How to spot phishing emails, texts, and scam messages
Phishing tricks you into handing over passwords or money by pretending to be someone you trust. Learn the tell-tale signs.
Phishing is when a scammer pretends to be a person or company you trust — your bank, a delivery firm, a government office, even a family member — to trick you into clicking a bad link, entering your password, or sending money. It arrives by email, text message, phone call, or social media.
The good news: almost every phishing attempt shares the same warning signs. Once you know them, they become easy to spot.
The four questions to ask every message
- Is it trying to make me panic or rush?
- Is it asking for a password, code, or payment?
- Does the sender or link look slightly off?
- Did I expect this message at all?
The classic warning signs
A false sense of urgency
"Your account will be closed in 24 hours." "Suspicious activity detected — act now." Scammers want you scared and rushing, because a rushing brain does not stop to check. Real organisations give you time.
A request for secret information
No legitimate bank, tax office, or company will ever ask for your full password, your PIN, or a one-time security code. If a message or caller asks for these, it is a scam — full stop.
A link that does not match
The text might say your-bank.com but the real destination is elsewhere. On a computer, hover over the link without clicking to see the true address. On a phone, press and hold to preview it. Watch for lookalikes: paypa1.com, amaz0n-support.net.
The golden rule
Never log in or pay through a link in a message you did not expect. Go to the company yourself — type their address into your browser, use their official app, or call the number on the back of your card. This one habit defeats almost all phishing.
What to do with a suspicious message
- Stop. Do not click, reply, or call the number in the message.
- Check independently through official channels you find yourself.
- Report it — most email apps have a report button, and many countries let you forward scam texts to a short number such as 7726. See our reporting directory.
- Delete it.
If you already clicked
Act quickly, without panic: change the password on the affected account (and anywhere you reused it), turn on two-factor login, and if you entered card details, call your bank. Our article on recovering from a breach walks through it step by step.