Email and SMS phishing: how to spot it and what to do
Phishing and smishing rely on urgency: fake parcels, fake tax bills, fake account alerts. Learn how to recognise them and what to do if you clicked.
Phishing is the art of pretending to be someone you trust so that you hand over something valuable: a password, a card number, a copy of your ID. It arrives by email, by text message (where it is called smishing), or through chat apps. The message changes, but the goal never does, and neither does the trigger it pulls.
It runs on urgency, not persuasion
A phishing message does not need to convince you. It only needs to rush you. A parcel is stuck, an account is suspended, a fine is due tonight, a refund is waiting. The clock is the weapon. When you feel you have to act this second, the careful checks you would normally make quietly disappear.
On top of the pressure sits imitation. Logos, colours, an official tone, a sender name that looks right. Some copies are clumsy. Others are polished enough to fool careful people on a busy day.
What to look for
No single clue proves a scam, but together they tell a clear story.
- Urgency or a threat: a blocked account, a closing case, a penalty.
- A request for sensitive data: password, security code, card number, IBAN.
- A link whose real address does not match the organisation it claims to be from.
- A sender address that is subtly misspelled, or hidden behind a friendly display name.
- Odd details: clumsy phrasing, generic greetings, a layout that is almost but not quite right.
When you are unsure, paste the message into our phishing analyser for a quick risk read, or drop a suspect link into the URL checker before you ever tap it.
The disguises change, the trick does not
Phishing dresses up in whatever pretext is working that week. Fake delivery notices spike around the holidays. Fake tax and fine notices appear near filing deadlines. Fake bank alerts ride on real anxiety about fraud. The decor shifts; the underlying ask is always the same.
If you clicked
Take a breath. The link by itself is usually not the problem.
- If you entered card details, contact your bank right away and freeze the card.
- If you typed a password, change it from a device you trust, and turn on two-factor authentication.
- Watch your accounts and statements over the following days for anything unexpected.
A reputable security suite with anti-phishing protection, such as Bitdefender, can also block many fraudulent pages before they ever load, on both phone and computer.
Where to report
Reporting is quick and it protects the next person in line. Forward the message to your national reporting service, then delete it. In the UK that is Action Fraud; in the US, the FTC. Many scams that begin as a text quickly turn into a phone call from a fake "bank security" team, so it is worth knowing the tactics behind banking scams too, and how phone scams try to finish what the message started.
The thread running through all of it is simple. Trusted organisations do not rush you, and they do not ask for codes or passwords by message. When something insists you act now, that insistence is the warning.
Related reading
Fake bank email: spotting the booby-trapped security alert
An email imitates your bank and asks you to confirm a transaction or your details. Here is how to spot the forged sender and respond safely.
Fake parcel text scam: how to spot it and what to do
A text says a parcel is stuck and asks for a small fee. Here is how this very common scam works and the right way to respond.
Fake streaming email: the suspended account that steals your card
Payment declined, subscription suspended, card to update: this fake streaming email targets your bank details. Here is how to identify it and respond.
Fake tax refund or fine texts: do not fall for the trap
A text promises a tax refund or warns of an unpaid fine with a payment link. How to spot this scam and reach the genuine service instead.
Social media phishing: protecting your account from theft
Fake deletion notices, fake badge verification, fake copyright claims: here is how scammers steal social accounts and how to stop them.