Can you spot the signs of a phishing scam?

Aqua’s new brainteaser challenges you to spot the signs of a phishing email, and shares expert advice on how to avoid getting scammed
Written by Victoria Smith and Vanessa Stewart
Published on February 24th, 2025
Last reviewed on February 25th, 2025

If you have an email account, it’s likely that you’ve been targeted by a phishing scam before. Phishing scams are the most common type of cybercrime around the world, with an estimated 3.4 billion emails a day sent by fraudsters looking to scam people.

Phishing involves cybercriminals posing as a legitimate organisation, most often by email, in an attempt to ‘fish’ for sensitive information. The email will often ask you to click on a link that takes you to a fake website, where you’ll be encouraged to enter details such as login credentials or bank details.

To further understand the impact of phishing scams, we surveyed Brits about their experiences, confidence in spotting scams, and detection strategies. Given how common these scams are, we've also created a brainteaser to test your scam-spotting skills and offer expert tips on avoiding phishing traps.

How common are online phishing scams in the UK?

Our survey revealed that around one in six (16%) people have personally experienced online fraud, and a quarter (25%) of people know someone who has been a victim of an online scam, demonstrating just how common these scams really are.

According to the survey, those aged 18 to 24 are the most likely to be the victim of an online scam, as over a quarter (27%) of this age group say they have personally experienced being caught out by an online scammer. This is closely followed by those aged 25 to 34, where 26% have reported the same. Meanwhile, those who are the least likely to be scammed online are those aged 55 to 64, with only 11% saying they have experienced this personally.

Victims of online scams are most common in London, where 23% of residents say they have personally been scammed, and 30% say they haven’t, but know someone who has. Northern Ireland follows close behind, with 21% saying they have experienced being scammed personally and 22% saying they haven’t, but know someone who has.

How confident are people that they could spot a phishing scam?

Scammers purposefully try to make their emails and texts look official to catch people out. Sometimes, it can be difficult to work out if an email or text is legitimate. But how confident are people in their ability to spot these scams?

Despite 16% of people in the UK having personally experienced a phishing scam, a substantial 91% say they’re confident they can spot a scam email or text, leaving almost one in ten (9%) admitting to being clueless about how to spot a scam.

Although they are the age group that is scammed the most, those aged 18 to 24 are the most confident in their ability to spot a scam email or text, with a staggering 94% saying they’re eagle-eyed about scams online. On the other hand, those aged 65 and over are the least confident about spotting phishing scams, with 12% saying they’re not confident when it comes to working out whether they’re being duped.

People in the South East of England and Wales are leading the way in scam awareness, with an impressive 93% confident in spotting phishing attempts. In contrast, residents of the South West are trailing behind, as 12% admit they have little to no confidence in identifying these types of scams.

How are people preventing being scammed?

As phishing scams continue to evolve, people are becoming more vigilant in their efforts to protect themselves.

Our survey revealed the various ways that people around the UK identify and prevent scams, showing key strategies that help reduce the risk of falling victim to fraud. Here's a look at the most common tactics people rely on to safeguard their information:

The most popular method for spotting scams is checking the sender’s email address. Over half of our respondents (57%) said they do this to minimise the risk of being scammed. This step helps individuals quickly identify if the message is likely to be fraudulent, as genuine emails from reputable companies usually come from recognisable, official domains.

Following closely behind, 56% say they pay attention to grammar and spelling in the message, as many scam emails contain errors. These mistakes can be a strong indicator that a message is not professionally written and may be fraudulent.

Any request for sensitive information, such as passwords or financial details, is a major warning sign. 47% of people in the UK check for this before deciding if it's a legitimate message or not. Another 47% check for personalised greetings, as scammers often use generic ones like "Dear Customer" to target many people at once. A personalised greeting can help confirm if the message is legitimate or a scam.

Checking whether or not the tone of the message is unusual is another tell-tale sign for 44% of people in the UK. The tone of a message can be a giveaway—scams often use exaggerated language to induce fear or urgency. An overly casual or formal tone from a well-known brand, or an email that sounds alarming, can indicate a scam.

Younger individuals (18-24) are particularly attentive to any signs of urgency or threats, with 33% considering this their primary indicator of fraud. This age group is likely aware of scare tactics often used in online scams and tends to focus on emotionally charged language as a warning sign. Meanwhile, those in the 25-34 age range take a proactive stance, with 26% reaching out directly to the organisation or sender to confirm a message’s legitimacy. This method allows them to sidestep potential scams by verifying information before engaging further.

Among 35-44 year olds, 45% say that reviewing grammar, spelling, and punctuation is their go-to strategy. This group may have a trained eye for professionally written content and can spot mistakes that often signal fraudulent messages. Individuals aged 45-54 prioritise checking the sender’s email address, with 60% relying on this approach. This group tends to focus on the source, scrutinising email addresses for any signs of forgery or obscure domain names. In the 55-64 age group, 42% prefer examining URL links to detect scams.

Finally, those 65 and older tend to rely on assessing the overall tone of a message. With 42% of this group favouring this approach, they focus on whether the tone feels appropriate for the supposed sender. Unusual phrasing or urgency might raise a red flag, helping them identify scams before they respond.

How often are people in the UK being sent scam messages?

Email scams are the most frequently received, with 12% of people reporting scam emails at least once a day, and 15% experiencing them a few times a week. Only 4% say they never receive email scams, indicating that email remains the primary channel for scammers.

Text scams are less frequent but still common, with 4% receiving them daily and 10% encountering them a few times each week. About 22% experience text scams only a few times a year, making this type of scam less frequent for many compared to emails.

Phone scams are also less frequent than email but affect a significant portion of people. Around 12% report receiving these a few times a week, and 4% report daily calls. Notably, phone scams tend to be more infrequent for some, with 20% saying they only get them a few times a year.

The most common signs of a phishing scam

  • It doesn’t address you by name. Phishing emails are usually sent to thousands of people at a time, meaning they aren’t personalised. Instead of addressing you by name, the email might say ‘Dear Sir/Madam’ or ‘Dear Customer’.
  • The sender’s email address looks suspicious. A very long or unusual email address is a red flag — as is one sent from a service like Gmail or Hotmail. Legitimate organisations usually have their own email domain; for example, a message from Amazon will come from ‘@amazon.com’.

    It’s important to note that it sometimes won’t be obvious that the email address is fake. Make sure you’re checking it aligns with the site’s domain name, and you can also check the site’s ‘contact’ page to ensure the email matches.

  • It sounds urgent or threatening. Scammers often try to create a sense of urgency to pressure you into responding quickly. They want you to rush into giving them the information they want before you have time to realise you’re being scammed. If the email says something like ‘urgent action required’ or threatens negative consequences if you don’t respond now, it’s likely to be phishing.
  • It’s full of spelling and grammar mistakes. Poor spelling and grammar, or mistakes in the company’s name (such as a misspelt brand name or one with no capitalisation), are classic signs of a phishing scam.
  • It includes unclear links. Phishing emails will almost always encourage you to click on a link (or alternatively download an attached file). Often, the link will be shortened or scrambled so it isn’t clear where it’s taking you. If you’re ever unsure where a link leads, play it safe and don’t click on it.
  • It asks you for personal or sensitive information. The aim of a phishing scam is to steal sensitive information from you, such as login details or bank information. It might ask you to visit a link, where you’ll be directed to a fake landing page asking you to log in to your account or provide payment details. A genuine organisation will never ask for personal information such as your password, card number or address like this.
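The signs listed above can also be checked mechanically. The following Python sketch is an added example, not part of the original article: the word lists, the `example.com` organisation domain and the function names are assumptions made for illustration, and the spelling-and-grammar sign is left out. It shows why a sender or link domain should be compared as a suffix of the organisation's real domain rather than searched for as a substring.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative lists and patterns: assumptions for this example, not from the article.
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
BODY_CHECKS = [
    (re.compile(r"^\s*dear\s+(customer|sir/madam|user)\b", re.I | re.M), "generic greeting"),
    (re.compile(r"urgent action required|account will be suspended", re.I), "urgent or threatening language"),
    (re.compile(r"\b(password|card number|pin|bank details)\b", re.I), "asks for sensitive information"),
]
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it (suffix match, not substring)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_signs(raw_message, expected_domain):
    """Return the warning signs found in a raw, non-multipart plain-text email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = []
    if sender_domain in FREE_MAIL:
        signs.append("sender uses a free webmail service")
    elif not under_domain(sender_domain, expected_domain):
        signs.append("sender domain does not match the organisation")
    signs += [label for pattern, label in BODY_CHECKS if pattern.search(body)]
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            signs.append("shortened link: " + host)
        elif not under_domain(host, expected_domain):
            signs.append("link leaves the organisation's domain: " + host)
    return signs

# Constructed sample messages (reserved example domains, not real emails).
PHISH = (
    "From: Example Bank <alerts.examplebank@gmail.com>\n"
    "Subject: Urgent action required\n\n"
    "Dear Customer,\nUrgent action required: confirm your password at\n"
    "http://example.com.account-check.example/login or http://bit.ly/EXAMPLE\n"
)
LEGIT = (
    "From: Example Bank <statements@mail.example.com>\n\n"
    "Dear Ms Patel,\nYour statement is ready at https://www.example.com/statements\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_signs(raw, "example.com"))
```

The first link in the constructed phishing sample begins with the organisation's name but actually belongs to a different domain, which is the case a quick visual check tends to miss.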

Can you spot the signs of a phishing scam?

Three of the emails below are examples of phishing emails. Can you spot which ones are the scams, and what makes them fraudulent?

[Image: table of example emails for the phishing brainteaser]

Top tips to avoid getting phished

Danny Clark, Head of Fraud at Aqua says, “Phishing scams are more sophisticated than they used to be, and it can be hard to identify a malicious email at first glance. It’s important to read all emails carefully and look out for the tell-tale signs of phishing to avoid falling victim to a scam.

“If you do receive an email that looks suspicious, always take the following steps to protect yourself and stay safe online:

1. Don’t rush to act

“If you receive an urgent message or email that demands immediate action, resist the impulse to act hastily. Phishing attempts often create a sense of urgency to manipulate individuals into making impulsive decisions. Take a moment to carefully evaluate the situation, independently verify the request, and reach out to the supposed sender through trusted communication channels to confirm the legitimacy of the message.”

2. Check the sender’s email address

“Phishers often use email addresses that may look like legitimate ones but have subtle variations or misspellings. Be wary of generic or suspicious email addresses, as reputable organisations usually use official domains. When in doubt, look up the contact information of the organisation and check if it matches the email you received.”

3. Don’t click on any links

“Instead of clicking on any links directly, open a new browser window and manually search for the official website of the supposed sender. Or, look at any official letters you’ve received, such as a bank statement, to find the website and type it directly into the address bar. This way, you can ensure you’re accessing the authentic website and not falling prey to a phishing link.”

4. Trust your gut

“If an email appears too good to be true or raises suspicions, trust your instincts. Phishers often use enticing offers, fake rewards, or false claims to lure individuals into their scams. Take a step back and critically evaluate the content of the message. If something feels off or the email triggers a sense of unease, it's better to play it safe.”

5. Delete and mark the email as a scam

“If you think you are being targeted by phishing, you should mark it as a phishing scam, if possible, and delete the email. This not only helps protect you but also helps improve the email filtering systems, preventing similar messages from reaching others.”

Other types of scams to watch out for

Smishing

Smishing (or ‘SMS phishing’) is a type of scam similar to email phishing, but carried out over text messages. Cybercriminals send fraudulent texts designed to steal your personal data, which — just like phishing — often claim to be from a reputable organisation.

Key signs of smishing to watch out for include:

  • Suspicious links, which may be shortened or scrambled to make it unclear where they’re taking you
  • A number you don’t recognise, especially if it includes an unfamiliar area code
  • Poor spelling and grammar
  • Sense of urgency
  • Requests for sensitive information – real organisations like banks would never ask for this over a text message

If you receive a suspicious text message, never click on any links or attachments. If the text claims to be from an organisation such as your bank, contact them independently using the contact details on their official website.

Vishing

The name vishing is a combination of ‘voice’ and ‘phishing’. It describes a type of scam that takes place over a phone call. Just like phishing and smishing, these scams aim to manipulate you into sharing sensitive information.

Vishing can be more difficult to spot than other types of scam, as it can be very convincing. However, there are some tell-tale signs to look out for:

  • A call from an unknown number, or a number that you don’t recognise
  • Poor audio quality, or a voice that sounds fake or robotic
  • Asking you to share sensitive information – real organisations like banks or the government would never ask for this over the phone
  • Asking you to download software or grant remote access to your device(s)
  • Using threatening or intimidating language to pressure you into sharing information

If you receive an unsolicited call from someone claiming to be from your bank, or a similar organisation, always be vigilant. If in doubt, hang up and call the company back from the number listed on their official website.

What to do if you think you’ve been phished

If you suspect that you have fallen victim to a phishing attempt, it's essential to take immediate steps to mitigate potential damage. Firstly, change your passwords for the affected accounts. Use strong, unique passwords to enhance your account security.

Next, inform your bank if any financial transactions were involved, and follow their guidance on securing your accounts. You should also report the phishing attempt to the legitimate organisation being impersonated, as they may take measures to alert other users and enhance their security protocols.

Brainteaser answer

Think you managed to spot all the signs of a phishing scam hidden throughout our brainteaser? Take a look at the answers below to see how you did.

1. Top left = Written with a sense of urgency, and contains spelling mistakes

2. Middle = Asks for personal information, written with a sense of urgency, and doesn’t address you by your name

3. Bottom left = Asks for sensitive information, and doesn’t address you by your name

Contributors

Victoria Smith

Victoria is an editor at Aqua.

Vanessa Stewart

Vanessa is an editor at Aqua.
