Scams & Phishing May 1, 2026

How Phishing Emails Have Changed And What Still Gives Them Away

A long-form guide to modern phishing emails, AI-written scams, warning signs, reporting routes and practical checks for UK readers.

Phishing emails have changed because the tools available to criminals have changed. Messages can now be cleaner, more personal and more timely than the broken-English scams many people still imagine. If your organisation needs a broader set of controls, start with our cybersecurity checklist for small UK businesses, then use this guide to improve how people spot and report suspicious messages.

The NCSC guidance on spotting scam messages explains that scams often use authority, urgency, emotion, scarcity and current events. Those patterns still matter, even when the email looks professional.

Why phishing is harder to spot now

Older advice often focused on spelling mistakes, strange formatting and suspicious attachments. Those clues still exist, but they are no longer enough. AI writing tools, stolen branding, leaked personal data and automated targeting help criminals create messages that look routine.

Modern phishing may arrive as a supplier invoice, HR document, parcel update, Microsoft 365 login alert, bank message, tax notice, recruitment request or shared file. It may reference real events or use the name of someone you know.

A polished email is not proof of legitimacy. Scammers can now write well, copy branding and use real context.

The warning signs that still matter

  • Urgency: a deadline, penalty or threat pushes you to act quickly.
  • Authority: the message claims to come from a bank, manager, supplier or government body.
  • Emotion: fear, hope, curiosity or embarrassment is used to override judgement.
  • Secrecy: you are told not to check with anyone else.
  • Unusual action: payment changes, password entry, file download or MFA approval.
  • Channel mismatch: the request arrives through an unexpected email, text or chat.

How AI changes phishing

AI can help attackers write better emails, create variations quickly and adapt tone to the target. It can also help with voice scams and impersonation. That does not mean every phishing email uses AI, but it does mean old quality signals are less reliable.

This is why security awareness should include voice and deepfake risk. For example, our guide to AI voice scams explains how emotional urgency can move from email into phone calls.

How to check a suspicious message

Checking should be a process, not a feeling. If the message asks for money, credentials, sensitive files or urgent action, slow down and verify through another route. Do not use phone numbers or links inside the suspicious message. Use an official website, saved contact or known internal channel.

Check             What to do
Sender            Look beyond the display name; check the actual address
Link              Open the service directly rather than using the message link
Attachment        Confirm with the sender through another channel
Payment request   Use a known phone number and second approval
MFA prompt        Reject unexpected prompts and report them
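As an added example that is not part of the original guide, the Python below applies the Sender and Link rows of the table to a raw email using only the standard library: it looks past the display name to the real address, compares Reply-To with the sending domain, and compares the host a link shows with the host it actually points to. The message and every domain in it are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every domain in it is made up for illustration.
SAMPLE_EML = """\
From: "Payments Team <payments@bank.example>" <alerts@login-check.example>
Reply-To: helpdesk@another.example
Subject: Action required: confirm your account today
Content-Type: text/html; charset=utf-8

<p>Please sign in at <a href="https://secure-login.example/x">https://bank.example/login</a>
before 5pm or your access will be suspended.</p>
"""

DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def host_of(text):
    # Only treat visible link text as a host if it looks like a URL or bare domain.
    host = urlparse(text if "://" in text else "//" + text).hostname or ""
    return host if DOMAIN_RE.fullmatch(host) else None

def check_message(raw):
    """Return a list of findings; an empty list means no mismatch was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, actual = parseaddr(str(msg.get("From", "")))
    # Sender check: a display name that carries a domain other than the real
    # sending domain is the "look beyond the display name" case in the table.
    for hinted in DOMAIN_RE.findall(display.lower()):
        if hinted != domain_of(actual):
            findings.append(f"display name suggests {hinted} but sender is {actual}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != domain_of(actual):
        findings.append(f"Reply-To {reply_to} differs from sender domain {domain_of(actual)}")
    # Link check: the visible text names one host while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown = host_of(re.sub(r"<[^>]+>", "", text).strip())
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
    return findings
```

Run against the constructed message it reports three findings (display name, Reply-To and link mismatch); the same checks can be wired into a mail-gateway rule or a report-button triage script.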

Reporting phishing in the UK

The NCSC phishing guidance explains how to report scam emails, texts, websites, adverts and phone calls. Reporting matters because it can help take down malicious infrastructure and protect other users.

Inside a business, reporting should be easier than ignoring. Staff should know where to send suspicious messages and should receive a calm response when they make a report. A blame-heavy culture makes phishing harder to detect.

What to do if someone clicked

If someone clicked a link or entered details, the first step is not blame. Capture what happened, change the affected password from a clean device, revoke active sessions, enable MFA if missing and contact the bank or provider if payment or account access is involved.

  • Do not delete the original message immediately.
  • Record the time and account affected.
  • Change passwords and revoke sessions.
  • Check mailbox forwarding rules.
  • Report the scam through appropriate routes.

How businesses should reduce phishing risk

Training matters, but it should be supported by process. Payment verification, MFA, password managers, email security and incident planning all reduce damage. Link phishing controls with cyber risk management, not just annual training.

Finance, HR, leadership and customer support teams may need extra scenarios because they handle money, personal data and public communication. Test the process with realistic examples such as supplier bank changes, payroll requests and shared document links.

Frequently asked questions

Are phishing emails always obvious?

No. Many are now well-written and visually convincing. The action requested is often more revealing than the design quality.

Should staff report messages they are unsure about?

Yes. A near miss is useful information. Reporting uncertain messages helps the organisation understand what is reaching inboxes.

Can MFA stop phishing?

MFA reduces risk but does not remove it. Attackers may use fake login pages, MFA fatigue or session theft. MFA should be combined with reporting and verification habits.

Next steps

Update your phishing guidance so it reflects modern scams: cleaner writing, AI-enabled impersonation, QR codes, voice pressure and supplier fraud. The best defence is a team that knows how to pause and verify.

For home and family contexts, phishing awareness also connects with our parents' guide to keeping children safer online, because many pressure tactics now appear in games, chats and social messages.

Why modern phishing is harder to spot

Older phishing advice often focused on spelling mistakes, strange formatting and obviously fake sender names. Those clues can still appear, but they are no longer enough. Criminals can now create polished copy, copy brand tone, translate messages, personalise details and time attacks around real events. A message can look tidy and still be malicious.

The strongest clue is often the request, not the writing. Does the message ask you to move money, open a file, reset a password, approve a login, scan a QR code, share a code or act urgently? Does it create pressure by pretending to be a boss, supplier, bank, courier, school, tax authority or platform? If the request creates risk, verify it through another route.

Good grammar is not a security signal. A risky request still needs verification.

The new phishing formats

Phishing is no longer just email. It appears through text messages, WhatsApp, social DMs, QR codes, collaboration tools, shared documents, fake calendar invites and voice calls. Attackers follow attention. If a team works in Microsoft Teams, Slack, Google Workspace or a project management platform, scams may appear there too.

Format    Common trick                                   Best response
Email     Fake invoice, password reset, document share   Check sender, link destination and request
SMS       Delivery, bank, tax or parking message         Use the official app or website, not the link
QR code   Fake login or payment page                     Verify destination before entering details
Voice     Urgent executive or family impersonation       Call back on a known number or use a code word

How AI changes phishing

AI helps attackers scale quality. It can generate credible messages for different sectors, rewrite emails in a local tone, summarise stolen information and produce scripts for calls. It can also help criminals test variations quickly. The result is not necessarily a completely new crime, but a faster and more convincing version of an old one.

That means training needs to move beyond “spot the typo”. People should learn to question context, pressure and verification. A message from a known supplier can still be dangerous if the supplier account was compromised. A message from a colleague can still be suspicious if it asks for something unusual.

Verification rules for teams

Every organisation should define a few requests that are never actioned from a message alone. Payment-detail changes, urgent bank transfers, password resets, MFA code requests, sensitive data exports and new supplier onboarding should always require a second check. The second check must use a trusted channel, not the contact details supplied in the suspicious message.

  • Call a known number from your records, not a number in the email.
  • Open the website by typing the address or using a bookmark.
  • Confirm supplier bank changes with an existing contact.
  • Never share MFA codes with anyone, including “support”.
  • Report suspicious messages instead of simply deleting them.

What to include in phishing training

Training works best when it uses examples close to the person’s job. Finance teams need invoice and supplier examples. HR teams need CV, payroll and employee-data examples. Leadership needs impersonation and board-document examples. Customer support needs account recovery and refund examples. Generic examples are useful, but role-specific examples create better judgement.

Keep training short and repeated. One annual module is easy to forget. A five-minute monthly example, a quick team discussion or a screenshot of a real blocked attempt can be more useful. The goal is to make reporting normal, not to embarrass people who click.

What to do after someone clicks

Speed matters. If someone clicks a suspicious link, enters a password, opens a file or shares a code, they should report it immediately. The business can then reset passwords, revoke sessions, check mailbox rules, review sign-in logs, scan the device and warn others. A blame-heavy culture delays reporting and makes damage worse.

The safest employee is not the one who never makes a mistake. It is the one who reports quickly when something feels wrong.

Personal phishing habits

For individuals, the best habits are simple. Use a password manager so fake sites are easier to notice. Turn on MFA. Keep devices updated. Be cautious with links in urgent messages. Check delivery, banking and tax messages through official apps. Do not share codes. Slow down when a message creates fear, excitement or pressure.

Modern phishing succeeds because it interrupts people during real life. Better habits create a pause. That pause is often enough to stop the attack.

Use reporting as a security control

Reporting is one of the most underrated phishing controls. When one person reports a suspicious message, the whole organisation can benefit. IT can block the sender, remove similar messages, warn other staff and check whether anyone interacted with the link. A message that looks like a nuisance to one person may be part of a wider campaign.

Make reporting easy. Use a phishing report button where possible, or a dedicated email address if not. Tell staff what happens after they report. Thank people for reporting even if the message turns out to be harmless. This builds trust and encourages speed.

Metrics that matter

Avoid measuring phishing training only by click rates. Click rates can be useful, but they do not tell the whole story. Reporting rate, reporting speed and repeat themes are often more valuable. If people report quickly, the business can contain attacks faster. If many reports involve QR codes or fake invoices, training can focus there.

Metric             Why it matters
Reporting rate     Shows whether people participate in defence
Time to report     Shows how quickly the business can respond
Repeated themes    Shows what training and controls should address next

Good metrics support better conversations. They show whether the security culture is improving, not whether people can be blamed for a single mistake.

Controls that reduce damage after a phishing attempt

Even strong training will not stop every attempt, so technical controls matter too. MFA reduces the value of stolen passwords. Conditional access can challenge unusual logins. Email filtering can block known malicious links and attachments. Domain protection such as SPF, DKIM and DMARC can make spoofing harder. Browser and endpoint protection can reduce the chance that a malicious file causes wider compromise.
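As an added example that is not from the original guide, the Python below reads an SPF and DMARC record pair the way a receiving mail system would, with a weak configuration beside a hardened one, and lists what leaves the domain open to spoofing. The records and domain names are constructed; a real check would fetch the TXT records from DNS.

```python
# Constructed records for a made-up domain; a real check would fetch the TXT
# records for the domain itself (SPF) and for _dmarc.<domain> (DMARC).
RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailer.example +all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@company.example; adkim=s; aspf=s",
    },
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf, dmarc):
    """Return the weaknesses found; an empty list means both records enforce."""
    issues = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("no SPF record: receivers cannot tell which servers may send")
    else:
        final = terms[-1].lower()  # the 'all' mechanism decides the default verdict
        if final in ("+all", "all"):
            issues.append("SPF ends with +all: any server in the world passes")
        elif final == "?all":
            issues.append("SPF ends with ?all: neutral result, no protection")
        elif final not in ("-all", "~all"):
            issues.append("SPF does not end with an 'all' mechanism")
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("no DMARC record: receivers get no instruction for failures")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            issues.append(f"DMARC p={policy or 'missing'}: spoofed mail is still delivered")
        if "rua" not in tags:
            issues.append("DMARC has no rua: no aggregate reports to reveal abuse")
        if tags.get("pct", "100") != "100":
            issues.append(f"DMARC pct={tags['pct']}: policy applies to only part of the mail")
    return issues
```

The hardened pair returns no issues; the weak pair reports the permissive +all, the p=none policy and the missing aggregate-report address, which is exactly what a spoofed supplier or HR message relies on.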

These controls do not replace judgement, but they create layers. If one person makes a mistake, the next layer can still prevent a full incident. That layered approach is especially important now that phishing is more polished, more targeted and more likely to appear across several channels at once.
