Phishing emails remain one of the most effective tools in a cybercriminal’s arsenal, and they’re only getting harder to identify.
According to Verizon’s 2025 Data Breach Investigations Report, 60% of breaches involve a human element, with phishing consistently among the leading causes (16%).
For UK businesses, the average cost of a phishing-driven breach is now £3.85 million. Knowing how to spot a phishing email – and making sure your team can too – is one of the most practical steps you can take to reduce your exposure. Combined with phishing testing, it’s the best way to strengthen your business defences.
Key takeaways:
- Phishing emails rely on urgency, trust, and human instinct – slowing down before clicking or replying is your single most effective defence.
- Always check the actual sender email address, not just the display name, and hover over links before clicking to verify where they lead.
- AI-generated phishing content is increasingly polished, so good grammar alone is no longer a reliable sign an email is safe.
- If you receive a phishing email, report it to your IT team and forward it to report@phishing.gov.uk (the NCSC's Suspicious Email Reporting Service) – don't forward it to colleagues to sense-check.
What is a Phishing Email?
A phishing email is a fraudulent message designed to trick the recipient into:
- Revealing sensitive information
- Clicking a malicious link
- Downloading harmful software
Attackers typically impersonate a trusted brand, colleague, or organisation to make the message appear legitimate.
The goal varies: some phishing emails are after login credentials. Others try to install malware, redirect payments, or gain access to corporate systems as a stepping stone to a larger attack.
What they have in common is that they exploit human instinct – urgency, trust, and the pace of a busy working day – rather than a technical weakness in your systems.
Phishing is distinct from spam:
- Spam is unsolicited and usually commercial
- Phishing is targeted and fraudulent
Highlighting this distinction matters because phishing calls for a different response: you don't just filter it out, you report it as well.
Common phishing email examples
Understanding the most common types of phishing emails helps you and your team recognise them in practice:
| Phishing type | How it works | Common tactics | Who is targeted |
| --- | --- | --- | --- |
| Credential harvesting emails | Fake login pages capture usernames and passwords. | ‘Verify your account’ or ‘Reset your password’ links leading to convincing spoofed pages (e.g., Microsoft 365, Google, banking sites). | All employees, especially users of cloud services and online banking. |
| Invoice and payment fraud (BEC) | Impersonates suppliers or executives to request payments or bank detail changes. | Urgent tone, change of bank details, executive impersonation. BEC attacks rose by 136% in Q4 2025. | Finance teams, accounts payable, senior leadership. |
| HR & payroll impersonation | Poses as HR requesting sensitive employee information. | Requests to review salary info, update payment details, or take urgent action. | Employees and payroll staff. |
| Delivery & service notifications | Fake courier messages requesting fees or confirmation of details. | Claims a parcel is awaiting delivery, then asks for a small payment or personal details. | General public and office staff. |
| HMRC impersonation | Pretends to be HMRC requesting sensitive data. | Claims a tax refund or penalty, then directs to a fake HMRC portal. HMRC never emails requesting personal or financial details. | UK individuals and businesses. |
How to spot a phishing email: 7 signs to look for
The sender’s email address doesn’t add up
Don’t just look at the display name – check the actual email address it was sent from.
Attackers use two common tactics: sending from a public mailbox provider (such as gmail.com or outlook.com) while putting a company name in the display name, or registering a domain that's slightly off – ‘paypa1.com’ instead of ‘paypal.com’. In most mail clients, hovering over or clicking the sender's name reveals the full address; check it before you do anything else. A forged address on a domain that doesn't enforce SPF, DKIM and DMARC can pass this check, so treat any ‘unverified sender’ or authentication warning your mail client shows as a further signal.
It creates a sense of urgency or panic
Phishing emails are engineered to make you act before you think. They’ll claim your account has been compromised, a payment has failed, or you must respond within 24 hours to avoid consequences.
Legitimate organisations rarely communicate with this kind of pressure. If an email is pushing you to act immediately, slow down – that’s the tell.
It asks for sensitive information
Reputable companies – including banks, government bodies, and software providers – will not ask you to confirm passwords, payment details, or personal information over email.
If an email is requesting this, it’s a red flag regardless of how convincing the branding looks.
The greeting is generic: ‘Dear Customer…’
A company you have a genuine relationship with will use your name. Phishing emails, sent at scale, typically resort to “Dear Customer,” “Dear User,” or no greeting at all.
This isn't a definitive sign on its own – targeted (spear-phishing) emails will happily use your name and job title – but paired with other indicators, it's a useful one.
Links don’t match the supposed sender
Before clicking any link, hover over it to see where it actually leads (on a phone, where you can't hover, press and hold the link to preview it). The text might say “www.yourbank.com”, but the underlying URL is something entirely different.
Even if the domain looks correct at a glance, look carefully. The part that matters is the domain immediately before the first single ‘/’ in the address: in ‘https://www.yourbank.com.account-check.net/login’ the site you would land on is account-check.net, not yourbank.com. Attackers register convincing lookalike domains, and put real brand names in subdomains, specifically to fool a quick read.
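As an added, runnable illustration of the sender check and the link check above (the real From address versus the name and brand it claims, and the visible link text versus where the href really goes), here is a small Python triage script. It is not code from the original article. The brand list, the public-mailbox list, the simplified registrable-domain rule and the sample message are all constructed assumptions for the example; a real deployment would use the Public Suffix List and your own allow-list of expected senders.

```python
"""Triage helper for the sender and link checks above.
Added example, not code from the original article; brand list, public-mailbox
list, registrable-domain rule and the sample message are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

KNOWN_BRANDS = {"paypal.com", "microsoft.com", "yourbank.com"}          # assumed allow-list
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Digits/symbols attackers swap for look-alike letters (paypa1.com, micr0soft.com)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(host: str) -> str:
    """Last two labels, or three for .co.uk-style suffixes (simplified rule, assumed)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Brand a hostname imitates, or None. A look-alike is not the brand's own
    registered domain but still contains the brand name once homoglyphs and
    hyphens are folded (paypa1.com, paypal-secure.com, paypal.com.evil.net)."""
    if registrable_domain(host) in KNOWN_BRANDS:
        return None
    folded = host.lower().translate(HOMOGLYPHS).replace("-", "")
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in folded:
            return brand
    return None


def check_sender(msg) -> List[str]:
    """Sign 1: the real From address versus the display name and brand."""
    findings = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["From header has no usable address"]
    if domain in PUBLIC_MAILBOX_DOMAINS:        # brand name on a free mailbox
        for brand in KNOWN_BRANDS:
            if brand.split(".")[0] in display_name.lower():
                findings.append(f"display name claims {brand} but address is a public {domain} mailbox")
    brand = lookalike_of(domain)
    if brand:
        findings.append(f"sender domain {domain} looks like {brand}")
    # The receiving mail server records SPF/DKIM/DMARC results in this header
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", auth, re.I):
        findings.append(f"sender authentication not clean: {auth.strip()}")
    return findings


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> List[str]:
    """Sign 5: link text versus the domain the href really points at."""
    findings, parser = [], LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            findings.append(f"link text shows {shown.group(1)} but goes to {target}")
        brand = lookalike_of(target)
        if brand:
            findings.append(f"link target {target} looks like {brand}")
    return findings


def triage(raw_message: str) -> List[str]:
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html",))
    return findings + (check_links(body.get_content()) if body is not None else [])


# Constructed sample message for the example (not a real phishing email)
SAMPLE_EMAIL = """\
From: "PayPal Customer Care" <security-team@paypa1.com>
To: finance@example.co.uk
Subject: Action required: verify your account within 24 hours
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=paypa1.com; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Please <a href="https://paypal.com.secure-login-check.net/verify">www.paypal.com/verify</a>
now or your account will be suspended.</p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("!", finding)
```

Run on the sample it reports four findings: the sender domain is a homoglyph of paypal.com, SPF failed, the link text shows www.paypal.com while the href lands on secure-login-check.net, and that target is itself a brand-in-subdomain look-alike. To try it on a real message, save the email as a .eml file (which keeps the headers) and pass its contents to triage().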
There are unexpected attachments
An unsolicited attachment is a significant warning sign. Attackers use attachments – ZIP archives, Word and Excel files, and increasingly HTML files and disk images (ISO, IMG) that sidestep macro blocking – to deliver malware.
If you weren’t expecting a file and don’t know why you’ve received it, don’t open it. Contact the supposed sender directly via a separate channel to verify.
The grammar and tone feel off
Spelling mistakes, unusual phrasing, and awkward sentence structure have long been giveaways. It's worth noting that AI-generated phishing emails are becoming more polished – by some estimates around 82% of phishing content now uses AI-generated text – so good grammar alone doesn't mean an email is safe.
However, poor grammar is still a useful signal, and changes in tone from a trusted contact (such as a colleague or supplier you know well) should prompt a closer look.
What to do if you receive a phishing email
Don’t click, don’t reply, and don’t forward it to colleagues to ask their opinion – forwarding a phishing email increases the risk that someone else clicks on it.
Instead:
- Report it to your IT or security team immediately so they can check whether others in the organisation have received it and take action if needed. If they want the original message with its headers, forward it as an attachment rather than inline, since inline forwarding discards the headers they need to trace it.
- Forward it to the NCSC at report@phishing.gov.uk – the UK's Suspicious Email Reporting Service (SERS) analyses reports and has malicious sites taken down.
- Report it in your email client – most platforms (Outlook, Gmail) have a built-in “Report phishing” option that helps improve filtering for everyone.
- Delete it once reported. If you want to keep a record, take a screenshot rather than leaving the email in your inbox.
If you’ve already clicked a link or entered your credentials, act quickly:
- Change your password immediately – and on any other account where you reused it
- Sign out of all active sessions for that account, where the service offers it, so any session the attacker already holds is revoked
- Enable multi-factor authentication (if it isn't already active)
- Notify your IT team, telling them whether you entered credentials or opened an attachment, so they know what to check
The faster you act, the more contained the damage can be.
How phishing testing helps protect your organisation
Knowing the signs of a phishing email is one thing. Knowing how your team responds under real conditions is another. Employee awareness training reduces phishing click rates significantly, but the only way to know whether your training is working is to test it.
Phishing simulation tests – where controlled, realistic phishing emails are sent to your own staff – reveal exactly which employees and teams are most susceptible, and give you the data you need to target training where it’s needed most.
Combined with a broader penetration test that assesses your technical controls, you get a complete picture of your organisation’s exposure: where the human risk sits, and where your defences need strengthening.
Start taking the steps to secure your business from phishing emails. Get an instant phishing penetration testing quote today.