Phishing emails are one of the easiest forms of cyber attack for criminals to carry out and, unfortunately, easy for us to fall victim to.
The term ‘phishing’ is often used when talking about emails, but phishing can also take the form of a text message or social media post that looks like the real thing but is malicious. The criminal will try to convince you to click on links within their message that could lead to a virus being downloaded on to your computer, or persuade you to reveal personal, sensitive or financial information.
Criminals are opportunistic and will look to exploit real-world concerns and trick you into interacting, whether by convincing you to apply for a tax rebate or by offering you a ‘prize’ for completing a survey.
These messages can be difficult to spot and are designed to get you to interact with them without thinking.
What should I look out for?
Top tips for spotting tell-tale signs of a phishing attack (fake emails)
- Authority – Is the sender claiming to be from someone official (like your bank, doctor, a solicitor, government department, or high-ranking person in your organisation)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Urgency – Are you told you have a limited time to respond (like in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
- Emotion – Does the message make you feel panicked, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
- Scarcity – Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Current events – Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.
Be wary of any texts or emails you receive, even if they appear to come from an organisation you know and trust. Your bank (or any other official source) should never ask you to supply personal information in an email.
Don’t follow links in text messages or phone any numbers provided within the message. If you have any doubts, call the organisation directly or visit the official website instead by typing their genuine web address into your browser.
Report suspicious messages
You can help protect others by forwarding suspicious emails and text messages to the NCSC’s takedown service.
Text messages can be sent to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action if it is found to be malicious.
If you have fallen victim to a phishing attack, you can report this to Police Scotland on 101.
Read our blog on Dealing with targeted phishing emails. Unlike standard phishing emails that are sent out indiscriminately to millions of people, these types of attacks are crafted to appeal to specific individuals, and can be even harder to detect.
- Phishing-attacks-dealing-suspicious-emails-infographic.pdf (ncsc.gov.uk)
- A step by step guide to recovering an online account – Recovering a hacked account – NCSC.GOV.UK
- How to defend your organisation from email phishing attacks – https://www.ncsc.gov.uk/guidance/phishing