Avoiding phishing email scams

New figures from the National Fraud Intelligence Bureau reveal that email scams or phishing attacks have risen by 21% in just one year 1. Do you know what to check to tell whether an email you've received is genuine or a phishing email?

Email scams no longer come solely in the shape of a poorly translated email offering millions of pounds for your bank details. As awareness of attempts to defraud customers has improved, so too has the inventiveness of attackers. If you think you're smarter than a fraudster, test your knowledge against our guide to avoiding falling prey to email scams. You might be surprised.

Generic emails

Common sense can go a long way here. If you receive an email from "BestBank.com" about your current account and you don't have an account with BestBank.com, it's going to be a phishing scam. A genuine email from TSB, and most UK banks, will address you by your name, however you have chosen to be addressed, be it Mr Blogs, Joe Blogs or just Joe, for example. They will also reference either the account they are contacting you about or your postcode. Most UK banks operate in the same way. Retailers are also unlikely to address you with a generic opener like 'Dear Sir/Madam' or address you by your email address.

So if an email from your bank begins with a generic opener, you should ignore anything written in it and make sure not to open any attachments. If you receive an email that you suspect is a phishing email, it's important that you forward it to [email protected]. Most UK banks have a similar email facility set up; they use what they learn from these scams to better protect you from them.

Asking for information to verify

Your bank will never ask you to input personal information like your PIN, and they will never ask you to transfer money out of your account, whether by email or any other communication. If there is something they need to speak to you about, they will likely contact you by post, text or phone, asking you to contact the bank yourself. They may even ask you to come into branch, which might seem like a bit of an inconvenience on your part, but it's in the best interest of the safety of your account.

As a rule, you should always be wary of giving out personal information online. The TalkTalk hack in early 2016 resulted in the theft of millions of customers' details. Much of this information - names and email addresses - was not enough on its own to compromise bank accounts. Hackers instead used those stolen details to craft personalised email attacks in an attempt to fool TalkTalk customers into handing over sensitive information 2 - so even if you get an official-looking email, be vigilant.

Ensure the email address is correct

This might seem obvious, but if you suspect any foul play with an email you receive, first check that the address the email is coming from makes sense. Would your favourite online shop send you an email from a Gmail, Yahoo! or Hotmail account? No, and neither would your bank. Of course it's not always that obvious, but you can be assured that an email from your bank will always come from an address ending in their domain name at least. The same is true of reputable retailers. You can also be vigilant with emails from addresses ending in something other than .co.uk or .com if that's not the territory where your bank account originates.

Following links and attachments

It should go without saying, but never click on links in emails or open attachments unless you are sure of the source. If your friend's email account was hacked and you received an email encouraging you to click on a link, you wouldn't follow that link or open an attachment on that email. Follow the same rule when it comes to keeping your accounts safe. Attachments downloaded from rogue emails could install spyware and other software on your desktop computer that could track your clicks and render your online transactions vulnerable.

Your bank may sometimes contact you by email about other products or offers, rather than just to tell you to contact them about your account, and fraudsters will try to replicate these emails too. Phishers can also create duplicate websites that look identical to the site they're shadowing, with the aim of getting you to input your card or bank account details, skimming your bank details in the process. This could be by encouraging you to 'apply' for an offer or requesting payment in order to verify your identity.

In late 2015, fraudsters successfully defrauded the DVLA and its users. From an email threatening loss of licence if drivers did not verify their licence and payment information, users were directed to an imitation of the official DVLA site. Fraudsters were then able to access money from the payment cards that a user had legitimately put into the fake DVLA website 3. If you're concerned about an offer that you've received in an email, it's best to go directly to your browser and type in the site address yourself. 

Don't feel pressured

Scammers frequently operate by putting you in a pressurised situation. They aim to panic you and push you into making an unwise decision that you would otherwise not have made with time to think. They may call or email telling you that your account is under attack and that you should move your money to an account they have supplied for you, for example. UK banks will never ask you to transfer money out of your account. If you feel as though the person you're corresponding with is trying to hurry you, question why. If it doesn't feel right then it probably isn't. If you suspect any inconsistencies you should always contact your bank - or any other company - directly to check or to inform them that someone is attempting to scam you. Following these measures could save you from being scammed, and protect others as well if you report them.
