Guide

How to Recognise a Phishing Email: Guide for UK Staff

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Learn more

What are the warning signs of a phishing email?

Six signals catch most phishing: a sender domain that does not match the display name, manufactured urgency, links that hover to a different URL, unexpected attachments, sloppy grammar or branding, and any request for credentials. Real attackers usually combine several. The fastest, most reliable check is the sender domain.

Phishing is not a fringe risk. According to the DSIT Cyber Security Breaches Survey 2025, 85% of breaches experienced by UK businesses involved phishing (DSIT 2025), and 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months — approximately 612,000 businesses affected (DSIT 2025). Teaching every member of staff to spot these signs is one of the highest-value controls a business can buy, and it sits at the centre of a sound managed cybersecurity programme.

  • Spoofed sender — the display name reads "John Smith - Finance Director" but the address is an unrelated domain
  • Urgency — "Your account will be suspended within 24 hours" or "Immediate action required"
  • Bad links — the visible text says "Microsoft 365 Login" but the URL points elsewhere
  • Unexpected attachments — ZIP/RAR archives, macro-enabled Office files, or `.exe`/`.bat` executables
  • Branding errors — wrong logo, off colours, awkward non-British phrasing
  • Credential requests — no legitimate service asks for your password by email

How do you check a suspicious sender address?

Read the actual email address, not the display name. Attackers set the display name to a trusted brand — Microsoft, Royal Mail, a colleague — while sending from a different domain. On mobile, the address is often hidden behind the name, which is why mobile users are caught more often.

Look for lookalike domains: `amv1a.co.uk` instead of `amvia.co.uk`, or `micro-soft.com` instead of `microsoft.com`. Watch for added words like `-secure`, `-support` or `-login` bolted onto a known brand to look official. If the domain is even slightly wrong, treat the whole message as hostile and verify through a channel you already trust.

How do you spot a malicious link or attachment?

Before clicking, hover over the link to reveal the real destination. A link labelled "Microsoft 365 Login" may resolve to a credential-harvesting page. Be wary of shortened URLs (`bit.ly`, `tinyurl.com`) and misleading subdomains like `microsoft.login.malicious-site.com`, where the true domain is `malicious-site.com`.

If you need a service mentioned in an email, type the address into your browser or use a saved bookmark instead of clicking. For attachments, the highest-risk types are archive files, macro-enabled Office documents that ask you to "enable content", executables, and double extensions such as `invoice.pdf.exe`. If an attachment arrives unexpectedly — even from a known contact — confirm with them on a separate channel before opening, because their account may already be compromised. Microsoft documents the full attack surface in its phishing guidance.

How is spear phishing different from mass phishing?

Mass phishing blasts an identical email to thousands of recipients and relies on volume. Spear phishing targets one person, using LinkedIn, company websites and social media to reference your job title, current project or manager by name — so it slips past the obvious red flags of generic phishing.

Business email compromise (BEC) is the most damaging variant: the attacker impersonates a CEO, finance director or supplier to authorise a fraudulent payment. BEC often carries no malware, no links and no attachments, making it invisible to technical filtering — the only defence is a recipient who questions the request. If your finance team is a target, pair this awareness with our business email compromise protection and broader email security controls.

Mass phishingSpear phishing / BEC
AudienceThousands, untargetedOne named individual
PersonalisationMinimalJob title, projects, real contacts
PayloadLinks / malwareOften none — pure social engineering
Filter detectionUsually caughtFrequently invisible
Primary defenceEmail filteringTrained, sceptical recipient

What should you do with a suspicious email?

Do not click, reply or open attachments. Report it through your organisation's process — in Microsoft 365 that is the Report Message button in Outlook — and forward it to the NCSC. Prompt reporting protects colleagues who received the same message and feeds national threat intelligence.

  • Do not click links or open attachments, and do not reply
  • Report it via the Report Message button in Outlook
  • Verify any request through a known phone number or a separately typed web address — never details in the email
  • Forward suspected phishing to report@phishing.gov.uk, the NCSC Suspicious Email Reporting Service (SERS)
  • For messages claiming to be from HMRC or your bank, go to their website directly

What should you do if you have already clicked?

Act immediately — time limits the damage. Tell your IT team or managed provider before checking whether anything "happens", change any exposed passwords from a clean device, and keep the email so it can be investigated. Speed of response is the single biggest factor in containing a successful phishing attack.

Yet only 14% of UK businesses have a formal incident response plan (DSIT 2025), and the average cost of the most disruptive breach is £3,550 (DSIT 2025). A clear, rehearsed procedure — backed by AMVIA's incident response team and managed detection and response — turns a panic into a contained event.

  • Notify IT or your MSP first — do not wait
  • Change exposed passwords (and any reused ones) from a different device
  • Do not delete the email; it is evidence
  • Note the time you clicked and what you entered

How does phishing simulation training help?

Reading about phishing helps; practising beats it. AMVIA's phishing simulation training sends safe, realistic test emails — impersonating delivery alerts, IT notices or Microsoft 365 messages — and measures who clicks. Staff who fail get immediate, contextual coaching at the point of failure, which sticks better than annual classroom sessions.

Quarterly reports break results down by department, seniority and theme, so you can target follow-up training where risk is highest. With 85% of breaches involving phishing (DSIT 2025), lowering staff susceptibility directly lowers breach risk. AMVIA pairs this human layer with Microsoft Defender and Barracuda email filtering — one accountable provider, security-first, staffed by Microsoft-certified engineers.

Key Points

What you need to know.

Why It Matters

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).

How It Works

67% of medium businesses and 74% of large businesses reported breaches in 2025.

UK Requirements

Relevant UK regulations, standards, and compliance considerations.

Getting Started

Practical first steps for businesses of any size.

Key Considerations

Assess your current position and identify gaps

Understand relevant UK regulations and standards

Implement appropriate technical controls

Train staff on security awareness

Review and update regularly

Consider managed service options for specialist areas

Frequently Asked Questions

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.