How to spot scam emails and calls

HM Revenue and Customs have reported that 170,000 scam referrals were made to them in the year to July 2025. Encouragingly, this is a 12% reduction on the previous year, however HMRC are warning taxpayers to take care.

Whether it’s emails pretending to be from HMRC, from your bank or from someone else, phishing scams are becoming harder to spot. They’re no longer just poorly worded emails full of spelling mistakes. Many now look professional, use company logos, and even include QR codes to try to trick you into clicking links or handing over details.

For small business owners, falling for a phishing attempt can mean more than inconvenience - it could lead to stolen funds, lost data, or serious reputational damage. The good news is that the National Cyber Security Centre (NCSC) provides clear guidance on the signs to look out for.

Common red flags

Scam messages (whether email, text or phone call) usually try to make you act quickly without thinking. Watch out for these tell-tale tactics:

• Authority: The message pretends to come from someone official (bank, HMRC, solicitor, or even your IT provider). Criminals pretend to be authority figures to pressure you into doing what they want.
• Urgency: “Act now or your account will be closed!” If you’re told to respond immediately or are threatened with fines or other negative consequences, it’s often a scam.
• Emotion: Fear (“you owe money”), excitement (“you’ve won a prize”), or curiosity (“see your confidential report”). Emotional triggers make you click without pausing.
• Scarcity: Offers of something “in short supply” - cheap tickets, limited-time tax refunds, or medical “cures”.
• Current events: Criminals exploit tax season, major sporting events, or big news stories to make scams look more believable.

How to check If a message is genuine

If something about a message doesn’t feel right to you, stop and don’t click any links or open attachments.

Check the contact details in the message against the organisation’s official website (not the ones given in the suspicious message).

It’s also good to remember that your bank or HMRC will never ask you to confirm account details or passwords over email or text.

If it’s a phone call purporting to be from your bank, simply hang up and use the official number from your bank statement or credit card.

Make yourself a hard target

With a few simple steps you can significantly reduce your risk and make it more difficult for scammers. You can:

• Think about what personal information is posted about you online, as criminals may use this to make their messages seem more convincing. Check your privacy settings within your social media accounts so that you’re not sharing information more widely than you intended.

• If you have staff, train them on how to recognise scam messages.
• Use multi-factor authentication (e.g. login codes sent to your phone) for all your online accounts.
• Keep devices updated with the latest security patches.

Final thought

Phishing scams rely on speed and pressure. If you stop, take a breath, and double-check, you greatly reduce the chance of falling victim..

See: https://www.ncsc.gov.uk/collection/phishing-scams/spot-scams