Skip to navigation Skip to content Skip to footer

Phishing - spam emails and fake websites

This advice applies to England

Scams are schemes to con you out of your money. They can arrive by post, phone call, text message, email, or a scammer may even turn up on your doorstep.

Many scams happen online and are set up by computer hackers. They send fake emails or set up bogus websites, which may look like they come from a genuine company when they don't. Fake emails are known as spam emails.

Scammers use these emails or websites to try to get you to give them personal information, for example, your bank account details or passwords. They may also access your wireless (Wi-Fi) network if it isn’t secure to get to your personal information. This is known as phishing.

This page tells you more about how to spot signs of phishing and spam emails.


Phishing is a way scammers try to steal your identity and gain access to user names and passwords, to then steal money.

Phishing usually takes place through spam emails sent to millions of addresses. These emails look like they come from a genuine companies, usually a bank or credit card company, and they ask for details of your account.

The company claims you need to update or confirm your account details by clicking on a link. The link then takes you to a bogus website where your details can be used by criminals.

Your bank will never ask you to confirm your user name or password by clicking on a link in an email and visiting a website.

How can I spot a spam email?

You can often tell a spam email because:

  • the sender’s email or web address is different to the genuine organisation’s addresses
  • the email is sent from a completely different address or a free web mail address
  • the email does not use your proper name, but uses a non-specific greeting such as 'dear customer’
  • the email threatens that unless you act immediately your account may be closed
  • you're asked for personal information, such as your username, password or bank details
  • the email contains spelling and grammatical errors
  • you weren't expecting to get an email from the company that appears to have sent it
  • the entire text of the email is contained within an image rather than text format
  • the image contains a link to a bogus website

How can I spot a phishing website?

You may be able to tell a website isn’t genuine because:

  • the website's address is slightly different to the genuine company's
  • there are spelling and grammatical errors on the page
  • the site isn't secure. A genuinely secure web address where you're being asked to send sensitive personal information should always start: https://. Websites that start http:// aren't as secure.
  • the padlock for secure sites isn’t in the website browser, at the top or bottom of the page.  

Padlock security

Genuine websites that ask for personal information show a padlock either at the top or the bottom of the web page. If you're not sure whether a site is genuine, click on the padlock and check the security certificate, which tells you if the site is authentic.  

Only valid certificates issued by approved authorities are trustworthy.  If you're still unsure, check if the name on the certificate matches the name of the company behind the website.

Next steps


Reporting a problem to Trading Standards

Trading Standards deal with complex consumer problems and potential criminal activities.

If you want to report a problem to Trading Standards, you should contact the Citizens Advice consumer service, who share information reported to them with Trading Standards.

Did this advice help?
Why wasn't this advice helpful?
Did this advice help?

Thank you, your feedback has been submitted.