What Is Phishing?
Phishing is a type of social engineering attack where criminals impersonate trusted organisations — such as your bank, a loan provider, or HMRC — to trick you into revealing sensitive information. This might include your login credentials, one-time passcodes (OTPs), or card details.
Financial accounts are among the most targeted because the reward for criminals is immediate and direct.
The Most Common Phishing Techniques
Email Phishing
You receive an email that appears to come from your bank, warning of suspicious activity or asking you to verify your account. The email contains a link to a convincing but fake website designed to capture your login details.
Red flags to look for:
- Sender address doesn't match the official domain (e.g. support@your-bank-secure.com instead of support@yourbank.com). Look at the actual address, not the display name: a message can show "YourBank Security" as the sender while the address behind it is anything at all. The reverse is also true: because the From header can be forged, an address that matches the bank's domain is not on its own proof that the message is genuine.
- Generic greetings like "Dear Customer" instead of your name
- Urgent language: "Your account will be suspended within 24 hours"
- Links that display one URL but point to another (hover over a link on a computer, or long-press it on a phone, to see the real destination before opening it)
- Poor grammar or unusual formatting
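The red flags in the list above can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it scans a constructed sample message (the phishing email and the benign one are both made up for this illustration) against a placeholder official domain, yourbank.com, which is an assumption and not a real bank. It reports a sender domain that is not the bank's, a display name that imitates the bank, a generic greeting, urgency phrases, and links whose visible text differs from where they really go. The phrase lists are illustrative, not a complete filtering ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "yourbank.com"   # assumed placeholder, not a real bank's domain

# Constructed sample phishing message (not a real email), built from the red flags above.
PHISHING_EMAIL = """From: "YourBank Security" <support@your-bank-secure.com>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected suspicious activity. Your account will be suspended within 24 hours
unless you verify your details.</p>
<p><a href="https://yourbank.com.account-verify.net/login">https://www.yourbank.com/login</a></p>
</body></html>
"""

# Constructed benign message for comparison: real domain, personal greeting, no links.
GENUINE_EMAIL = """From: "YourBank" <alerts@yourbank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Dear Jane Smith,
Your statement for March is now available in online banking.
"""

# Illustrative phrase lists; a production filter would use far richer ones.
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent|suspended)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|client|member)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL; a bare domain without a scheme is accepted too."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def on_official_domain(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a subdomain of it, never a lookalike."""
    return host == official or host.endswith("." + official)


def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) or b"" for p in parts if p.get_content_maintype() == "text"]
    return b"\n".join(chunks).decode("utf-8", errors="replace")


def check_email(raw, official=OFFICIAL_DOMAIN):
    """Return (flag, detail) pairs for every red flag that fires; [] means none did."""
    msg = message_from_string(raw)
    flags = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if not on_official_domain(sender_host, official):
        flags.append(("sender-domain", f"{addr} is not on {official}"))
        if official.split(".")[0] in display_name.lower():
            flags.append(("display-name", f"{display_name!r} imitates the bank"))

    html = body_text(msg)
    text = msg.get("Subject", "") + "\n" + re.sub(r"<[^>]+>", " ", html)
    greeting = GENERIC_GREETING.search(text)
    if greeting:
        flags.append(("generic-greeting", greeting.group(0)))
    urgent = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if urgent:
        flags.append(("urgency", ", ".join(urgent)))

    collector = _AnchorCollector()
    collector.feed(html)
    for href, shown in collector.anchors:
        target = host_of(href)
        if not on_official_domain(target, official):
            flags.append(("link-offsite", f"{href} goes to {target}"))
        if LOOKS_LIKE_URL.match(shown) and host_of(shown) != target:
            flags.append(("link-mismatch", f"shows {shown} but goes to {target}"))
    return flags


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name + ":", check_email(raw) or "no red flags")
```

Run as a script, it lists six flags for the constructed phishing message and none for the benign one. The domain test deliberately compares the whole suffix, so yourbank.com.account-verify.net is not accepted as yourbank.com, and the visible link text is only compared to the real target when it looks like a URL, so anchors reading "click here" are not misreported.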
SMS Phishing (Smishing)
Text messages claiming to be from your bank or a delivery service, often containing a short link. SMS sender IDs can be spoofed, so a fraudulent text can land in the same conversation thread as genuine messages from your bank; appearing in that thread proves nothing. Treat any link in a text as suspect: legitimate banks will not ask you to click a link in an SMS to log in or confirm payment details.
Phone Phishing (Vishing)
A caller claims to be from your bank's fraud team and asks you to confirm your details to "secure your account." They may already know your name and partial account details (gathered from data breaches) to seem credible, and caller ID can be spoofed to show your bank's genuine phone number.
Important: Your bank will never ask for your full PIN, full password, or for you to transfer money to a "safe account."
Clone Websites
Criminals create near-identical replicas of banking login pages, often served over HTTPS with a valid certificate and padlock, so the page itself can look perfect. Only the domain name in the address bar tells you who you are really talking to; always check it carefully before entering any credentials.
How to Protect Yourself
- Go directly to the source. Never click links in unsolicited emails or texts. Open your browser and type your bank's address manually.
- Enable two-factor authentication (2FA). Even if your password is compromised, 2FA adds an additional barrier. It is a barrier, not a guarantee: a fake site can capture a code sent by SMS or email and relay it to the real site within the code's validity window, so 2FA only helps if you never enter a code on a site reached from a message or read one out to a caller. Where your bank offers an authenticator app rather than SMS codes, prefer it.
- Check the URL, not just the padlock. The padlock only means the connection is encrypted; phishing sites obtain valid certificates easily, so it says nothing about who runs the site. Ensure the address begins with https:// and that the domain is exactly your bank's official domain or a subdomain of it. Read the domain from the right: yourbank.com.verify-now.net belongs to verify-now.net, and yourbank-secure.com is a different domain from yourbank.com, however familiar it looks.
- Never share OTPs. One-time passcodes are for your use only. No legitimate organisation will ask you to read one out to them.
- Keep software updated. Browser and operating system updates often include security patches that protect against known attack methods.
- Use a password manager. Strong, unique passwords for every account mean one compromised password doesn't expose everything. A password manager also matches saved logins to the exact domain, so if it refuses to autofill your banking password on a page that looks like your bank, treat that as a warning rather than a glitch.
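The "matches your bank's official domain exactly" check above is where most people go wrong, because the address bar can be made to contain the bank's name without the site belonging to the bank. Here is an added example, not part of the original article, of the check done properly. It assumes a placeholder official domain, yourbank.com (not a real bank), and walks through the common tricks: a plain http:// page, the bank's name used as a subdomain of an attacker's domain, the bank's name placed before an @ sign (browsers treat everything before the @ as a username and go to the host after it), a hyphenated lookalike, a bare IP address, and an internationalised (punycode) hostname that can render as a visual lookalike. The sample URLs are constructed for the illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "yourbank.com"   # assumed placeholder, not a real bank's domain


def check_bank_url(url, official=OFFICIAL_DOMAIN):
    """Return (ok, reason). ok is True only for an HTTPS URL whose host is the
    official domain or a subdomain of it; each common trick yields False."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        # https://www.yourbank.com@evil.net: the part before '@' is userinfo, not the host
        return False, f"text before '@' is ignored by the browser; real host is {host!r}"
    try:
        ip_address(host)
        return False, f"host is a bare IP address {host!r}, not a domain name"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can render as lookalikes of Latin letters
        return False, f"internationalised (punycode) hostname {host!r}; treat as a lookalike"
    if host == official or host.endswith("." + official):
        return True, f"host {host!r} is on {official!r}"
    # Covers yourbank-secure.com, yourbank.com.evil.net, yourbankk.com and similar
    return False, f"host {host!r} is not {official!r}; only the registrable domain counts"


# Constructed examples: the genuine address followed by one URL per trick described above.
SAMPLE_URLS = [
    "https://www.yourbank.com/login",
    "http://www.yourbank.com/login",
    "https://yourbank.com.account-verify.net/login",
    "https://www.yourbank.com@evil.net/login",
    "https://yourbank-secure.com/login",
    "https://192.0.2.10/login",
    "https://xn--yurbank-9ya.com/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_bank_url(u)
        print("OK  " if ok else "FAKE", u, "-", why)
```

Only the first sample passes. The suffix comparison is the important part: checking whether "yourbank.com" appears anywhere in the address, which is what a quick glance does, would accept four of the six fakes.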
What to Do If You've Been Phished
If you suspect you've entered your details on a fraudulent site or disclosed information to a suspicious caller:
- Contact your bank immediately using the number on the back of your card, never a number from the suspicious message or one the caller gave you.
- Change your online banking password from a secure device, along with the password on any other account where you reused it, and sign out of all other sessions if your bank offers that option.
- Report the incident to Action Fraud (UK) or your national cybercrime reporting centre.
- Monitor your account statements closely for unauthorised transactions.
Final Thought
The most effective defence against phishing is scepticism. Treat every unsolicited communication asking for financial information as suspicious until proven otherwise. Legitimate organisations will always give you time to verify their identity through official channels.