You’re checking emails while having your morning coffee. One email catches your eye: your bank has detected unusual activity on your account. "Click here to verify your identity."
It looks legitimate. The logo is correct, the wording sounds official, and you don’t want to risk your account being locked. You tap the link, log in, and follow the instructions.
Everything seems fine. But it isn’t.
Two days later, you discover money is missing from your account. The email was fake, the login page was a clone, and the scammers now have full access to your banking details.
This scenario happens daily to people who believe they’d never fall for a scam. Phishing works because it appears authentic and exploits trust.
Why Phishing Scams Are So Effective
Criminals don’t need to break into your home. They just need you to trust them for a moment.
1️⃣ They create urgency ⏳
"Your account has been locked due to suspicious activity." 🔒
"Your delivery failed, update your details to reschedule." 📦
"You’ve won a prize, claim it now before it expires." 🎁
When something feels urgent, you react before you think. That’s exactly what they want.
2️⃣ They imitate brands you trust 🏦
Banks, delivery services, HMRC, PayPal, Netflix—scammers copy big names because they know you’ll let your guard down.
Everything looks professional, from the logo to the email signature. Some even fake customer service phone numbers to make their scams more convincing.
3️⃣ They know you’re distracted 📱
You check emails while commuting, scrolling social media, or half-watching TV. You don’t inspect every sender; you just click and move on.
Scammers count on you being in autopilot mode.
And it’s not just emails anymore: texts, WhatsApp messages, phone calls, and social media DMs are now common tools used for phishing.
🛠️ How to Avoid Getting Hooked
Phishing only works if you take the bait. Here’s how to spot and stop it.
1️⃣ Slow down before clicking 🚦
Hover over links on a computer or long-press on your phone before clicking. If it looks suspicious or has typos, delete it 🗑️.
If unsure, go directly to the official website instead of clicking links.
2️⃣ Check who’s sending it 🧐
Legitimate companies don’t use random Gmail or Outlook addresses.
Watch for small spelling changes, like "barclays-support.com" instead of "barclays.co.uk."
3️⃣ Never share personal information via email or text 🚫
Banks, HMRC, and major companies will never ask for passwords or personal details over email.
If you receive an urgent request, call the company using the number on their official website and never the one in the email.
4️⃣ Enable two-factor authentication (2FA) 🔐
Even if scammers get your login details, 2FA adds an extra layer of security that makes it harder for them to access your account.
If something feels even slightly off, assume it’s a scam 🚨.
📩 Report Phishing in the UK
If you receive a suspicious email, forward it to report@phishing.gov.uk. This is the UK government’s official reporting service, run by the National Cyber Security Centre.
For scam texts, forward them to 7726.
Reporting phishing helps shut down scam websites faster and protects others from falling victim.
🤔 Can You Spot the Fake?
One of these emails is real. The rest are scams. Can you tell which is which?
A) no-reply@hsbc-secure.com
B) support@paypal-updates.com
C) contact@amazon.support-team.com
D) notifications@apple.com
Scroll down for the answers.
❓ Ask The Broken Padlock
Q: "I think I clicked a phishing link, what should I do?"
A: Act fast. Change your passwords immediately, enable two-factor authentication, and contact the company involved to report the scam. If you entered payment details, contact your bank to block potential fraud.
🕯️ And Finally…
Phishing scams don’t work because people are foolish. They work because scammers are cunning.
The next time you get an email or text that feels urgent, pause, verify, and take control.
📩 Want more real-world security advice? Subscribe to The Broken Padlock for free.
🔜 Next Week: Walking Home Alone – Are You Being Watched?
We’ll look at how criminals assess their targets in public, the small habits that make you a harder victim, and practical ways to stay safe on the street.
✅ Answer to "Can You Spot the Fake?"
The only real email is D) notifications@apple.com. The rest are scams. Here’s why:
A) no-reply@hsbc-secure.com – HSBC emails always come from hsbc.co.uk. The scammer has added "-secure.com" to make it look official.
B) support@paypal-updates.com – PayPal emails only come from paypal.com. The scammer added "-updates" to make it seem legitimate.
C) contact@amazon.support-team.com – Amazon doesn’t use "support-team.com." Scammers insert extra words like this to trick people into thinking it’s real.
Next time you get an email, take a second to check the sender’s address carefully. A small detail could be the difference between staying safe and getting scammed.
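One way to turn the "Check who’s sending it" advice and the quiz answers above into a repeatable check, as an added Python example that is not part of this newsletter. The HSBC, PayPal, Barclays and Apple domains are the ones the newsletter states; the Amazon domains and the free-webmail list are assumptions for illustration.

```python
from email.utils import parseaddr

# Brand -> domains the newsletter says the brand sends from. The Amazon entry
# is an assumption for illustration; the page only says Amazon does not use
# "support-team.com".
BRAND_DOMAINS = {
    "hsbc": {"hsbc.co.uk"},
    "paypal": {"paypal.com"},
    "barclays": {"barclays.co.uk"},
    "apple": {"apple.com"},
    "amazon": {"amazon.co.uk", "amazon.com"},  # assumed, not from the page
}

# Free webmail providers a bank or major retailer would not send from (assumed list).
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the real address in a From: header.

    parseaddr discards the display name, so 'PayPal <x@gmail.com>' yields
    gmail.com instead of being fooled by the friendly name.
    """
    _, address = parseaddr(header_value)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def on_domain(domain: str, legit: str) -> bool:
    """True when domain is legit itself or a subdomain of it (e.g. mail.paypal.com)."""
    return domain == legit or domain.endswith("." + legit)


def check_sender(header_value: str) -> tuple[str, str]:
    """Classify a From: header as 'ok', 'suspicious' or 'unknown', with a reason."""
    domain = sender_domain(header_value)
    if not domain:
        return "suspicious", "no usable address in From: header"
    if domain in FREE_WEBMAIL:
        return "suspicious", f"free webmail provider {domain}"
    # A genuine brand domain, or a subdomain of one, passes.
    for brand, legit_domains in BRAND_DOMAINS.items():
        if any(on_domain(domain, d) for d in legit_domains):
            return "ok", f"registered {brand} domain {domain}"
    # The brand name anywhere else in the domain is the lookalike pattern from
    # the quiz: hsbc-secure.com, paypal-updates.com, amazon.support-team.com.
    for brand in BRAND_DOMAINS:
        if brand in domain:
            return "suspicious", f"'{brand}' used in a non-{brand} domain: {domain}"
    return "unknown", f"{domain} is not a brand domain on the list"
```

The substring test is deliberately coarse: it flags any domain that borrows a brand name, which is the pattern the quiz shows, but it will not catch misspellings such as a swapped letter, so it complements rather than replaces reading the address yourself.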
Disclaimer:
While the advice provided in this newsletter can help reduce the risk of becoming a victim of crime, no security measure or strategy can eliminate the risk entirely. The goal is to reduce the risk to as low as reasonably practicable (ALARP), acknowledging that some level of risk will always remain due to the unpredictability of human behaviour and the methods used by criminals. According to criminological theories such as Situational Crime Prevention (Clarke, 1983), the most effective way to prevent crime is to alter the environment or circumstances that allow it to occur. However, even with the best precautions, risk can never be reduced to zero. The only way to completely remove the risk is to entirely eliminate the target; in other words, remove the opportunity for crime to occur altogether. This reinforces the importance of layered security measures, vigilance, and ongoing risk assessment to effectively mitigate threats.