TL;DR
- Phishing is the single most common way ordinary people get hurt online. It is rarely complicated. It almost always uses the same three levers: urgency, authority, an action.
- The attacker doesn't need to fool you for ten minutes — only for the ten seconds between the notification and the click.
- The defence isn't being more "tech-savvy." It's a small habit: when a message asks you to do something right now, slow down and verify through a different channel.
- If you already clicked or typed a password, you are not in trouble yet — the next thirty minutes decide the outcome. There's a calm playbook below.
- AI has made phishing emails grammatically perfect and personalised. Old "look for typos" advice is no longer enough. The new tell is the request, not the language.
What it is
Phishing is any message — email, text message, phone call, WhatsApp, even a QR code — that pretends to be from someone or something you trust, in order to get you to do something you wouldn't otherwise do.
The "something" is usually one of these:
- Click a link that takes you to a fake login page (your bank, your email, a delivery company, the tax office). You type your real password. They now have it.
- Open an attachment that quietly installs software on your device.
- Reply with information — your full name, date of birth, bank details, ID number, two-factor code.
- Buy something — gift cards, cryptocurrency, an emergency transfer — that the attacker can take and disappear with.
- Call a number in the message, where a polite, helpful-sounding person walks you the rest of the way into the trap.
It is called phishing because the attacker is throwing a hook into a vast pond. They don't know if you will bite. They only need a small fraction of recipients to fall for it, and the email cost them nothing to send.
A few names you may hear:
- Smishing — phishing by SMS or messenger.
- Vishing — phishing by voice (phone call).
- Quishing — phishing using a QR code, often in a public place or on a printed sticker.
- Spear phishing — a phishing message designed for you personally, using information from your social media or a recent data breach.
- Business email compromise (BEC) — phishing targeting employees, usually pretending to be the boss asking for an urgent payment.
The technique is the same. Only the channel changes.
How to spot it
Old advice told you to look for spelling mistakes and weird grammar. That advice is now out of date — AI can write a flawless email in any language in two seconds. You have to look at what the message is asking you to do, not how nicely it asks.
The pattern is almost always some version of three things together: urgency, authority, an action.
- Urgency. "Your account will be closed in 24 hours." "Your package will be returned." "Suspicious login detected — confirm now." Real institutions almost never give you a one-hour or one-day deadline by email. They send a letter. They call you back through their normal app. They wait.
- Authority. The message looks like it's from your bank, your tax office, your government, a major delivery company, a streaming service, your employer's IT team, your CEO. The familiar logo, the right colours, the right tone. Anyone can copy a logo.
- The action. Click this link. Confirm this code. Reply with this document. Pay this small fee to release the parcel. This is the part that lets you stop the attack. Whatever the message is, ask: if I do nothing, what actually happens? The honest answer is almost always "nothing bad."
Other tells worth knowing:
- The sender's actual email address doesn't match the display name. "Your Bank" might really be security@your-bank-secure-confirm.com. On a phone, you may need to tap the sender's name to see the real address.
- The link doesn't go where it claims. Hover over a link on a computer; long-press on a phone. The real URL appears. Typosquatted domains (microsft.com, paypa1.com, arnazon.com) are still common.
- The message is too generic. "Dear customer." "Dear user." Your real bank knows your name.
- A login page that doesn't quite look right. A login URL with strange words, an https lock that wasn't there last week, a layout that's been redesigned overnight.
- A request you didn't expect. A parcel you didn't order. A refund you didn't ask for. A login alert from a city you've never visited.
- An attached file you didn't ask for, especially .zip, .iso, .docm, or .pdf with no context. Even a real-looking invoice can carry an installer.
- A QR code in a public place that's been stuck over an original. Parking meters, restaurant menus, charity posters — all have been used.
What to do
If you haven't acted yet:
- Stop. Don't click. Don't reply. Don't call any number printed in the message.
- Verify through a separate channel. If "your bank" emails you, open your bank app or the website you usually use — by typing the address yourself, not from the email — and check there. If "the tax office" calls, hang up and call back on the official number from their public website. If "your boss" texts an urgent request, walk over or phone them on the number you already have.
- Report the message and delete it. Most email clients (Gmail, Outlook, Apple Mail, ProtonMail) have a "report phishing" button. Use it. SMS in many countries can be forwarded to 7726 (the digits spell SPAM) to be analysed by your carrier. Then delete the original.
- Tell the family. If your parents, partner, or children share your surname in their email addresses or share a household address, they will probably get the same campaign within the day. A two-line "watch out for this one" message at home stops more harm than any filter.
