
Phishing Scams UK 2026: How to Spot Them, Report Them, and Get Your Money Back

Phishing is the leading gateway to financial fraud in the UK. FCA and Action Fraud report rising impersonation scam volumes in 2026. Here is how to identify phishing, what to do if targeted, and how the PSR reimbursement rules protect you.

Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 16 Jun 2026
Last reviewed 16 Jun 2026
✓ Fact-checked

TL;DR

Phishing is the most common gateway to financial fraud in the UK. The FCA, Action Fraud, and UK Finance all report rising volumes of impersonation scams targeting banking and investment customers. Here is how phishing works, how to identify it, and what to do if you have been targeted.

Phishing searches spiked in the UK on 15 June 2026. While search volume alone does not confirm a specific campaign, phishing awareness searches typically correlate with active fraud waves - often when a major bank, government department, or well-known brand is being impersonated at scale.

What phishing is and how it works

Phishing is the fraudulent attempt to obtain sensitive information - typically login credentials, card numbers, or personal data - by impersonating a trusted entity. The name derives from the analogy of fishing: cast enough lures, and someone takes the bait.

The primary vectors in the UK are email (phishing), SMS (smishing), and telephone calls (vishing). A phishing email typically mimics the branding of a bank, HMRC, Royal Mail, or a utility supplier, and contains a link to a spoofed website designed to capture credentials. Smishing uses urgent SMS messages ("your parcel could not be delivered") to the same end. Vishing involves a caller impersonating a bank's fraud team and using social engineering to extract account details or authorise transfers.

How to identify a phishing attempt

Sender addresses: legitimate banks and government departments do not send from free email domains (gmail.com, yahoo.co.uk). Check the actual sending address, not just the display name.

Links: hover over links before clicking to see the destination URL - a spoofed domain might be "hmrc-refund.co.uk" rather than "hmrc.gov.uk".

Urgency and threats: phrases such as "your account will be suspended in 24 hours" are designed to bypass rational evaluation. Legitimate institutions provide adequate notice and formal written communication.

Requests for passwords or full card numbers: no legitimate bank or government body will ask for your full PIN, password, or card security code.

Attachment warnings: executable files (.exe), Office documents requesting macro activation, and compressed archives from unknown senders are high-risk.
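The sender, link, urgency and attachment checks can be partly automated when triaging a reported message. The Python below is an added example, not part of the original article; the brand map, the extension list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.co.uk"}      # free domains named in the article
URGENCY = re.compile(r"suspended in \d+ hours|could not be delivered", re.I)
RISKY_EXT = (".exe", ".zip", ".docm", ".xlsm")  # assumed high-risk extensions
BRANDS = {"hmrc": "hmrc.gov.uk"}              # assumed brand -> genuine domain map

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: "HMRC Refunds" <refunds@gmail.com>
Subject: Tax refund
Content-Type: text/plain; charset=utf-8

Your account will be suspended in 24 hours.
Claim at https://hmrc-refund.co.uk/claim
"""

def under(domain, genuine):
    """True if domain is the genuine domain or one of its subdomains."""
    return domain == genuine or domain.endswith("." + genuine)

def triage(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if sender_domain in FREE_MAIL:
        findings.append("free-mail sender")
    for brand, genuine in BRANDS.items():     # display name vs real address
        if brand in display.lower() and not under(sender_domain, genuine):
            findings.append(f"display name claims {brand} but sender is {sender_domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name}")
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(errors="replace")
        if URGENCY.search(body):
            findings.append("urgency wording")
        for host in re.findall(r"https?://([\w.-]+)", body):
            host = host.lower().rstrip(".")
            for brand, genuine in BRANDS.items():  # brand in host, wrong domain
                if brand in host and not under(host, genuine):
                    findings.append(f"lookalike link host {host}")
    return findings
```

An empty list means none of these indicators fired, not that the message is genuine.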

What to do if you have clicked a phishing link

Do not enter any information on the page. Close the browser immediately. If you have already entered credentials, change your password on the genuine site immediately, from a different device if possible. Contact your bank directly using the number on the back of your card - not any number provided in the message. Report the phishing attempt to the National Cyber Security Centre (NCSC) at report@phishing.gov.uk. Report financial fraud to Action Fraud at actionfraud.police.uk or 0300 123 2040.

If money has already left your account

Report to your bank immediately. Under the Payment Systems Regulator's mandatory reimbursement rules for Authorised Push Payment (APP) fraud (which took effect October 2023), banks are required to reimburse victims of APP fraud up to £85,000 per claim in most cases, unless the customer acted with gross negligence. If your bank declines to reimburse, escalate to the Financial Ombudsman Service (FOS), which is free for consumers.

Protecting yourself going forward

Enable two-factor authentication (2FA) on banking and email accounts. Use a password manager to generate unique passwords per site, eliminating credential stuffing risk. Register your number with the Telephone Preference Service (TPS) to reduce cold call volume. Check your credit file regularly via one of the three UK credit reference agencies for unexpected applications.

What should I do if I receive a phishing email?

Do not click any links or open attachments. Forward the email to report@phishing.gov.uk (the NCSC Suspicious Email Reporting Service) and then delete it. If the email impersonates a specific bank or organisation, report it to that organisation's fraud team as well.

Can I get my money back after a phishing scam?

If you were tricked into authorising a payment (APP fraud), the Payment Systems Regulator's mandatory reimbursement scheme applies to most cases. Report to your bank immediately and escalate to the Financial Ombudsman Service if the bank refuses. If money was taken without your authorisation (card fraud), the bank is generally required to refund under the Payment Services Regulations 2017.

How do I report phishing in the UK?

Suspicious emails: report@phishing.gov.uk (NCSC). Suspicious texts: forward to 7726 (the industry SMS spam reporting number). Phone scams and financial fraud: Action Fraud at actionfraud.police.uk or 0300 123 2040. Scam websites: report to the NCSC via the same email address.

Is phishing covered by my bank's fraud protection?

Unauthorised transactions (where a fraudster accessed your account without your consent) are covered by the Payment Services Regulations 2017. Authorised push payment (APP) fraud (where you were manipulated into making the transfer yourself) is covered by the PSR's mandatory reimbursement scheme up to £85,000, subject to gross negligence tests.

Disclaimer: This article is for general information only. If you believe you are a victim of fraud, contact your bank and Action Fraud immediately. Kaeltripton is not an FCA-regulated firm and does not provide financial advice.

Sources: National Cyber Security Centre phishing guidance (ncsc.gov.uk); Action Fraud (actionfraud.police.uk); Payment Systems Regulator APP fraud reimbursement rules (psr.org.uk); Financial Ombudsman Service (financial-ombudsman.org.uk); Payment Services Regulations 2017 (legislation.gov.uk).

Chandraketu Tripathi
Finance Editor · Kaeltripton.com
Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.
