Scam Texts and Emails: How to Spot Them and What to Do

Why Scam Messages Are So Effective Now

The scam texts and emails that arrive in UK inboxes today are qualitatively different from the poorly spelled messages about Nigerian princes that were easy to dismiss a decade ago. Modern phishing and smishing attacks are personalised, professionally written, visually convincing, and timed to coincide with events that make them plausible. A text purportedly from Royal Mail arriving when you are expecting a delivery, an email apparently from your bank at the moment you are checking your account, a message from HMRC during the self-assessment period: all of these land in a context that makes them feel entirely credible.

The sophistication of these attacks means that spotting them requires an understanding of how they work, not just pattern recognition of obviously suspicious messages. This guide explains the current tactics, gives concrete spotting techniques, and covers what to do if someone in your household has already interacted with something suspicious.

The Main Types of Attack

Phishing arrives by email and impersonates organisations you trust: banks, HMRC, Royal Mail, Amazon, Netflix, PayPal, and government services. The email typically contains either a link to a convincing fake website designed to capture your login credentials or financial details, or an attachment containing malware that installs itself when opened. Some phishing emails are not trying to steal credentials directly but to install ransomware or spyware onto your device.

Smishing arrives by text message and follows the same pattern. Delivery scams (Royal Mail, DPD, Evri) are currently the most common format: you are told a delivery has failed or a customs fee is due, and you are asked to click a link to reschedule or pay. The link leads to a convincing fake site that captures your payment details. These are sent at scale to millions of numbers and are timed to land when delivery volumes are high, such as before Christmas or during peak online shopping periods.

Vishing is voice phishing: a phone call from someone pretending to be your bank, the police, or HMRC. These calls are sometimes automated initially, then transferred to a human operator if you engage. They are among the most convincing scams because a real-time voice conversation allows the scammer to adapt to your responses in ways that a prewritten text or email cannot.

How to Spot a Scam Message

Check the sender details carefully. In emails, the display name may say "Royal Mail" while the actual email address is something like "noreply@royalmail-tracking.net" rather than the legitimate "@royalmail.com". Hover over the sender name to reveal the full address. In texts, legitimate organisations sending important messages will typically use a named sender ("Royal Mail") rather than a random phone number, though scammers are increasingly spoofing named senders.

Do not trust a link in any unsolicited message. Before clicking any link, hover over it in an email to see the destination URL at the bottom of your browser window. If the URL does not match the organisation it claims to be from, do not click it. For texts, do not click any link in an unsolicited delivery or payment message; go directly to the courier or organisation's official website by typing it yourself in your browser.

Urgency is the primary psychological tool in scam messages. "Your account will be suspended in 24 hours", "Act now to avoid a fine", "Immediate action required": these phrases are designed to override careful thinking. A genuine organisation will not typically require you to act within hours or face irreversible consequences. Take a breath before acting on any urgent message and verify through an official channel first.

Requests for payment by unusual methods, including vouchers (iTunes, Amazon), cryptocurrency, or bank transfer to a new account, are almost always fraudulent. Legitimate organisations do not request payment through these channels.

Protecting Your Household

Enable spam filtering on all email accounts. Most major email providers including Gmail, Outlook, and Apple Mail have built-in spam detection that catches a significant proportion of phishing attempts before they reach the inbox. Make sure this is turned on and set to an appropriate sensitivity level.

Register your household numbers with the Telephone Preference Service (tpsonline.org.uk) to reduce marketing calls. While this does not stop criminal calls, it reduces the overall volume of unsolicited contact and makes it slightly easier to identify calls that should not be coming through as higher risk.

Have an explicit family conversation about scam messages, including with older relatives who may be less familiar with current tactics. Show examples of real scam messages so that family members recognise the formats. Agree that anyone unsure about a message will check with another family member before clicking or responding. This simple norm significantly reduces the risk of a successful attack.

If Someone Has Clicked or Responded

If you or a family member has clicked a link and entered information, act immediately. Contact your bank if any financial or payment information was provided; banks have fraud teams and the sooner you report, the higher the chance of recovering any funds taken. Change the password for any account whose credentials may have been captured, starting with your email account which is the master key to most other accounts.

If you clicked a link and downloaded something, run a full security scan using your device's antivirus software or a reputable tool such as Malwarebytes. If you are concerned that malware may have been installed, your IT department (if a work device) or a reputable computer repair service can help assess and clean the device.

Report phishing emails to the National Cyber Security Centre at report@phishing.gov.uk, and report scam texts by forwarding them to 7726 (which spells SPAM on a phone keypad). Reporting contributes to the identification and disruption of scam operations. Report to Action Fraud (actionfraud.police.uk) if money has been lost.