
How to Recognise a Phishing Email: Guide for UK Staff

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.


Why Recognising Phishing Matters

Phishing remains the single most significant cyber threat facing UK businesses. As part of any effective cybersecurity strategy, training staff to recognise phishing emails is one of the highest-value investments an organisation can make. Despite advances in email filtering technology, phishing emails continue to reach inboxes — and a single click by a single employee can lead to credential theft, ransomware infection, data breach, or financial fraud.

The statistics are stark. According to the DSIT Cyber Security Breaches Survey 2025, phishing was involved in 85% of the breaches or attacks that UK businesses identified, making it by far the most common attack type reported (DSIT 2025). Across all UK businesses, 43% experienced a cybersecurity breach or attack in the past 12 months (DSIT 2025). IBM's Cost of a Data Breach report put the average cost for UK organisations at £3.4 million (IBM 2024), so the ability to recognise and avoid phishing is a genuinely valuable skill for every member of staff, not just the IT team.

The Warning Signs of a Phishing Email

Spoofed or Suspicious Sender Address

The most important habit to develop is checking the actual email address, not just the display name. Attackers routinely set the display name to something familiar — a colleague's name, a bank's brand, or a well-known service like Microsoft or Royal Mail — whilst sending from a completely different domain. The display name "John Smith - Finance Director" might be paired with an email address from a random domain that has no connection to your organisation.

Look for subtle misspellings in the domain: amv1a.co.uk instead of amvia.co.uk, or micro-soft.com instead of microsoft.com. Attackers also register domains with added words such as -secure, -support, or -login to appear legitimate, and they often set a Reply-To address at a domain they control so that your answer goes to them even when the From address looks plausible. Many mobile mail clients show only the display name until you tap it, so mobile users are particularly exposed to this technique: expand the sender and read the full address before acting on anything.
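
The checks described above, expressed as a small Python triage script. This is an added example, not code from AMVIA or from the original page: the trusted domains, the colleague directory and the confusable-character table are constructed assumptions, and the public-suffix handling is deliberately simplified (a real tool would use the Public Suffix List).

```python
import difflib
import email.utils

# Constructed reference data for this example (hypothetical): the domains the
# organisation and its known suppliers really send from, and the domain each
# named colleague sends from.
TRUSTED_DOMAINS = {"amvia.co.uk", "microsoft.com", "royalmail.com"}
KNOWN_PEOPLE = {"john smith": "amvia.co.uk"}

# Characters that look alike on screen, folded to one canonical form. Both the
# trusted label and the candidate are folded, so amv1a and amvia compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("3", "e"), ("5", "s")]
# Words attackers bolt onto a brand to look official (microsoft-support.com).
OFFICIAL_AFFIXES = ("secure", "support", "login", "verify", "account", "billing", "alert", "invoice")


def registrable_domain(host: str) -> str:
    """mail.amvia.co.uk -> amvia.co.uk, login.example.com -> example.com.
    Simplified public-suffix handling: co/org/gov/ac/net under a two-letter
    country code is treated as a two-part suffix."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host  # bare IP address, nothing to strip
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "org", "gov", "ac", "net"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def fold(label: str) -> str:
    """Drop hyphens and fold look-alike characters: micro-soft -> mlcrosoft."""
    label = label.replace("-", "")
    for lookalike, base in CONFUSABLES:
        label = label.replace(lookalike, base)
    return label


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks suspicious; empty means none found."""
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    label = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label = trusted.split(".")[0]
        similarity = difflib.SequenceMatcher(None, label, t_label).ratio()
        # Look-alike domain: identical after folding, or a near-miss typo-squat.
        if fold(label) == fold(t_label) or similarity >= 0.8:
            findings.append(f"sending domain {domain} looks like {trusted}")
        # Brand wrapped in an official-sounding name: microsoft-support.net.
        elif t_label in label and any(a in label for a in OFFICIAL_AFFIXES):
            findings.append(f"sending domain {domain} wraps the brand {t_label} in an official-sounding name")
        # Display name claims the brand while the address is somewhere else.
        if t_label in display.lower():
            findings.append(f"display name '{display}' claims {trusted} but the address is @{domain}")
    # Display name of a known colleague paired with a domain they never use.
    person = display.lower().split(" - ")[0].strip()
    if person in KNOWN_PEOPLE and KNOWN_PEOPLE[person] != domain:
        findings.append(f"display name '{display}' is a known colleague who sends from @{KNOWN_PEOPLE[person]}, not @{domain}")
    return findings


if __name__ == "__main__":
    for header in (
        "John Smith - Finance Director <john.smith@amvia.co.uk>",
        "John Smith - Finance Director <john.smith@mail-relay.example>",
        "Microsoft Account Team <security@micro-soft.com>",
        "IT Helpdesk <helpdesk@amv1a.co.uk>",
        "Microsoft Support <no-reply@microsoft-support.net>",
    ):
        print(header, "->", check_sender(header) or "no findings")
```

The folding step is what catches amv1a: it maps the digit 1 and the letter i to the same canonical character before comparing, so the candidate and the genuine domain compare equal. The similarity ratio is a second, looser net for single-character typos that the fold table does not cover.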

Urgency and Pressure Tactics

Phishing emails almost always create artificial urgency designed to prevent the recipient from thinking carefully. Common pressure phrases include "Your account will be suspended within 24 hours," "Immediate action required to avoid penalty," "Your payment has failed — update your details now," and "Respond today or your access will be revoked." Legitimate organisations rarely demand instant action by email without prior notice or alternative communication. If an email creates a sense of panic, that emotional response is exactly what the attacker is engineering.

Suspicious Links

Before clicking any link in an email, hover your mouse over it (or long-press it on a phone or tablet) to see the actual destination URL. A link that displays as "Microsoft 365 Login" may point to a completely unrelated domain hosting a fake login page designed to capture your credentials. Be especially cautious with shortened URLs (bit.ly, tinyurl.com) that hide the true destination even when you hover, links in unexpected emails from unfamiliar senders, and URLs that use misleading subdomains such as microsoft.login.malicious-site.com, where "microsoft" appears in the URL but the actual domain (the part just before the top-level domain) is malicious-site.com. Read the hostname from the right-hand end, not the left.

If you need to access a service mentioned in an email, type the address directly into your browser or use a saved bookmark rather than clicking the link in the email. This simple habit defeats the majority of credential phishing attacks.
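
The same inspection a hover performs, done over a whole HTML message body so that every anchor's visible text is compared with where its href really points. This is an added example, not the page's or AMVIA's code: the trusted domains, brand list and the sample message are constructed, and registrable_domain is the same simplified public-suffix helper used in the sender example above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reference data (hypothetical): domains genuinely used by the
# organisation and the services it relies on, brand words to watch for, and
# well-known URL shorteners that hide the real destination.
TRUSTED_DOMAINS = {"amvia.co.uk", "microsoft.com", "microsoftonline.com", "royalmail.com"}
BRANDS = ("microsoft", "office", "hmrc", "royalmail", "amvia")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Visible link text that is itself a URL or hostname, e.g. www.amvia.co.uk/account
HOST_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Strip subdomains, keeping co.uk-style two-part suffixes (simplified)."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "org", "gov", "ac", "net"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body:
    what the reader sees next to where the link really goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body: str) -> list[str]:
    """Return one finding per suspicious property of each link; never follows the link."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            findings.append(f"'{text}' has a non-web destination: {href}")
            continue
        domain = registrable_domain(host)
        if domain in SHORTENERS:
            findings.append(f"'{text}' goes through URL shortener {domain}; the true destination is hidden")
            continue
        # Text that looks like a URL must agree with the real host.
        shown = HOST_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != domain:
            findings.append(f"link text shows {shown.group(1)} but the link goes to {host}")
        # Brand name planted in a subdomain of an unrelated domain.
        subdomains = host[: len(host) - len(domain)].rstrip(".")
        for brand in BRANDS:
            if brand in subdomains and brand not in domain:
                findings.append(f"'{brand}' sits in the subdomain of {host}; the real domain is {domain}")
        # Brand named in the text, destination not on the trusted list.
        if domain not in TRUSTED_DOMAINS and any(b in text.lower() for b in BRANDS):
            findings.append(f"'{text}' names a brand but points at untrusted domain {domain}")
    return findings


# Constructed message body for the example; the hosts are illustrative.
SAMPLE_BODY = """
<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<a href="https://login.microsoftonline.com/">Sign in to Microsoft 365</a>
<a href="https://microsoft.login.malicious-site.com/auth">Microsoft 365 Login</a>
<a href="https://bit.ly/3abcxyz">View your invoice</a>
<a href="http://198.51.100.7/verify">https://www.amvia.co.uk/account</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_BODY):
        print(finding)
```

Run against the constructed body, the genuine Microsoft sign-in link produces no findings, while the other three links produce five between them: the planted "microsoft" subdomain, the shortener, and the link whose visible text is a www.amvia.co.uk address but whose href is a bare IP.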

Unexpected Attachments

Unexpected attachments are a primary delivery mechanism for malware and ransomware. Be particularly cautious with ZIP or RAR archive files (often used to bypass email filtering, especially when the archive is password-protected and the password is given in the email body, so that scanners cannot look inside), Microsoft Office documents that prompt you to "enable macros" or "enable content," executable files and scripts (.exe, .bat, .cmd, .ps1, .vbs, .js), Windows shortcuts (.lnk) and disk images (.iso, .img), and documents with unusual file extensions or double extensions such as invoice.pdf.exe. Windows hides known file extensions by default, so invoice.pdf.exe is displayed as invoice.pdf with an icon the attacker can choose; the real type is visible only in the file's properties or once extensions are shown. If you receive an unexpected attachment from a known contact, verify with them directly before opening, because their account may have been compromised.
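
A mail gateway or helpdesk script can apply the same rules mechanically: look at the extension chain, look at the first bytes of the content rather than trusting the name, and open zip archives to inspect what they contain. This is an added example, not code from the page or from AMVIA; the extension lists are the author's assumptions, and the sample files (a zip containing a fake invoice.pdf.exe, a "PDF" that starts with an executable header) are constructed in the code itself.

```python
import io
import zipfile

# Extension groups used by the checks. Archives other than zip (rar, 7z) need
# third-party libraries, so only zip contents are inspected in this example.
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "ps1", "js", "vbs", "scr", "hta", "lnk", "msi", "dll"}
MACRO_EXTS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}  # legacy and macro-enabled Office formats
DOCUMENT_EXTS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "jpg", "png"}
ARCHIVE_EXTS = {"zip"}
# Leading bytes that identify a file type regardless of its name.
MAGIC = ((b"MZ", "Windows executable"), (b"%PDF", "PDF"), (b"PK\x03\x04", "zip container"))


def sniff(data: bytes) -> str:
    """Identify the content type from its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_name(name: str) -> list[str]:
    """Findings based on the file name alone: executable types, macro-capable
    Office types and double extensions such as invoice.pdf.exe."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return []
    ext = parts[-1]
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable file type .{ext}")
    if ext in MACRO_EXTS:
        findings.append(f"{name}: Office format that can carry macros (.{ext})")
    # With "hide extensions for known file types" on, Windows shows invoice.pdf.exe as invoice.pdf.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        findings.append(f"{name}: document extension .{parts[-2]} hides the real type .{ext}")
    return findings


def check_attachment(name: str, data: bytes) -> list[str]:
    """Combine name-based checks with a look at the bytes and, for zips, the contents."""
    findings = classify_name(name)
    ext = name.lower().rsplit(".", 1)[-1]
    if sniff(data) == "Windows executable" and ext not in EXECUTABLE_EXTS:
        findings.append(f"{name}: content is a Windows executable despite the .{ext} extension")
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted entry
                        findings.append(f"{name}: {info.filename} is encrypted, so filters cannot inspect it")
                    for inner in classify_name(info.filename):
                        findings.append(f"{name} contains {inner}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: named as a zip but not a valid archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a fake executable with a double extension.
    The payload is a placeholder header, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Invoice_2025.zip", build_sample_zip()),
        ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("Q3_report.docx", b"PK\x03\x04" + b"\x00" * 60),
        ("Payment_details.xlsm", b"PK\x03\x04" + b"\x00" * 60),
    ]
    for name, data in samples:
        print(name, "->", check_attachment(name, data) or "no findings")
```

The content sniff is the check a user cannot do by eye: a file called statement.pdf whose first two bytes are MZ is a Windows executable whatever its name says, and the script flags it even though the name alone passes every extension rule.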

Grammar, Formatting, and Branding Errors

Whilst AI tools have made phishing emails more grammatically polished than in previous years, many still contain telltale signs: awkward phrasing that does not sound like natural British English, inconsistent capitalisation, unusual punctuation, formatting that differs from genuine communications, and branding elements (logos, colours, fonts) that are slightly wrong. A poorly formatted "invoice" from a known supplier, or a message from "your bank" with a logo that looks slightly different from normal, is a red flag worth investigating.

Requests for Credentials or Personal Information

Legitimate services, including banks, HMRC, Microsoft, and your own IT department, will never ask you to provide your password by email. Any email requesting login credentials, credit card numbers, National Insurance numbers, or other sensitive personal data should be treated as highly suspicious regardless of how official it appears. Genuine password reset emails arrive only when you have just asked for one yourself; an unsolicited reset link, or a message telling you that you must "re-verify" your account, is a red flag. Even for a reset you did request, it is safer to open the service's website yourself and start the reset from there.

Spear Phishing: The Targeted Threat

Generic phishing campaigns are sent in bulk with minimal personalisation — the same email goes to thousands of recipients. Spear phishing is fundamentally different: the attacker researches their specific victim using LinkedIn, company websites, social media, and publicly available information to craft a message that is personally relevant and therefore far more convincing.

A spear phishing email might reference your actual job title, your manager's name, a project you are known to be working on, or a conference you recently attended. It might appear to come from a supplier you genuinely work with, referencing a real purchase order number obtained from publicly available procurement data. These attacks are substantially harder to detect than generic phishing and are increasingly used against UK SMEs, particularly against finance teams and senior executives.

Business email compromise (BEC) is a form of spear phishing where the attacker impersonates a trusted person, typically a CEO, finance director, or known supplier, to authorise a fraudulent payment or request sensitive information. BEC attacks frequently contain no malware, no malicious links, and no attachments, so filters that look for malicious content have little to detect. The defence is procedural rather than technical: treat any request to change bank details, pay a new supplier, or make an urgent or unusual payment as unverified until it has been confirmed by calling the requester on a number you already hold (not one in the email), and require a second approver for payments above an agreed threshold.

What to Do If You Receive a Suspicious Email

  • Do not click any links or open any attachments in the suspicious email
  • Do not reply to the email or provide any information the sender has requested
  • Report it immediately using your organisation's suspicious email reporting process — in Microsoft 365, use the Report Message button in Outlook
  • If you are unsure whether an email is genuine, contact the apparent sender through a known phone number or a separately typed web address — never by replying to the email or using contact details contained within it
  • For emails claiming to be from HMRC, banks, or other official bodies, visit the organisation's website directly by typing the address into your browser
  • Forward suspected phishing emails to report@phishing.gov.uk — the NCSC's Suspicious Email Reporting Service (SERS)

What to Do If You Have Already Clicked

If you have clicked a link in a phishing email or entered credentials on a suspicious page, act immediately. Time is critical in limiting the damage from a successful phishing attack.

  • Notify your IT team or managed service provider immediately — do not wait to see if anything happens
  • Change the password for any account whose credentials you may have entered, using a different device if possible, and ask your IT team to revoke your active sign-in sessions as well: if the fake page relayed your login to the real service, the attacker may hold a valid session that a password change alone does not end. If you approved a multi-factor authentication prompt during the incident, say so
  • If you use the same password on other accounts (which you should not, but many people do), change those passwords too
  • Do not delete the phishing email — your IT team needs it to investigate the attack and protect other staff who may have received the same message
  • Note the time you clicked and what information you entered — this helps the incident response process

Only 14% of UK businesses have a formal incident response plan (DSIT 2025). Having a clear, communicated procedure for reporting phishing — and acting on reports quickly — is one of the most effective organisational controls against phishing damage.

Phishing Simulation Training

Reading about phishing is valuable, but the most effective training involves realistic, practical simulations. AMVIA's phishing simulation service sends safe, realistic test phishing emails to your team — impersonating delivery notifications, IT alerts, HR communications, or Microsoft 365 messages — and measures who clicks links or enters credentials.

Staff who fail simulations receive immediate, contextual training at the point of failure, which is generally more effective than annual classroom-based security awareness sessions because the lesson is attached to the exact email that caught them out. Over successive quarterly campaigns, click rates typically decrease significantly, demonstrating measurable improvement in organisational resilience. With 85% of breaches involving phishing (DSIT 2025), reducing your staff's susceptibility to phishing through regular simulation training directly reduces your overall breach risk.

Quarterly reports break down results by department, seniority level, and simulation theme, enabling targeted follow-up training for the areas of highest risk. AMVIA's simulation campaigns use varied and evolving scenarios to maintain engagement and prevent staff from becoming complacent about a single type of test.


Getting Started

Practical first steps for businesses of any size.

Key Considerations

Assess your current position and identify gaps

Understand relevant UK regulations and standards

Implement appropriate technical controls

Train staff on security awareness

Review and update regularly

Consider managed service options for specialist areas


Need Help With This?

AMVIA can assess your current position and recommend practical next steps.
