The majority of credential theft begins with a phishing email. Despite decades of awareness campaigns, phishing remains effective because attacks have become increasingly targeted, sophisticated, and difficult to distinguish from legitimate communication. Understanding the specific technical signals — not just "be suspicious of unexpected emails" — is what separates users who get compromised from those who don't.
The Anatomy of a Phishing Email
Modern phishing emails are rarely full of obvious errors. Professional-looking templates, stolen logos, and corporate formatting are freely available. The signals that remain reliable are structural and behavioural, not cosmetic:
| Signal | What to check | Red flag |
|---|---|---|
| Sender address | Actual domain, not just display name | Domain doesn't match the organisation's website |
| Link destination | Hover before clicking — check destination | Domain mismatch, misspelling, URL shortener |
| Urgency / threat | Tone of message | "Your account will be closed in 24 hours" |
| Action requested | What they want you to do | Click a link, download attachment, call a number |
| Salutation | How they address you | "Dear Customer", "Dear Account Holder" |
| Request type | What they're asking for | Password, payment card, security codes |
The Sender Address Trap
Email clients display a friendly "From" name (e.g. "HSBC Bank") that can be set to anything. The actual email address behind it is what matters. To check on most email clients: click or tap the sender name to expand the full address. Look at the domain after the @. For HSBC, legitimate emails come from @hsbc.com or @hsbc.co.uk — not @hsbc-secure.net, @hsbcalert.com, or @notifications-hsbc.co.uk.
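The checks in the table above and the sender-address check just described can be automated over a raw message. The following Python script is an added example, not code from the original article or from any mail provider: it reads the real address behind the "From" display name, compares its domain against an allowlist, pulls every link out of the HTML body and compares the real destination with the text shown, flags URL shorteners, and looks for the urgency phrases and generic salutations the table lists. `LEGIT_DOMAINS`, `SHORTENERS`, `URGENCY_PHRASES`, the two sample messages and the `registrable_domain` helper (a rough stand-in for a public-suffix lookup) are all assumptions constructed for this example.

```python
"""Structural phishing checks over a raw RFC 822 message (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for one brand; the two HSBC domains are the ones the article names.
LEGIT_DOMAINS = {"hsbc.com", "hsbc.co.uk"}

# Assumed, non-exhaustive list of link-shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Assumed urgency phrases, drawn from the wording quoted in the article.
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "suspended", "unusual activity",
    "verify now", "will be closed",
)

GENERIC_SALUTATIONS = ("dear customer", "dear account holder")


def registrable_domain(host):
    """Crude 'organisation' domain: last two labels, or three for co.uk-style hosts.
    Adequate for this example; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of red-flag descriptions for one raw email (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Sender address: ignore the display name, look at the domain after '@'.
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) not in LEGIT_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not an allowlisted domain")

    # 2. Link destinations: the href is what matters, not the text the reader sees.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"link uses URL shortener {host!r}")
        elif registrable_domain(host) not in LEGIT_DOMAINS:
            flags.append(f"link points to {host!r}, not an allowlisted domain")
        # Visible text that looks like a URL but names a different host than the href.
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and "." in shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"link text shows {shown!r} but destination is {host!r}")

    # 3. Urgency language and generic salutation.
    lowered = content.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    if any(s in lowered for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation instead of the recipient's name")
    return flags


# Constructed sample: lookalike sender, shortened link hiding behind a bank URL as link text.
SAMPLE = """\
From: HSBC Bank <alerts@notifications-hsbc.co.uk>
To: victim@example.com
Subject: Unusual activity detected
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity detected on your account. Verify immediately or your
account will be closed within 24 hours.</p>
<p><a href="https://bit.ly/3xyz">https://www.hsbc.co.uk/login</a></p>
</body></html>
"""

# Constructed sample of a message that passes every check.
LEGIT_SAMPLE = """\
From: HSBC <noreply@hsbc.co.uk>
To: victim@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Ms Example,</p>
<p>Your statement is available. <a href="https://www.hsbc.co.uk/statements">Log in</a> to view it.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE), ("legitimate sample", LEGIT_SAMPLE)):
        print(name + ":", analyse(raw) or ["no red flags"])
```

Run it as-is and the phishing sample produces five flags (lookalike sender domain, shortener, text/destination mismatch, urgency phrases, generic salutation) while the legitimate sample produces none. The allowlist approach mirrors the article's advice: the question is never "does this look like HSBC" but "is the domain after the @, and the domain in the link, actually one of HSBC's".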
The Urgency Mechanism
Urgency is the primary psychological lever in phishing. "Your account has been suspended," "Unusual activity detected — verify immediately," "Your parcel is on hold — pay within 24 hours." This language is engineered to bypass critical thinking by triggering an immediate emotional response. Legitimate services do create urgency for real issues — but they do not require you to verify via email link. If an email creates urgency, navigate directly to the service by typing the address and log in from there.
The Golden Rule
Never click a link in an email to go to a login page. If an email says your bank account needs attention, type your bank's URL directly into the browser address bar. If an email says your Amazon account has a problem, go to Amazon.co.uk or Amazon.com directly. The phishing attempt ends the moment you navigate directly rather than clicking. This single habit eliminates the majority of phishing risk regardless of how convincing the email appears.
Reporting Phishing in the UK
Forward suspicious emails to report@phishing.gov.uk — this is the NCSC's Suspicious Email Reporting Service. Since its launch it has received millions of reports and taken down hundreds of thousands of phishing sites. If you forward a phishing email, the NCSC analyses it and acts on any active attack infrastructure found.