Is this email a scam?
UK phishing emails follow seven repeating patterns. Spot any two and walk away — or paste the email into SilentID Safety Check for a verdict against 14 fraud signals.
An email is likely a scam if the sender display name does not match the actual address, the link goes to a lookalike or recently-registered domain, the greeting is generic, it carries urgency or a threat, or it asks for full bank details, passwords or one-time codes. Paste the email body or the link into SilentID Safety Check in the app — 3 free checks per day, no signup. Forward UK phishing to report@phishing.gov.uk (NCSC).
Why phishing email is still the dominant UK scam channel
Despite the rise of smishing and marketplace fraud, email phishing remains the single largest UK cybercrime category by volume. UK Finance puts annual UK fraud losses at over £2.7 billion and the National Cyber Security Centre’s Suspicious Email Reporting Service has taken down millions of phishing pages off the back of public reports — every forwarded email matters (Source: NCSC).
The good news: 2026 phishing emails still rely on a small, repeating set of templates and tells. Once you can spot the patterns, you can clear most of them at a glance.
How to check a suspicious email in the SilentID app
- 01. Don't click any link or open any attachment. Just looking at an HTML preview is usually safe. Clicking, downloading or replying are the danger zones.
- 02. Copy the email body or the suspicious link. On a phone, long-press the link and choose Copy. Or copy the entire email body text.
- 03. Paste into SilentID Safety Check. Open the SilentID app, tap Safety Check, paste. The check screens sender patterns, link reputation, brand-impersonation and phishing-database hits.
- 04. Read the verdict — and forward to NCSC. If 'Suspicious' or 'Likely scam', forward the original email to report@phishing.gov.uk to help NCSC take down the page. Then delete.
7 phishing email signals — UK 2026
The patterns NCSC, Action Fraud and bank fraud teams see most often. Two or more usually means delete-and-report.
Display name vs actual sender mismatch
From-name reads "HMRC" or "Lloyds Bank" but the actual address is a free Gmail/Outlook or a random unrelated domain. Tap or hover the sender name to reveal the real address.
Lookalike or recently-registered domain
Examples: rnyaccount-lloyds.co.uk, hmrc-rebate.top, dpd-redelivery.shop. These are punycode tricks, typosquats and free TLDs designed to mimic UK brands.
Generic greeting and missing personalisation
"Dear Customer", "Dear Account Holder", "Hi there". Genuine UK banks, HMRC and delivery firms address you by name and reference your account number or order ID.
Urgent action or threat
"Account will be suspended in 24 hours", "Last chance to claim your refund", "Failure to act will result in legal proceedings". Pressure short-circuits the pause-and-check habit.
Link goes somewhere other than the brand
Hover the link (don't click) — the preview should match the brand's real domain. If it goes via bit.ly, tinyurl, a long random string or a different domain entirely, treat it as phishing.
Unexpected attachment or invoice
PDF, .docx, .zip or HTML attachments from senders you don't recognise. Common payload types: invoice scams (BEC), credential-harvesting HTML pages, ransomware droppers.
Asks for full bank details, password or one-time code
No legitimate UK bank, HMRC, Royal Mail, NHS or platform will ever email asking for full card details, account passwords or one-time security codes. Action Fraud lists this as the single clearest tell.
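The signals above can be screened mechanically. The sketch below is an added example, not SilentID's code and not part of the original guide: it parses a raw email and reports which of the patterns fire, then applies the two-or-more rule. The brand allow-list, the regular expressions, the function names and the sample message are assumptions made for illustration, and encoded (base64 or quoted-printable) body parts are not decoded.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list; royalmail.com and dpd.co.uk come from the page, gov.uk is an assumption.
BRAND_DOMAINS = {"royalmail": {"royalmail.com"}, "dpd": {"dpd.co.uk"}, "hmrc": {"gov.uk"}}
SHORTENERS = {"bit.ly", "tinyurl.com"}
GENERIC = re.compile(r"\b(dear (customer|account holder)|hi there)\b", re.I)
URGENT = re.compile(r"suspended in \d+ hours|last chance|legal proceedings", re.I)
SECRETS = re.compile(r"one[- ]time (security )?code|password|full (card|bank) details", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN = re.compile(r"[\w-]+(\.[\w-]+)*\.[a-z]{2,}", re.I)

def under(host, domains):  # host is one of the domains, or a subdomain of one
    return any(host == d or host.endswith("." + d) for d in domains)

def spoofs_brand(text, host):  # text names a listed brand, host is not that brand's
    squashed = re.sub(r"[^a-z]", "", text.lower())
    return any(b in squashed and not under(host, d) for b, d in BRAND_DOMAINS.items())

def phishing_signals(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hits = set()
    if spoofs_brand(name, addr.rpartition("@")[2].lower()):
        hits.add("display name mismatch")
    for label, rx in (("generic greeting", GENERIC), ("urgency", URGENT),
                      ("asks for secrets", SECRETS)):
        if rx.search(body):
            hits.add(label)
    for href, text in LINK.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = SHOWN.search(text)  # a domain printed in the visible link text, if any
        if host in SHORTENERS or "xn--" in host or spoofs_brand(host, host):
            hits.add("lookalike or shortened link")
        if shown and not under(host, {shown.group(0).lower().removeprefix("www.")}):
            hits.add("link text does not match target")
    return hits

def verdict(raw):  # the guide's rule of thumb: two or more signals
    return "delete and report" if len(phishing_signals(raw)) >= 2 else "no pattern matched"

# Constructed sample email, not a real message.
SAMPLE = """From: "DPD Delivery" <dpd.notice@gmail.com>
Content-Type: text/html

<p>Dear Customer, your parcel could not be delivered. Last chance to reschedule:
<a href="https://dpd-redelivery.shop/pay">dpd.co.uk/reschedule</a>. Enter the one-time code.</p>
"""
```

Calling `verdict(SAMPLE)` returns "delete and report"; `phishing_signals(SAMPLE)` lists the individual patterns that matched.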
Common UK phishing email templates
HMRC tax rebate
“You are due a refund of £X.YZ. Click here to claim before [date].” Genuine HMRC never emails or texts about rebates — they post a letter or notify via your Government Gateway account, never via an email link.
Royal Mail / DPD redelivery
“Your parcel could not be delivered. Pay a small surcharge to reschedule.” The link asks for card details and a one-time code. Royal Mail and DPD do not email surcharge requests — and their pay pages live on royalmail.com / dpd.co.uk only.
Bank security alert
“Suspicious activity detected on your account. Verify now to avoid suspension.” The link goes to a polished lookalike of your bank’s login page that captures username, password and one-time code in real time. If in doubt, call the number on the back of your card.
Invoice / business email compromise
For business accounts: a forwarded invoice from a supplier with updated bank details. The supplier’s real email account has been compromised; the new bank account belongs to the fraudster. Always verify any change of banking details by phone, not email.
How to report a scam email in the UK
- Forward the email to report@phishing.gov.uk — NCSC’s SERS service. Free, anonymous, takes down the page.
- Report to Action Fraud via actionfraud.police.uk or 0300 123 2040 — required if you’ve clicked, paid or shared details.
- Tell your bank’s fraud team immediately if money has left your account. Number is on the back of your card.
- Generate a PDF evidence pack in SilentID Pro — designed to be accepted by Action Fraud, the bank and the impersonated brand.
Reviewed by the SilentID editorial team. We update each guide quarterly with new UK fraud data.