If you already clicked or typed your password — the next thirty minutes are what counts. Stay calm. Work through this list in order.
- From a different device (not the one you clicked from, if you can avoid it) — change the password of the account whose password you just entered. Use a strong unique one.
- Turn on two-factor authentication on that account if it isn't already on.
- Sign out of every other session. Most major accounts (Google, Microsoft, Apple, Facebook, your bank) have a "sign me out of all devices" button buried in security settings. Press it.
- Check the account's recent activity. Login locations, recent emails sent, payment methods added, forwarding rules set up. Phishers often set up an inbox rule to hide their tracks — delete any rule you didn't create.
- If you typed banking details — call your bank's official number now. Card freeze, password reset, transaction review. The bank cares more about a five-minute warning than a five-day-old surprise.
- If you typed an ID document or personal data — see the Identity Theft Recovery topic; the response is different and slower.
- Disconnect the device from the internet if you opened an attachment or downloaded something. Run your operating system's built-in security scan. If anything looks wrong afterwards, treat the device as compromised and seek help.
- Warn the people in your contacts. A compromised email account is often used to phish the people who trust you. A short heads-up message — sent through a different channel like WhatsApp or text — prevents the second wave.
What NOT to do
- Don't reply to the suspicious email — not even to tell them off. Replies confirm your address is real and active, and it may then be sold on to every other scammer's list.
- Don't click "unsubscribe" in a suspicious email. The legitimate unsubscribe button is fine in normal marketing email; in phishing, it's a tracker.
- Don't use phone numbers, links, or QR codes printed in the message. Always find the real contact details independently.
- Don't try to "out-clever" the scammer by typing fake details, calling them back, or playing along. Some of these scams escalate into harassment. Just block and report.
- Don't pay anything — not the small "release fee," not the "tax to unfreeze the account," not the "bond to get the prize." If money has to move to you, there is no upfront fee.
- Don't be ashamed. Phishing fools senior security engineers every week. Falling for a well-crafted message says nothing about your intelligence. Speed of response says everything about your outcome.
Use AI to help you
Two prompts you can copy. Paste the suspicious message in full — including the headers if you can — and let the AI walk you through it. Don't paste passwords or two-factor codes.
Is this message phishing?
"I received the message below. I'm not sure if it's a phishing attempt. Please analyse it from the perspective of an experienced security professional and tell me: (a) what red flags you see, (b) what the sender's domain actually looks like and how it differs from the real organisation, (c) what specifically the message is asking me to do, and (d) on a scale of 1–10, how likely this is to be a phishing attempt, with your reasoning. If I should do something now, list the first three steps in order.
Message: [paste here]"
I already clicked — what now?
"I clicked a link in what I now believe was a phishing email. On the page I clicked, I entered [my email and password / my credit card number / my ID document / a two-factor code]. Please build me a calm step-by-step recovery plan for the next 30 minutes, in order of priority. Then tell me what I should monitor for the next two weeks."
A reminder: AI can be confidently wrong about the legality, contact numbers, or recovery rights in your specific country. Use the AI to think with, not to replace a quick verification with the real bank or authority.
Who to call
The order is almost always the same:
- Your bank — if money or card details are involved. The official number on the back of your card or in your bank's app, never the one in the message.
- The real organisation being impersonated. Find their official contact page yourself and report the phishing — they keep records and use them to take down fake sites.
- The platform the message came from (email provider, SMS carrier, messenger). Most have a one-click "report phishing" or "report scam" feature.
- Your country's anti-fraud authority.
Find the latest for your country with AI:
"I'm in [your country]. List the official government and law-enforcement bodies I should report a phishing attempt or online fraud to — anti-fraud authority, national cybersecurity centre, police cybercrime unit, banking ombudsman, telecom anti-spam SMS short-code if any. For each, give the official website URL and public phone number, and tell me which to contact first depending on whether (a) money has moved, (b) only a password was given, or (c) an ID document was given. Cite the official source page for each. If anything might be outdated, say so."
A short list, by language and country (curated — prefer the AI prompt above for the very latest):
- English:
  - UK — Action Fraud (actionfraud.police.uk); forward suspicious emails to report@phishing.gov.uk; SMS to 7726.
  - US — Federal Trade Commission (reportfraud.ftc.gov); SMS to 7726.
  - Canada — Canadian Anti-Fraud Centre (antifraudcentre-centreantifraude.ca).
  - Australia — Scamwatch (scamwatch.gov.au).
