Don’t Take the Bait: How to Spot Fake Emails Before They Cost You Money

Cybercriminals are using fake utility-worker tricks to slip into your inbox—here is how to spot their digital disguises before they steal your business keys.

Published 2026-06-08

Imagine you are sitting in your office, halfway through a cup of tea, when a man in a high-visibility vest knocks on the door. He tells you he is from the local water board and there is a catastrophic leak down the street. He needs to run inside, turn off your stopcock, and check your pipes immediately.

Because he looks the part and sounds urgent, your instinct is to let him in. But if you are sensible, you hesitate. You ask for his ID card. You look out the window to see if there is an official utility van parked on the street. You might even call the water board directly to check if they actually sent someone.

You do this because you know that letting a complete stranger bypass your locks and wander around your business unsupervised is madness.

Yet, in the digital world, we let these strangers in almost every single day.

They don't knock on our physical doors wearing high-vis jackets. Instead, they slip quietly into our email inboxes. They pretend to be our banks, our courier services, our software providers, or even our own colleagues. They create a false sense of panic, point to a link, and ask us to run inside and fix a problem.

In the tech industry, this is called phishing (spelled with a 'ph' because, as we've established, tech people love to make simple things sound complicated). Strip away the name, and it is simply the digital equivalent of that fake utility worker trying to trick you into opening the front door.

Let’s look at how these scams actually work, why they are so incredibly successful, and how you and your team can spot them before they cost your business thousands of pounds.

The Scam Artist's Shortcut

When we think of cybercriminals, we tend to picture highly skilled programmers typing green code on black screens, bypassing firewalls, and cracking security databases.

But hackers are lazy. Why spend three months trying to crack a company's state-of-the-art encryption system when you can simply email the manager, pretend to be Microsoft, and ask them to type their password into a fake box?

It takes ten minutes, costs almost nothing, and works surprisingly often.

Phishing relies entirely on exploiting human psychology, not technical glitches. Scammers know that when we are busy, tired, or stressed, we make mistakes. They design their emails to trigger three specific human emotional responses:

  • Panic: "Your account has been suspended. Click here to reactivate it within 24 hours."
  • Greed or Relief: "You have an outstanding tax refund of £420 waiting for you. Claim it now."
  • Authority: "Hi, it's the Managing Director. I'm stuck in a meeting. Can you buy three £100 Amazon gift cards for a client and email me the codes?"

By bypassing our logical brains and hitting our emotional buttons, they trick us into handing over the keys to our business vaults without a fight.

Anatomy of a Phishing Attack: The Bait, Hook, and Sinker

To protect yourself, you need to understand how a typical phishing scam is put together. It almost always follows a three-step formula.

[ Step 1: The Bait ]   --> A highly realistic email (e.g., from "Netflix" or "HMRC")
         |
         v
[ Step 2: The Hook ]   --> "Your payment failed! Update details in 24 hours."
         |
         v
[ Step 3: The Sinker ] --> You click a link to a fake portal, type your login,
                           and hand your credentials straight to the hacker.

1. The Bait

The scammer sends an email that looks highly official. They steal the exact logos, colours, fonts, and email layouts of giant companies you probably use, like Microsoft, PayPal, Netflix, or HMRC. It looks perfectly legitimate at a glance.

2. The Hook

The email presents a scenario that requires immediate action. Usually, it’s a warning: your business billing has failed, a parcel couldn't be delivered to your office, or someone has tried to log into your account from another country. They want you to act fast so you don't stop to think.

3. The Sinker

There is a large, prominent button that says something like "Update Billing Info" or "Verify Identity." When you click it, you aren’t taken to the real website. Instead, you are taken to a highly realistic replica of the login page built by the hacker. The moment you type your username and password into that page, they have your login details.

How to Spot the Fakes (The Five-Second Checklist)

You do not need a computer science degree to defend your business against phishing. You just need to develop a habit of taking five seconds to inspect any email that asks you to click a link or download a file.

Here is your digital "utility worker ID check" checklist:

1. Look Beyond the Name (Inspect the Domain)

Anyone can set their email display name to say "Microsoft Support" or "Barclays Bank." But they cannot fake the actual email address it was sent from.

Always click or tap on the sender's name to reveal the full email address behind it.

The Fake: support@microsoft-billing-uk-99.com
The Real: support@microsoft.com

If the domain name after the @ symbol looks messy, contains random numbers, or uses a slight misspelling (like micros0ft with a zero), it is a scam. Delete it immediately.

2. The Hover Test

Before you click any link in an email, hover your mouse cursor over the button or link (or long-press it if you are on a smartphone). A tiny pop-up box will appear showing you the actual web address the link is pointing to.

If the email claims to be from DHL, but the hovered link points to www.random-web-address.ru/login, the link is a trap.
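
As an added illustration of checks 1 and 2 above (this is not code from the original article), here is a small Python script that applies both to a constructed sender header and HTML body: it compares the domain after the @ against a short, assumed allow-list of real brand domains, undoes digit-for-letter look-alikes such as micros0ft, and performs the hover test offline by comparing a link's visible text with where its href actually points.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brands the article names and the domains they really use.
# A defender would extend this with their own suppliers and software providers.
KNOWN_DOMAINS = {"microsoft": "microsoft.com", "dhl": "dhl.com"}

def unmask(label):
    """Undo common look-alike substitutions (micros0ft -> microsoft) before comparing."""
    return label.lower().translate(str.maketrans("0135", "olse"))

def check_sender(from_header):
    """Check 1: only the domain after the @ decides who sent it, not the display name."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    for brand, real in KNOWN_DOMAINS.items():
        claims_brand = brand in display.lower() or brand in unmask(domain)
        if claims_brand and domain != real:
            findings.append(f"sender claims {brand!r} but domain is {domain!r}, expected {real!r}")
    return findings

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the hover test done offline on the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):
    """Check 2: a link whose text names a brand must point at that brand's real domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, real in KNOWN_DOMAINS.items():
            if brand in unmask(text) and host != real and not host.endswith("." + real):
                findings.append(f"link {text!r} points to {host!r}, not {real!r}")
    return findings
```

Both functions return an empty list when nothing looks wrong, so they can be wired into a mail filter or a training exercise that shows staff exactly which part of the message gave the scam away.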

3. Forget the "Bad Grammar" Myth (AI Has Upgraded the Scammers)

Historically, security advice always told you to look out for spelling mistakes, clunky phrasing, or generic greetings like "Dear Valued Customer."

You need to throw that advice in the bin.

With the rise of AI writing tools like ChatGPT, scammers can now generate flawless, highly professional emails written in perfect, business-grade English. Even worse, they can feed your public LinkedIn profile into an AI tool to write a hyper-personalized email referencing your actual projects, colleagues, and tone of voice. A beautifully written, typo-free email is no longer proof of safety.

4. The Gift Card Trap & The Cloned Boss

Sometimes, scammers don't target massive groups of people; they target your business specifically. This is called spear phishing.

A common trick involves a hacker setting up a free Gmail address using your Managing Director’s real name. They email a junior member of the finance team with an urgent request to buy gift cards or approve a rapid bank transfer.

The Modern Twist: To make the trick highly believable, hackers are now combining these emails with AI voice cloning. An employee might hesitate after receiving the email, only to get a quick call or a WhatsApp voice note a minute later. The voice sounds exactly like their boss because the hacker used a 30-second audio clip from a company YouTube video or a podcast to clone it.

Modern Twists: Phishing is Leaving Your Inbox

Scammers have realised that we are starting to get quite good at spotting dodgy emails, so they are migrating to other platforms where our guard is down.

  • Workplace Chat Apps (Slack, Teams, and LinkedIn): We tend to assume that because we are "logged into work," anyone messaging us inside Microsoft Teams or Slack must be safe. Scammers are actively targeting these apps, pretending to be external contractors or clients, and sharing malicious links directly in the chat.
  • Smishing (SMS Phishing): You get a text message on your mobile phone pretending to be from EVRI, Royal Mail, or a toll road company, claiming you have a fee to pay before a package can be delivered. Because it arrives on your personal phone, it feels far more intimate and believable.
  • Quishing (QR Code Phishing): You walk up to a parking meter or sit down at a pub table, and there is a sticker with a QR code saying "Scan here to pay." Scammers frequently paste their own fake stickers over the real ones, redirecting your phone to a fake payment page that steals your card details.

What to Do If Your Team "Takes the Bait"

Despite your best efforts, mistakes will happen. A busy employee, rushing to finish their work on a Friday afternoon, will eventually click a link and type in their details.

If this happens, panicking or shouting at the employee won't help. You need to act fast to lock the doors:

  • Change the Password Instantly: If they typed their password into a fake portal, immediately log into the real portal and change that password to something entirely new and complex.
  • The 2FA Reality Check: If you have standard Two-Factor Authentication turned on (like receiving a text message code), it will stop basic hackers. However, as we discussed in our digital deadbolt article, clever scammers can now bypass SMS codes in real time. This is why transitioning your business towards Passkeys or physical hardware security keys is the ultimate way to keep the lock secure.
  • Notify Your Bank: If credit card or banking details were entered, call your bank's fraud department immediately to freeze the cards.
  • Report It: Most email software (like Outlook or Gmail) has a "Report Phishing" button. Clicking this trains the system to block that specific scammer from reaching anyone else in your company.

Building a Human Firewall

At the end of the day, you can purchase the most expensive cybersecurity software in the world, but your business's ultimate line of defence is your team's habits.

You don't need to scare your staff or turn them into paranoid tech experts. You just need to create a workplace culture where it is perfectly okay to pause, double-check a weird request, and ask questions.

The new golden rule of business communication is simple: Any unusual financial request, change of payment details, or urgent data request requires secondary confirmation via a completely separate, trusted channel. If your boss emails you asking for a rapid payment, pick up the phone and call their known number. If a supplier sends an invoice with new bank details, don't use the phone number printed on the invoice—use the one you have saved in your contacts.

A healthy dose of skepticism is completely free, and it is the single most powerful shield your business can ever have.

Need a bespoke software solution that prioritizes airtight data security?
Then get in touch and let's chat!
