Online fraud: how to protect yourself against phishing

By Duncan Heaney

More than three-quarters of Brits have had phishing emails land in their inbox. We explain how phishing works, how you can identify a fraudulent message, and what to do if you receive one.

Phishing scams are one of the most common types of internet fraud you're likely to encounter. In fact, according to research by business advisory company Deloitte, 65% of people in the UK have received phishing emails.

Criminals and general ne'er-do-wells - known as 'phishers' - send out emails that appear to be from a legitimate company or person, and attempt to trick people into giving up sensitive information, such as credit card or bank details, usernames and passwords.

These emails may also contain links that direct users to a fake website, which may contain malware like viruses, or ask for confidential information.

Another tactic phishers use is sending an email that contains an attachment. Opening the attached file will install a virus or spyware, which could search your computer for valuable information, or even log your keystrokes to record passwords as you enter them.

How do I identify a phishing email?

If you have an email account, you're likely to receive a phishing message at some point. Most should be claimed by your spam filter or end up in your junk folder, but the occasional message may find its way into your inbox.

The quality of phishing emails is variable. Some look very professional, while others are almost laughably amateurish.

It always pays to be attentive, and there are a number of signs you can look for if you think a message might be dodgy.

Look at the address - Always check the name and email address of the person who sent you the email. If the message clearly isn't from an official company email address, you can be sure it's a phishing attempt. Don't rely purely on this check though - phishers often create faked accounts with names that mimic the real ones.

Check for your name - Unless it's a specific attack, phishers typically send out messages via large mailing lists. If an email isn't directed at you personally, and instead says something along the lines of: "Dear [company name] Customer", it's likely to be a phishing email.

This is a particularly good check for messages claiming to be from a major company. Most corporations target their communications, which means that people tend to get personalised emails with their name on.



Does it want your account details? - Very few legitimate companies will ask you to send over credit card information, bank numbers, usernames or passwords via email. If the message is asking for these, it's more than likely a scam.

Never send banking or account information via email because someone requested it. Even if you genuinely think the message is legitimate, phone the company to check first.

Are there any attachments? - Not many legitimate companies will send you attachments without warning. If you get an unsolicited email with a file attached, then the chances are that the message comes from elsewhere.

Always remember the golden rule - NEVER open an attachment if you are not 100% sure you know who sent it. If you do you risk letting malware onto your computer.

Look at the links - If the email contains links, don't click on them. Check where they lead first. Hover the mouse pointer over the link and see what address appears - on webmail through browsers the link usually appears in the bottom left of the screen, and in programs like Microsoft Outlook it usually appears in a pop-up box.

If the link doesn't appear, right click and copy the link's location. Paste it into a word processor or notepad and check whether it leads where the text claims.

Be thorough in your checks - phishers sometimes spoof website addresses. It may look like the address you want, but one or two details might be different: for example, instead of, you might see Spot the difference and always stay alert.

Check spelling, punctuation and grammar - Many phishers operate from overseas, and they don't always have the firmest grasp of the English language. If the message is packed with typos and grammatical errors, it's probably a foreign phishing attempt.
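The sender, greeting and link checks above can be automated. The following is an added example, not code from this article or from Broadbandchoices: it parses a constructed sample email, compares the sender's domain with a list of domains the recipient treats as official (an assumption for the demo), looks for a generic greeting, and flags any link whose visible text names one domain while its real target is another or a lookalike of an official one (one or two characters changed, or the official name embedded in a longer name). The domain handling is deliberately simple (it keeps the last two labels of a hostname); real tooling would use a public suffix list.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). The first has a mimicking
# sender domain, a generic greeting, and a link whose text hides its target.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.example>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer,</p>
<p>Please confirm your details at
<a href="http://examp1e-bank.example/verify">https://www.example-bank.example/login</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.example>
To: jane.smith@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Smith,</p>
<p>Log in at <a href="https://www.example-bank.example/login">https://www.example-bank.example/login</a></p>
</body></html>
"""

# Assumption for the demo: the domains this recipient considers official.
OFFICIAL_DOMAINS = {"example-bank.example"}
GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear user", "dear member")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and all body text from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable_domain(host):
    """Naive 'last two labels' domain, e.g. www.example-bank.example -> example-bank.example."""
    host = (host or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance; small values between two domain labels suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, official):
    """True when domain is not official but its first label mimics the official one."""
    if domain == official:
        return False
    d_label, o_label = domain.split(".")[0], official.split(".")[0]
    return o_label in d_label or levenshtein(d_label, o_label) <= 2


def analyse(raw, official_domains=OFFICIAL_DOMAINS):
    """Return a list of human-readable findings; an empty list means no check fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: sender address. Display names are easy to fake; judge the domain.
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    if sender_domain not in official_domains:
        if any(is_lookalike(sender_domain, o) for o in official_domains):
            findings.append(f"sender domain {sender_domain} looks like an official domain but is not")
        else:
            findings.append(f"sender domain {sender_domain} is not an official domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")

    # Check 2: generic greeting instead of the recipient's name.
    text = " ".join(parser.text_parts).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")

    # Check 3: links whose visible text disagrees with, or mimics, the real target.
    for href, shown in parser.links:
        target = registrable_domain(urlparse(href).hostname)
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and registrable_domain(shown_host) != target:
            findings.append(f"link text shows {registrable_domain(shown_host)} but points to {target}")
        if target not in official_domains and any(is_lookalike(target, o) for o in official_domains):
            findings.append(f"link target {target} is a lookalike of an official domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse(raw) or ["no findings"])
```

Running the block reports four findings for the suspicious message (mimicking sender domain, generic greeting, link text that disagrees with its target, and a lookalike target) and none for the clean one. The sender check only works against a list of domains you already trust, which is why the article's advice to phone the company rather than trust the email still applies.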


What to do if you receive a phishing message

If you get a phishing email, you can usually report it. If you get your email through your broadband provider, it will likely have its own process in place for reporting phishing and unwanted emails. The best thing to do is check their website for specific instructions.

If you use a webmail service, such as - formerly known as Hotmail - or Google Gmail, you can also report messages as phishing.

If you're using Outlook, click the box next to the message and the tab at the top of the screen that says 'mark as'. Select 'phishing' from the menu and you're done. In Gmail, you can report phishing messages by using the pull-down menu next to the date on an email.

Of course, another solution is to just delete it. Stay safe!

