Spotting Scams and Phishing: A Calm Guide to the Tricks That Actually Fool People

Almost nobody gets scammed because they are gullible. People get scammed because a message arrived at exactly the wrong moment, looked completely normal, and pushed a button that bypasses careful thinking — fear, urgency, or the chance to fix a problem fast. Modern scams are not full of spelling mistakes and obvious nonsense. The good ones look like your bank, your delivery company, or your boss, and they are designed to make you act before you think.

The takeaway up front: you cannot reliably win by inspecting whether a message looks real, because the convincing ones are built to pass that test. You win by changing how you respond to any message that wants you to act quickly. The single habit that defeats almost every scam is this: when a message creates urgency, stop and verify it through a channel you chose yourself — not a link, number, or button the message handed you. This guide explains why that works and how to do it without becoming paranoid.

The real trick: scams target feelings, not logic

A scam has to get past your judgment, so it goes around it. Nearly every scam leans on one of a few emotional levers:

  • Urgency. "Your account will be suspended in 24 hours." A deadline makes you act before you check.
  • Fear. "Suspicious login detected." "Unpaid toll — legal action pending." Fear narrows your focus to making the bad thing stop.
  • Authority. A message that looks like it is from your bank, the tax office, or your CEO. We are trained to comply with authority quickly.
  • Reward or curiosity. "You've won." "Your parcel is waiting." A small dangling prize gets the click.

Once you know the levers, the tell is no longer in the spelling or the logo — it is in how the message makes you feel. A message engineered to make you feel rushed or scared is exactly the one to slow down on. That feeling of pressure is itself the warning sign. This pairs closely with locking down your logins, covered in our passwords and accounts guide, because a scam that captures one password does the most damage when that password is reused everywhere.

Why "just look carefully" stops working

People are told to check for bad grammar, odd sender addresses, and dodgy links. That advice is not wrong, but it is no longer enough, for three reasons:

  1. Scammers copy real messages. They lift the genuine branding, layout, and wording from a real bank or courier email. There is nothing visually off because it is a near-perfect copy.
  2. Display names and links can lie. The text of a link can say yourbank.com while pointing somewhere else entirely. A sender name can read "Customer Support" while the real address is gibberish you never see on a phone.
  3. Caller ID and SMS sender IDs can be faked. A text can appear in the same thread as your real bank's messages. A call can show your bank's actual number. Spoofing makes "but it came from their number" meaningless.

So inspection alone is a losing game against a good fake. The reliable defense is not better eyesight — it is a better procedure.

The procedure that beats almost any scam

Adopt one rule and apply it to every message that asks you to act, pay, log in, or share a code: verify out of band. That means confirming through a separate channel that you selected, not the one the message offered.

In practice:

  • Got an email or text from your bank? Do not click the link. Open your banking app or type the bank's address yourself, and check for the same alert there. If it is real, it will be in your account too.
  • Got a call claiming to be your bank, the tax office, or tech support? Hang up. Find the official number yourself — on the back of your card, on your statement, or on the official website — and call that. Never call back a number the caller gave you.
  • Got an urgent request from your boss or a supplier to pay or buy something? Confirm it on a different channel you already trust — a known phone number or in person — before moving any money. Urgent payment requests are a classic business scam.

The whole point is that the scammer controls every detail of the message except the channel you choose independently. By stepping outside their message, you step outside their trap. It costs you two minutes; it costs them the entire scam.

A worked example: the "delivery fee" text

You get a text: "Your parcel could not be delivered. Pay a £1.99 redelivery fee to reschedule: [link]." You are, in fact, expecting a parcel. It looks plausible, the fee is tiny, and you are busy. This is exactly the design.

Walk it through the procedure. The message wants you to act fast (urgency) over a trivial amount (low resistance) by clicking its link (a channel it controls). The redelivery page will look like the courier's site and will ask for your card details — and often a "verification" step that hands over enough to take far more than £1.99. The out-of-band move: go to the courier's official site or app yourself using your tracking number, or contact the sender you actually ordered from. If there is no real redelivery issue there, the text was a scam. The tiny fee was never the goal; your card and details were. The trick is that the scam works because you were expecting a parcel — so expecting something is not evidence a message is genuine.

Common mistakes, and why people make them

  • Trusting caller ID or the message thread. People assume numbers and threads cannot be faked. They can. Treat the channel as unverified no matter how familiar it looks.
  • Clicking to "check if it's real." The link itself can be the trap — a fake login page or a malware page. Verify by going to the source independently, never by following the message.
  • Reading a code or one-time password aloud. No legitimate bank or company will ever ask you to read back a verification code sent to your phone. That request is the scam, full stop.
  • Acting because it's a small amount. Low-value asks lower your guard, but the small fee is bait for your details, not the actual theft.
  • Feeling too embarrassed to pause. People worry that double-checking is rude or paranoid. A real organisation will never mind you verifying. The pressure not to "waste their time" is part of the manipulation.

Edge cases and what to do if you slip

Some scams play a long game — a friendly chat over days or weeks before any ask (romance and investment scams). The same rule still holds: the moment money, crypto, gift cards, or account access enters the conversation, verify independently and talk to someone you trust before acting. Scammers isolate their targets, so a second human opinion is powerful.

If you think you have already clicked or shared something: change the password on the affected account immediately (and anywhere you reused it), turn on two-factor authentication, contact your bank if any payment details were exposed, and watch your accounts. Acting fast limits the damage, and there is no shame in it — these schemes fool careful people every day.

Frequently asked questions

How can I tell if an email or text is phishing?

Stop relying on how it looks, because good fakes copy real messages. Instead, notice how it makes you feel — urgency, fear, or a too-good reward are red flags — and never act through the link or number it gives you. Verify by contacting the company through a channel you chose yourself, such as their official app or the number on your card.

Is it safe to click the link just to check if it's real?

No. The link can lead to a fake login page that steals your password or a page that installs malware. Checking should always be done independently — open the official app or type the address yourself. If the alert is genuine, it will also appear when you reach the source directly.

My bank's real number called me — can I trust it?

Not on its own. Caller ID can be faked to show any number, including your bank's. Hang up and call the official number from the back of your card or your statement. A genuine bank will never object to you calling back to confirm.

What should I do if I already fell for a scam?

Act quickly and without shame. Change the password on the affected account and anywhere you reused it, turn on two-factor authentication, and contact your bank if any payment or card details were shared. Then watch your accounts for unusual activity. Fast action limits the damage.

Will a real company ever ask for a verification code?

No. A one-time code or password sent to your phone is for you alone. Anyone phoning, texting, or messaging to ask you to read it back is trying to break into your account. Never share it, however official they sound.

Next step

Scams win by rushing you; you win by slowing down. You do not need to become an expert at spotting fakes — you need one reliable habit: when any message wants you to act, pay, or share, stop and verify it through a channel you picked yourself. That single pause defeats the urgency every scam depends on. For more plain-language guides on staying safe online without the jargon, explore Cyber Zootopia.