  - Ireland — Garda National Cyber Crime Bureau.
  - South Africa — South African Banking Risk Information Centre (sabric.co.za); SAPS Cyber Crimes Unit (saps.gov.za).
  - Nigeria — Economic and Financial Crimes Commission (efcc.gov.ng); Nigerian Communications Commission (ncc.gov.ng); Nigeria Police cybercrime unit.
  - Ghana — Cyber Security Authority (csa.gov.gh); Economic and Organised Crime Office (eoco.gov.gh).
  - Kenya — DCI Cyber Crime Unit (dci.go.ke); Communications Authority (ca.go.ke).
- German:
  - Germany — Verbraucherzentrale (verbraucherzentrale.de) for consumer guidance; BSI für Bürger (bsi.bund.de) for technical advice; local Polizei for criminal report.
  - Austria — Watchlist Internet (watchlist-internet.at).
  - Switzerland — National Cyber Security Centre (ncsc.admin.ch); report phishing pages at antiphishing.ch.
- French:
  - France — Pharos (internet-signalement.gouv.fr) for criminal content; Cybermalveillance.gouv.fr for victim guidance.
  - Belgium — Centre for Cybersecurity Belgium (safeonweb.be); forward suspicious mail to suspect@safeonweb.be.
  - Switzerland (FR) — antiphishing.ch.
  - Côte d'Ivoire — Plateforme de Lutte Contre la Cybercriminalité (cybercrime.interieur.gouv.ci).
  - Senegal — Direction Spéciale de Lutte contre la Cybercriminalité (national police).
  - Morocco — maCERT (cert.ma); DGSN cybercrime unit.
- Italian:
  - Italy — Polizia Postale e delle Comunicazioni (commissariatodips.it).
  - Switzerland (IT) — antiphishing.ch.
- Spanish:
  - Spain — INCIBE / OSI (incibe.es, osi.es), or call 017 for free citizen support.
  - Mexico — Condusef for banking fraud; Policía Cibernética via local 911.
  - Colombia — CAI Virtual (caivirtual.policia.gov.co); MinTIC.
  - Argentina — UFECI (mpf.gob.ar/ufeci); specialized cybercrime prosecutors.
  - Chile — CSIRT Gob (csirt.gob.cl); BRICIB (Policía de Investigaciones).
  - Peru — DIVINDAT (PNP); INDECOPI for consumer protection; pecert.gob.pe.
- Portuguese:
  - Portugal — Centro Nacional de Cibersegurança (cncs.gov.pt); Linha Internet Segura (1407).
  - Brazil — CERT.br for reporting; consumer-protection (Procon) for financial loss.
- Polish:
  - Poland — CERT Polska (cert.pl); online reports at incydent.cert.pl; Police Central Cybercrime Bureau (cbzc.policja.gov.pl); dyzurnet.pl for illegal content.
- Japanese:
  - Japan — JPCERT/CC (jpcert.or.jp); Anti-Phishing Council Japan (antiphishing.jp); dial #9110 for police consultation.
If your country isn't listed, use the AI prompt above, or search for "[your country] national cybersecurity centre" or "[your country] anti-fraud reporting". Most have a single official portal.
When to escalate beyond chat
- Money has already moved — speed of bank notification matters more than anything else. Call the bank's emergency line now; chargebacks and reversals get much harder after 24 hours.
- A work or shared account was compromised — tell the IT team or the account owner immediately. Don't try to fix it alone for them; the cleanup needs to be coordinated.
- You handed over an ID document, passport, or full identity profile — this is no longer phishing recovery, it's potential identity theft. See Identity Theft Recovery and contact your national identity authority.
- You are being blackmailed after a phishing site recorded you, or after intimate images were involved — do not pay. Document everything (screenshots with timestamps), and report to your national police cybercrime unit. Paying does not stop the demand; it confirms you will pay again.
- An elderly family member has been targeted in an ongoing scam (the "your grandchild is in trouble" pattern, the fake bank-fraud-department call) — get on the phone with the bank with them, freeze cards, and consider a family conversation about a 24-hour wait rule on any new payment request.
Related topics
- "I've Been Hacked" — what to do when phishing has succeeded and the account is acting strangely.
- Passwords & Two-Factor — the single best protection against phishing is a password manager plus a strong second factor.
- Identity Theft Recovery — if the phisher got your full identity, not just a password.
- Romance & Crypto Fraud — long-form phishing that develops over weeks rather than seconds.
- "Your Data Was Leaked" — many phishing campaigns are personalised using data from past breaches.