We use cookies to help us provide you with the best experience, improve and tailor our services, and carry out our marketing activities. For more information, including how to manage your cookie settings, see our privacy notice.


Skip to content. | Skip to navigation

We’ve made our member-only resources free to everyone because of the current situation. We think it’s important people have the guidance they need to run their organisations during this time.

If you want to find out more about how you can volunteer to help deal with coronavirus, see our volunteering and coronavirus page.

If you are looking for advice on coronavirus and your charity, please see our dedicated coronavirus page.

Community-made content which you can improve Case study from our community

How to stay safe from email scammers

As more of our life moves online, we are becoming increasingly vulnerable to hackers and scammers, who seek financial gain through stealing your personal information or taking control of your computer.

This how-to contains a few simple tips to help you and your organisation avoid falling victim to email scammers.


Be vigilant, everyone is a target

The most important thing to remember is that we are all vulnerable to hackers or scammers, no matter how small your organisation. It only takes one scam email to succeed for the financial or operation information of you and your organisation to be at risk.


Beware all suspicious emails

Phishing scams are emails that are falsified to appear as if they are from a trusted source to dupe you into divulging personal information or installing malicious software that can take control of your computer.

Commonly these emails are disguised to look like they come from large service providers (HRMC, O2, UPS, Apple, Facebook, Gmail etc), but can also appear to come from people you know.

Be suspicious of any message from an organisation you don’t have a service with, or that asks for your password or personal or financial information.

Always check the full address that the email has come from – if it isn’t from @ the company they say, then it is a scam. This email is purporting to be from O2, but the email address gives it away as a scam:

Example of a fake email address


Be sceptical to avoid becoming a victim

Foreign offers are often fake, you probably aren’t due a rebate from HMRC, and it is unlikely a long-lost relative has left you money or is stuck in a compromising position in a foreign jail.

Scammers use emotion to try to make you click first and think later, so slow down in your response to surprising emails.

Does the email look right? Check spelling and grammar, capitalisation of words, resolution of logos and whether anything specific to you has been included. Phishing emails are designed quickly and sent in bulk, so use of language and design of the email can often be a giveaway. Go with your gut; if it seems suspicious, it's probably a scam.


Be careful what you click on and hover over links

Never click on links in a suspicious or unexpected email, even if it looks like a link to a safe website. If you hover your mouse over a link (don’t click!) it will reveal the true destination URL. If it isn't a URL you trust, don't click. If in doubt use Google to find the real website of the company, and provide required information that way.

The link in this phishing email looks like it goes to, but hovering over the link reveals a completely unrelated website:

example of a fake link

Some URLs will be very similar to the one they are mimicking, so it is important to be vigilant. The most important part of the web address is the text that comes immediately before the first / (excluding ‘http://’).

Examples of good URLs


Examples of bad URLs


This directs to, not


Again, this does to, as it is immediately before the first slash


Some websites do have things ahead of the web address, such as blog or help, but these must be separated by a dot. A hyphen, or anything else, will lead to another website


Don’t download unknown attachments

Clicking on attachments can download malicious software to seize control of your computer. Commonly scammers will encrypt your computer or whole network, locking away files and photographs until a ransom is paid.

Never click on unexpected attachments, even those sent from the actual email address of someone you know. Once hackers take control of an email address they will try to spread infection to anyone in their contact list. 


Use strong passwords

Every website now requires a long complicated password, and it can be tempting to take shortcuts and simply reuse passwords. Try not to do this.

A passphrase is a series of words, with or without spaces – you may find these can be easier to remember than a long string of characters. You can use free online generators to create your passphrase.

You can make stronger passphrases by adding numbers or characters in place of letters, and capitalising letters. So, infamous argument hatter becomes infa&ouS argu&3nT haTT3R

A password management programme can be useful to help maintain strong unique passwords without having to memorise endless combinations. LastPass is one example of a free password manager.

Find out more about how to choose a strong password


Enable two-factor authentication

For accounts with messaging functions, that could easily be used to spam or infect your contacts, consider using two-factor authentication (2FA) for extra security.

2FA requires a secondary key, other than a password, to log in. You probably already use 2FA when internet banking.

The large networking sites all have slightly different names for 2FA- Facebook login approval, Twitter login verification, LinkedIn two-step verification and Google 2-step verification – and most require you to enter a code sent to your phone to prove your identity. 


Check whether you have already been compromised

HaveIBeenPwned is a simple tool that allows you to check whether your account information has ever appeared in a large data breach. Use it to check both your work and personal email addresses, and change your passwords if your account has been compromised.

You can set up an automatic alert in case your account information ever appears online in the future– it won’t mean you don’t need to keep your password safe, but it may mean you have enough time to act to stay safe if your information is stolen.


Page last edited May 24, 2017 History

Help us to improve this page – give us feedback.