundreds of genuine emails is a job for professionals, not for the rest of us. We’re too busy, too distracted and just want to get on doing what we’re doing.
What you need is a simple rule that protects you from all email, every time.
The Golden Rule: Don’t Click Links in Emails
Yes, it’s that simple, the golden rule is that you don’t click on links and you don’t open attachments.
Every day you’ll receive dozens, maybe hundreds, of emails. Most are genuine. The odd one won’t be. You just don’t know which is which — so ask yourself: do I really need to click the link in this message? Is that the only way to find out what’s going on?
It almost never is.
What to Do Instead
Sometimes you can simply phone the organisation — especially with banks, who’ll have a customer service number you can call and ask.
If phoning isn’t practical, open a new browser window yourself and log in to your account the way you normally would. Don’t use the provided link.
Whether the email claims to be from Amazon, eBay, Netflix, or your bank, whatever’s supposedly happened will be visible once you log in to your account the normal way — if it’s happened at all.
The important thing is that you get to your account the way you normally would, and never by clicking the link provided in the email.

What to Do If You’ve Already Clicked a Phishing Link
Don’t panic, and don’t feel embarrassed — it happens to careful people too. Full disclosure, I’ve done it myself. Here’s what to do, in order:
- Don’t enter any more information. If you’ve clicked a link but haven’t typed anything in yet, just close the page. If you have entered any details, try to delete them.
- Contact your bank straight away if you entered any card or banking details, so they can watch for or block fraudulent activity. Most financial institutions have dedicated fraud departments that’ll help you. If you don’t have your bank phone number, in the UK you can call 159 to get connected directly to your bank. I’m sure other countries will have something similar.
- Change your password immediately if you did enter login details — and change it on the real website, typed in yourself, not via the email.
- Turn on two-factor authentication for that account if you haven’t already, so a stolen password alone isn’t enough to get in.
- Run a scan with Windows Security (built into Windows 10 and 11) or whichever antivirus software you’ve got installed on your computer to check for anything that may have downloaded in the background.
- Keep an eye out for identity theft in the weeks that follow, particularly if you handed over personal details like your date of birth or address.
You Have Time
Most phishing websites aren’t monitored by the scammers. They simply collect the information you’re entering and then it sits there waiting for someone to do something with it. You have time to do something to correct your mistake.
Act, don’t sit there wandering or second guessing yourself. The moment you become suspicious report it to your bank, change your passwords, scan your PC.
If it all turns out to be a false alarm, then there’s no real harm done. A bit of inconvenience perhaps, but no harm.
How to Report a Phishing Email in the UK
Reporting phishing emails helps get scam addresses and websites taken down, and protects other people from falling for the same trick. It only takes a minute. These addresses and phone numbers are for the UK specifically, but other countries will have similar.
- Forward the email to report@phishing.gov.uk — this goes straight to the National Cyber Security Centre (NCSC).
- Forward a suspicious text message to 7726 — free, and reports it to your mobile provider.
- Lost money or been hacked? Report it separately to Action Fraud at reportfraud.police.uk or call 0300 123 2040 (or Police Scotland on 101 if you’re in Scotland).
- In the UK you can call 159 to get connected directly to your bank. I’m sure other countries will have something similar.
Reporting in Outlook or Windows Mail
If you use Outlook or the Mail app on Windows 10 or Windows 11, right-click the message and choose Report > Phishing (wording varies slightly by version). This removes it from your inbox immediately and helps Microsoft’s filters catch similar emails for other users too.
Frequently Asked Questions
Summary
The sheer amount of scam and phishing emails that are sent everyday is staggering, estimated at around 3.4 billion. That’s everyday.
You will have definitely received some of them. Most of them you’ll quickly spot and dismiss or simply won’t be interested. That doesn’t matter to the scammers. They can send you hundreds, thousands, they never get tired and never give up. It only takes one to catch you’re eye and they win.
But only if you click the link or open the attachment. Don’t do it.
Lesson 32
Course Progress – 31 of 37
Part of the At Home Basic Computer Course — free computer guides for beginners.
Beware of Device Encryption on Windows 11 Home
Device Encryption is silently being enabled on all Windows 10 and Windows 11 Home editions that meet the hardware requirements and you’re signed in with a Microsoft account.
It’s very important that you check whether or not device encryption is enabled on your computer and if it is, then you MUST either disable it or find your recovery key. I’ll show you how to do both.

You can find this and other related step by step guides in – At Home Computer Security Guides
At Home Computer Step By Step Guides
Easy to follow tutorials for users of Windows 10 and Windows 11 computers.
Gmail Storage Full? Here’s Why (and How to Fix it)
A Beginner’s Guide to File Formats and File Extensions
How to Protect Your Data When Sending Your PC in for Repair
Why I Use Virtual Machines and You Should Too
How to Install Windows XP as a Virtual Machine on VMware Workstation Pro
Is VMware Player Coming Back?
How to Setup OneDrive to Backup Your Files
OneDrive allows you to backup files to the cloud. It…
How to Share a Folder in OneDrive
One of the best features of OneDrive is the ease…
How to Setup RealTimeSync
RealTimeSync is a companion tool for the popular sync program…