phishing scams: what are they? and how to avoid them

May 25, 2021

You might have heard about a rise in how many phishing scams people are receiving – maybe you’ve even noticed you’ve been receiving lots lately. That’s why we’re breaking down what a phishing scam is (and a vishing and smishing scam), how they work and how you can spot them 👀

what is a phishing scam?

‘Phishing’ is when a criminal sends an email or text message to trick you into sharing personal information like usernames, passwords or bank details. The attacker often pretends to be a legitimate organisation, as in the well-known DVLA and HMRC phishing scams. The term comes from the idea of someone throwing out a fishing line with bait on it and hoping the person bites.

i’ve not heard of vishing scams before – what’s that?

‘Vishing’ is the same as phishing but done over the phone. The attacker impersonates someone or a business and tries to get you to tell them your personal information.

and what’s a smishing scam?

A smishing scam is specifically a scam text message – although people also use phishing to refer to text scams or as an umbrella term.

The best way to avoid being a victim of smishing is to be wary of any text message you get.

how do phishing scams work?

The scammer sends you an email or text asking you to click a link. The link goes to a website that probably looks a lot like the real one of the company or organisation they’re pretending to be. That website will either ask you to enter your personal information or banking details, or try to download a virus or spyware onto your phone or computer.

how to spot a phishing scam

unexpected message

If you get an email or text from your bank or another organisation that doesn’t normally contact you that way (for example, they usually contact you via their app or on the phone), be wary. If you’re unsure, log into your account the way you usually would; if the same message isn’t there, it’s probably a scam. Banks and other organisations will rarely, if ever, contact you out of the blue asking for your details.

check the sender

When you get a suspicious email, check who the sender is. Even if you recognise the name, ask yourself: does the email address look a bit mismatched? Would it be unusual for this person to email you? Is the sender’s email address from a suspicious domain? If you don’t recognise the name and nobody has vouched for them, it’s best to delete it – especially if it includes a URL or attachment.

Here’s an example of an email that someone in the Honest team received from an attacker pretending to be Andy – one of our Co-founders. It’s great to see that Gmail is warning that it might be dangerous. We can also see that the email address isn’t Andy’s email – or even close! Plus Andy wouldn’t be emailing this person’s personal account – and he already has their phone number.

Example of a phishing email: supposedly from Andy Aitken, but sent from a different email address, and flagged as dangerous by Gmail. It reads: ‘Hello Beatrice, how are you doing this morning, your assistance is needed, kindly drop your phone number. Andy Aitken’.

Scammers can also use identity-masking technology to change the sender name shown on a text message – this is called ‘number spoofing’.

The best rule of thumb is that if anything seems out of the ordinary, unexpected, or suspicious – don’t click on it!

if it sounds too good to be true… we hate to say it but… it probably is!

If the email, text or person on the phone is telling you you’ve won the lottery, a holiday or a new phone – especially if you haven’t entered a competition for one – then it’s probably a scam.

Lots of people have been receiving messages telling them HMRC is giving them a tax rebate recently – HMRC’s official policy is that you’ll never get an email, text message, WhatsApp or a phone call from them telling you about a tax rebate or penalty or asking for any sensitive information.

hover over the links

In an email, links might look legitimate, but the best way to check is to hover over them and see what the actual URL is. If it’s different, that’s a big red flag – don’t click! Look for typos in the normal spelling, e.g. HMLC instead of HMRC, or a different company name than the one the message claims to be from (Amazon where you’d expect Google), and check what the real website’s URL is.

Never click any links in texts. Again if you’re unsure go directly to the website and log in as normal. If you do click the link, be careful. Scammers have developed very close replicas of genuine websites.
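As an added illustration (not code from the original post), here’s a small Python script that automates two of the checks above – ‘check the sender’ and ‘hover over the links’. It compares the sender’s display name with the address the email actually came from, compares each link’s visible text with its real destination, and catches near-miss domains like HMLC for HMRC. The contact list, the trusted domains and both sample messages are constructed for the demo; they are not real addresses.

```python
"""Heuristic checks for two phishing red flags: a sender whose address
doesn't match the name it claims, and a link whose visible text points
somewhere other than its real href (what hovering over it reveals).

Added illustrative example; all addresses and domains below are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: people we expect mail from and the domain they normally use.
KNOWN_CONTACTS = {"andy aitken": "example.com"}
# Constructed: domains whose look-alikes (one or two typos away) we want to catch.
TRUSTED_DOMAINS = ["hmrc.gov.uk", "example.com"]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host nearly matches, or None."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if host != trusted and 0 < edit_distance(host, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the HTML part of an email."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain; '' if the text isn't URL-like."""
    if "." not in text or " " in text:
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def check_message(raw):
    """Return a list of red-flag descriptions for a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CONTACTS.get(name.lower())
    if expected and sender_domain != expected:
        flags.append(f"sender name '{name}' but address domain is {sender_domain}, expected {expected}")
    near = lookalike_of(sender_domain)
    if near:
        flags.append(f"sender domain {sender_domain} looks like {near}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:
            flags.append(f"link text shows {shown} but goes to {real}")
        near = lookalike_of(real)
        if near:
            flags.append(f"link host {real} looks like {near}")
    return flags


# Constructed sample modelled on the 'Andy' email above, plus an HMRC-style link.
SAMPLE = """\
From: Andy Aitken <andy.aitken@freemail-example.net>
To: beatrice@example.com
Subject: your assistance is needed
Content-Type: text/html; charset=utf-8

<p>Hello Beatrice, kindly confirm your details at
<a href="http://hmlc.gov.uk/rebate">https://www.hmrc.gov.uk/rebate</a></p>
"""

# Constructed sample of a genuine-looking message, for comparison.
CLEAN_SAMPLE = """\
From: Andy Aitken <andy@example.com>
To: beatrice@example.com
Subject: meeting notes
Content-Type: text/html; charset=utf-8

<p>Notes are at <a href="https://www.example.com/notes">https://www.example.com/notes</a></p>
"""

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("red flag:", flag)
```

Running it prints three red flags for the first sample (a mismatched sender domain, link text that doesn’t match its href, and a link host one letter away from hmrc.gov.uk) and none for the second. It only automates the mechanical part of the advice; the ‘would this person normally email me about this?’ question still needs a human.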

check the quality of the communication

Misspelling, poor punctuation and bad grammar are common signs of phishing or smishing scams. Also, look out for low-quality graphics. If the message doesn’t look professional, it’s probably a scam and you should be suspicious of it.

numbers to call

If there’s a bank number for you to call, check it matches with the one on the back of your card. If in doubt, call the number on your bank card to find out if there’s an issue.

unexpected attachments

If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it!

sense of urgency

Creating a sense of urgency is a way of pressuring you into giving your personal details. Fraudsters might say ‘failure to respond in 24 hours will result in your account being closed’. No legitimate organisation will put that time pressure on you.

how to report a phishing scam

If you think you’ve received a phishing scam, don’t share any personal information, banking details, passwords or other information. Don’t reply. If you’re unsure, get in touch with the organisation or company directly. Banks and HMRC will never ask for your personal or banking details through an email or text.

To report a suspicious email forward it to the Suspicious Email Reporting Service at

To report a text message, forward it to 7726. This short code is free to message and lets your provider look into the origin of the text.