How to Recognise a Phishing Email: Guide for UK Staff
A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.
Overview
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
Learn moreWhat are the warning signs of a phishing email?
Six signals catch most phishing: a sender domain that does not match the display name, manufactured urgency, links that hover to a different URL, unexpected attachments, sloppy grammar or branding, and any request for credentials. Real attackers usually combine several. The fastest, most reliable check is the sender domain.
Phishing is not a fringe risk. According to the DSIT Cyber Security Breaches Survey 2025, 85% of breaches experienced by UK businesses involved phishing (DSIT 2025), and 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months — approximately 612,000 businesses affected (DSIT 2025). Teaching every member of staff to spot these signs is one of the highest-value controls a business can buy, and it sits at the centre of a sound managed cybersecurity programme.
- Spoofed sender — the display name reads "John Smith - Finance Director" but the address is an unrelated domain
- Urgency — "Your account will be suspended within 24 hours" or "Immediate action required"
- Bad links — the visible text says "Microsoft 365 Login" but the URL points elsewhere
- Unexpected attachments — ZIP/RAR archives, macro-enabled Office files, or `.exe`/`.bat` executables
- Branding errors — wrong logo, off colours, awkward non-British phrasing
- Credential requests — no legitimate service asks for your password by email
How do you check a suspicious sender address?
Read the actual email address, not the display name. Attackers set the display name to a trusted brand — Microsoft, Royal Mail, a colleague — while sending from a different domain. On mobile, the address is often hidden behind the name, which is why mobile users are caught more often.
Look for lookalike domains: `amv1a.co.uk` instead of `amvia.co.uk`, or `micro-soft.com` instead of `microsoft.com`. Watch for added words like `-secure`, `-support` or `-login` bolted onto a known brand to look official. If the domain is even slightly wrong, treat the whole message as hostile and verify through a channel you already trust.
How do you spot a malicious link or attachment?
Before clicking, hover over the link to reveal the real destination. A link labelled "Microsoft 365 Login" may resolve to a credential-harvesting page. Be wary of shortened URLs (`bit.ly`, `tinyurl.com`) and misleading subdomains like `microsoft.login.malicious-site.com`, where the true domain is `malicious-site.com`.
If you need a service mentioned in an email, type the address into your browser or use a saved bookmark instead of clicking. For attachments, the highest-risk types are archive files, macro-enabled Office documents that ask you to "enable content", executables, and double extensions such as `invoice.pdf.exe`. If an attachment arrives unexpectedly — even from a known contact — confirm with them on a separate channel before opening, because their account may already be compromised. Microsoft documents the full attack surface in its phishing guidance.
How is spear phishing different from mass phishing?
Mass phishing blasts an identical email to thousands of recipients and relies on volume. Spear phishing targets one person, using LinkedIn, company websites and social media to reference your job title, current project or manager by name — so it slips past the obvious red flags of generic phishing.
Business email compromise (BEC) is the most damaging variant: the attacker impersonates a CEO, finance director or supplier to authorise a fraudulent payment. BEC often carries no malware, no links and no attachments, making it invisible to technical filtering — the only defence is a recipient who questions the request. If your finance team is a target, pair this awareness with our business email compromise protection and broader email security controls.
| Mass phishing | Spear phishing / BEC | |
|---|---|---|
| Audience | Thousands, untargeted | One named individual |
| Personalisation | Minimal | Job title, projects, real contacts |
| Payload | Links / malware | Often none — pure social engineering |
| Filter detection | Usually caught | Frequently invisible |
| Primary defence | Email filtering | Trained, sceptical recipient |
What should you do with a suspicious email?
Do not click, reply or open attachments. Report it through your organisation's process — in Microsoft 365 that is the Report Message button in Outlook — and forward it to the NCSC. Prompt reporting protects colleagues who received the same message and feeds national threat intelligence.
- Do not click links or open attachments, and do not reply
- Report it via the Report Message button in Outlook
- Verify any request through a known phone number or a separately typed web address — never details in the email
- Forward suspected phishing to report@phishing.gov.uk, the NCSC Suspicious Email Reporting Service (SERS)
- For messages claiming to be from HMRC or your bank, go to their website directly
What should you do if you have already clicked?
