How to Recognise a Phishing Email: Guide for UK Staff

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Why Recognising Phishing Matters

Phishing is the starting point for approximately 85% of all cyberattacks. Despite advances in email filtering technology, phishing emails continue to reach inboxes — and a single click can lead to credential theft, ransomware infection, or financial fraud. Training staff to recognise phishing is one of the highest-value investments a UK business can make in its cybersecurity.

The Warning Signs of a Phishing Email

Spoofed or Suspicious Sender Address

Always check the actual email address, not just the display name. Attackers commonly set the display name to something familiar (such as a colleague's name or a bank's brand name) while sending from a completely different domain. Look for subtle misspellings such as amv1a.co.uk instead of amvia.co.uk, or domains that add words like -secure or -support.

Urgency and Pressure Tactics

Phishing emails typically create a sense of urgency to prevent the recipient from thinking carefully. Common phrases include "Your account will be suspended within 24 hours", "Immediate action required", or "You must respond today." Legitimate organisations rarely demand instant action by email without any prior notice.

Suspicious Links and Attachments

Hover over any link before clicking to see where it actually leads. A link that displays as "Microsoft Login" may point to a completely unrelated domain. Be especially cautious with shortened URLs (bit.ly, tinyurl.com), which hide the real destination, and with links in unexpected emails. Unexpected attachments, particularly ZIP files, macro-enabled Office documents, or executable files, should never be opened without verification.
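To make the sender-address check and the link check above concrete, here is an added Python example that is not part of the AMVIA guide. It inspects a From: header and an HTML body and flags the warning signs described: a display name that claims a trusted brand while the address comes from elsewhere, lookalike domains such as amv1a.co.uk or amvia-secure.co.uk, URL shorteners, and link text naming a brand while the href goes to another host. The allow-list of trusted domains is a constructed assumption for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the domains this organisation trusts and the
# URL shorteners the guide warns about. Replace with your own allow-list.
TRUSTED_DOMAINS = {"amvia.co.uk", "microsoft.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character swaps like amv1a/amvia."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def check_sender(from_header):
    """Findings for a From: header; an empty list means nothing looked wrong."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_trusted(domain):
        return []
    findings = []
    stripped = re.sub(r"-(secure|support)", "", domain)  # amvia-secure.co.uk -> amvia.co.uk
    for t in TRUSTED_DOMAINS:
        if stripped == t or edit_distance(domain, t) == 1:
            findings.append(f"sender domain {domain!r} looks like {t!r}")
        elif t.split(".")[0] in name.lower():
            findings.append(f"display name {name!r} claims {t!r} but address is {addr!r}")
    return findings

def check_links(html):
    """Findings per link: shorteners, and brand-named link text whose href goes elsewhere."""
    findings = []
    # The regex suits this constructed sample; real mail bodies need a proper HTML parser.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip().lower()  # drop nested tags
        if host in SHORTENERS:
            findings.append(f"shortened URL {href!r} hides its destination")
        elif any(t.split(".")[0] in text for t in TRUSTED_DOMAINS) and not is_trusted(host):
            findings.append(f"link text {text!r} actually goes to {host!r}")
    return findings
```

Run `check_sender` and `check_links` over a constructed message such as `"AMVIA Billing <accounts@amv1a.co.uk>"` with a body linking "Microsoft Login" to an unrelated host, and each returns one finding; a genuine `jane@amvia.co.uk` sender or a link to `login.microsoft.com` returns none.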

Grammar and Formatting Errors

While AI tools have reduced the frequency of obvious grammar errors in phishing emails, many still contain awkward phrasing, inconsistent capitalisation, unusual punctuation, or formatting that differs from what a genuine organisation would send. A poorly formatted "invoice" from a known supplier is a red flag worth investigating.

Requests for Credentials or Personal Information

Legitimate services — including banks, HMRC, Microsoft, and your own IT team — will never ask you to provide your password by email. Any email requesting login credentials, credit card numbers, or sensitive personal data should be treated as highly suspicious regardless of how official it appears.

Spear Phishing vs Generic Phishing

Generic phishing campaigns are sent in bulk with minimal personalisation. Spear phishing is targeted: the attacker researches their specific victim using LinkedIn, company websites, and social media to craft a believable message. A spear phishing email might reference your actual job title, your manager's name, or a project you are known to be working on. These attacks are much harder to detect and are increasingly used against UK SMEs.

What to Do If You Receive a Suspicious Email

  • Do not click any links or open any attachments
  • Do not reply to the email or provide any information
  • Report it using your organisation's suspicious email reporting process (in Microsoft 365, use the Report Message button)
  • If you are unsure whether an email is genuine, contact the sender through a known phone number or a separately typed web address — not by replying or using contact details within the email
  • If you have already clicked a link or entered credentials, notify your IT team immediately so they can act quickly to contain any damage

Phishing Simulation Training

Reading about phishing is helpful, but the most effective training involves realistic simulations. AMVIA deploys phishing simulation campaigns that send safe, fake phishing emails to staff and measure click rates. Employees who click receive immediate, contextual training at the point of failure. Over time, simulation training measurably reduces phishing susceptibility across the organisation.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.
