Cybersecurity for SMEs | Phishing Protection | How To Spot A Phishing Email | Anti Phishing | Mason Infotech

How To Spot A Phish

08/05/2025

One of the most common and damaging forms of cyber fraud is phishing. SMEs across the country are increasingly being targeted, and are discovering that cybercrime is no longer directed only at large corporates and tech giants. Understanding how to spot a phishing attempt is therefore business critical for the owners and leaders of SMEs.

Phishing is a cyber attack that attempts to trick individuals into revealing sensitive information such as passwords, bank details, or company data. It usually arrives via email but can also come through text messages (smishing), phone calls (vishing), or even social media. The attacker pretends to be a trustworthy entity like HMRC, your bank, a supplier, or even a colleague to lure the recipient into clicking a malicious link or downloading a harmful attachment.

Many SMEs operate without a dedicated IT team or comprehensive cyber training. Attackers know this. They see smaller organisations as low-hanging fruit—less defended, often more trusting, and yet still connected to valuable financial or client information. One successful phishing email can open the door to ransomware, financial theft, or data breaches.

Here are some of the telltale signs of a phishing email:

1. Generic Greetings and Urgency:

Phishing emails often use vague greetings like "Dear Customer" or "Dear Sir/Madam." They may also create a false sense of urgency—“Your account will be suspended in 24 hours!”—to prompt rash decisions.

2. Suspicious Sender Address:

Look beyond the display name. Hover over (but don’t click) the sender’s email address. A legitimate message from HMRC, for example, won’t come from “hmrc-taxrefunds@hotmail.com.”

3. Poor Grammar and Spelling:

Many phishing emails originate from overseas and contain clumsy language or awkward phrasing. This is often a sign of an illegitimate message.

4. Unexpected Attachments or Links:

If you weren’t expecting a file or link—especially if it asks for a login or download—be wary. Don’t open attachments or click links without verifying their source.

5. Requests for Sensitive Information:

Legitimate organisations will never ask for passwords, bank details, or PINs via email. Any email doing so should raise immediate suspicion.
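As an added illustration (not part of Mason Infotech's article), the following Python checker applies the signs listed above to a raw email: it compares the display name against the sender's real domain, looks for generic greetings, urgency wording, links leading away from the sender's domain, and requests for credentials or bank details. The impersonated-organisation list, the free-webmail list and the sample message are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Impersonated organisations and the domains they really send from (constructed, illustrative list).
KNOWN_SENDERS = {"hmrc": "gov.uk", "companies house": "gov.uk"}
FREE_WEBMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|sir/madam|user|client)\b", re.I | re.M)
URGENCY = re.compile(r"\b(within 24 hours|immediately|suspended|final notice|act now)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|bank details|sort code|account number|card number)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def phishing_signals(raw_email: str) -> list[str]:
    """Return the telltale signs found in one raw RFC 5322 message (heuristics, not proof)."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    signals = []
    if GENERIC_GREETING.search(body):  # sign 1: vague salutation
        signals.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):  # sign 1: pressure to act fast
        signals.append("false urgency")
    for brand, domain in KNOWN_SENDERS.items():  # sign 2: display name claims an organisation the address does not match
        if brand in display_name.lower() and not in_domain(sender_domain, domain):
            signals.append(f"sender claims {brand} but domain is {sender_domain}")
    if sender_domain in FREE_WEBMAIL:
        signals.append("sender uses free webmail domain")
    for host in URL_HOST.findall(body):  # sign 4: link leads away from the sender's own domain
        host = host.lower().split(":")[0]
        if not in_domain(host, sender_domain):
            signals.append(f"link to unrelated domain {host}")
    if SENSITIVE.search(body):  # sign 5: asks for credentials or bank details
        signals.append("asks for sensitive information")
    return signals

# Constructed sample message, modelled on the HMRC example in the text above.
PHISH = """From: HMRC Tax Refunds <hmrc-taxrefunds@hotmail.com>
Subject: Final notice: confirm your details
Content-Type: text/plain

Dear Customer,

Your account will be suspended within 24 hours unless you confirm your bank details at
http://hmrc-refund-portal.example.net/login
"""
```

Running `phishing_signals(PHISH)` flags all of the signs discussed; a plain supplier email with no greeting template, links or data requests returns an empty list.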


One common phishing scam in the UK involves an email claiming to be from Companies House or HMRC, asking businesses to confirm details or make payments. Another frequent tactic is posing as a supplier and asking for payment to new bank details, which is known as mandate fraud.

If something feels off, it probably is. Always verify through an independent channel. Call the organisation directly using a number from their official website, not one in the email.

What to Do If You Suspect a Phish:

1. Don’t interact with the message—no clicks, no downloads.

2. Report it to your email provider or IT team.

3. Forward the email to the UK’s Suspicious Email Reporting Service: report@phishing.gov.uk.

4. Alert your staff, especially if it’s targeted at more than one person in your organisation.

The best defence is a well-informed team. Train your staff to recognise phishing attempts, implement two-factor authentication across systems, and encourage a “think before you click” mindset.

Additionally, consider investing in email filtering tools, regular backups, and Cyber Essentials Certification.

Phishing isn’t going away. As the techniques become more sophisticated, UK SMEs must stay vigilant. By knowing what to look for and fostering a culture of caution, your business can stay one step ahead of the scammers.