Act immediately — time limits the damage. Tell your IT team or managed provider before checking whether anything "happens", change any exposed passwords from a clean device, and keep the email so it can be investigated. Speed of response is the single biggest factor in containing a successful phishing attack.
Yet only 14% of UK businesses have a formal incident response plan (DSIT 2025), and the average cost of the most disruptive breach is £3,550 (DSIT 2025). A clear, rehearsed procedure — backed by AMVIA's incident response team and managed detection and response — turns a panic into a contained event.
- Notify IT or your MSP first — do not wait
- Change exposed passwords (and any reused ones) from a different device
- Do not delete the email; it is evidence
- Note the time you clicked and what you entered
How does phishing simulation training help?
Reading about phishing helps; practising beats it. AMVIA's phishing simulation training sends safe, realistic test emails — impersonating delivery alerts, IT notices or Microsoft 365 messages — and measures who clicks. Staff who fail get immediate, contextual coaching at the point of failure, which sticks better than annual classroom sessions.
Quarterly reports break results down by department, seniority and theme, so you can target follow-up training where risk is highest. With 85% of breaches involving phishing (DSIT 2025), lowering staff susceptibility directly lowers breach risk. AMVIA pairs this human layer with Microsoft Defender and Barracuda email filtering — one accountable provider, security-first, staffed by Microsoft-certified engineers.
Key Points
What you need to know.
Why It Matters
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025).
How It Works
67% of medium businesses and 74% of large businesses reported breaches in 2025.
UK Requirements
Relevant UK regulations, standards, and compliance considerations.
Getting Started
Practical first steps for businesses of any size.
Key Considerations
Assess your current position and identify gaps
Understand relevant UK regulations and standards
Implement appropriate technical controls
Train staff on security awareness
Review and update regularly
Consider managed service options for specialist areas
Frequently Asked Questions
The clearest signals are a mismatch between the display name and the real sender domain, manufactured urgency demanding immediate action, links that reveal a different URL on hover, unexpected attachments, and any request for passwords or bank details. With 85% of UK breaches involving phishing (DSIT 2025), training every employee to spot these indicators is one of the highest-value security investments a business can make.
Read the address itself, not the friendly display name. Look for lookalike domains such as `amv1a.co.uk` for `amvia.co.uk`, or added words like `-secure` and `-login` attached to a known brand. On mobile the address is often hidden, so tap to expand it. If the domain is even slightly wrong, treat the message as hostile and verify through a channel you already trust.
Do not click links or open attachments. Use the Report Message button in Microsoft Outlook to alert your IT team, then forward the email to report@phishing.gov.uk, the NCSC's Suspicious Email Reporting Service. Reporting quickly protects colleagues who received the same message and feeds national threat intelligence used to disrupt active phishing campaigns across the UK.
Mass phishing sends identical emails to thousands of people and relies on volume. Spear phishing targets one person using details from LinkedIn, company websites and social media — referencing your job title, projects or manager by name. These personalised messages bypass the obvious red flags, which is why they are increasingly aimed at UK finance teams and senior executives.
Yes. Filtering catches most bulk phishing, but business email compromise often contains no malware, no links and no attachments, so it slips through technical controls. The average cost of a data breach for UK organisations reached £3.58 million (IBM 2024). A trained, sceptical recipient backed by simulation training is the only reliable defence against this filter-invisible category.
Yes. Realistic simulations with point-of-failure coaching consistently outperform annual classroom sessions, and click rates fall across successive quarterly campaigns. With 85% of breaches involving phishing (DSIT 2025), measurably reducing staff susceptibility directly reduces overall breach risk — which is why AMVIA runs varied, evolving scenarios rather than a single repeated test.
Need Help With This?
AMVIA can assess your current position and recommend practical next steps.
Related Resources
Email Security and Phishing Protection for UK Businesses
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
The Complete Guide to Managed Cybersecurity for UK…
Comprehensive guide to cybersecurity for UK businesses. Expert advice, key considerations, and actionable steps to strengthen your…
What Is Email Security? A Guide for UK Business Owners
In-depth explainer on email security? a guide for uk business owners for UK businesses. Key concepts, best practices, and practical…
How to Protect Your Business from Phishing Attacks
In-depth explainer on how to protect your business from phishing attacks for UK businesses. Key concepts, best practices, and practical…
Protect your business → Get Cybersecurity Assessment