For years, the standard advice for spotting scam emails was simple: look for bad spelling, clumsy grammar, and odd formatting. That advice is now dangerously out of date. Scammers use AI tools to write emails with perfect grammar, accurate branding, and a tone that sounds exactly like a real bank, a real delivery company, or a real government department. The National Cyber Security Centre has flagged a significant rise in campaigns impersonating HMRC, high-street banks, and NHS services — and they don't look amateurish any more.
So what actually works? A handful of checks that don't depend on the scammer making mistakes — because increasingly, they don't.
Check the real sender address, not the display name
This is the single most reliable check, and the one most people never do. Every email shows a friendly display name — "HMRC", "Your Bank", "Royal Mail" — but the actual sending address underneath can be anything. Scammers set the display name to whatever they like.
On most phones and email apps, tapping the sender's name reveals the real address. A genuine HMRC email comes from an address ending in gov.uk. A scam version comes from something like noreply@hmrc-secure-alert.info — designed to look plausible at a glance, but not the real domain.
The rule to teach: the words before the @ mean nothing; what matters is what comes after it, right at the end. "security@barclays-verification.com" is not Barclays. "barclays.co.uk" is.
Never trust a link — preview it or skip it
Links in scam emails lead to clone websites that look pixel-perfect and exist only to capture whatever's typed into them. Two safe habits:
On a computer, hovering the mouse over a link (without clicking) shows the true destination in the corner of the screen. If an email claims to be from the NHS but the link points somewhere unrelated, that's the answer.
The safer habit for everyone, and especially for a parent who finds hovering fiddly: don't use links in emails at all for anything involving accounts or money. If an email says "your account needs attention," go to the website directly — type the address, use a saved bookmark, or use the official app. If the account genuinely needs attention, it'll say so there. This one habit defeats nearly every phishing email ever sent, with zero judgement calls required.
Be suspicious of the story, not just the email
Because the presentation is now flawless, the tell is usually in what the email is asking for. The same pressure patterns come up in almost every scam email:
- A deadline with a consequence. "Your account will close on 16 May." "Your points expire in 2 days." Real organisations rarely operate this way; scammers always do.
- A reward that needs claiming. Unclaimed loyalty points, a tax refund, an overpayment being returned — anything where clicking is framed as being in your interest.
- A request to "confirm" or "verify" details the organisation should already have. Your bank does not need you to confirm your account number by email.
- An unexpected attachment. Genuine organisations very rarely send unprompted attachments. A PDF "regarding your account" from an unexpected email is a reason for more caution, not less.
Current examples of all of these are circulating right now: fake Microsoft emails claiming accounts will close due to inactivity, supermarket loyalty-point expiry scams, and fake HMRC refund emails. The brands rotate; the patterns don't. It's the same playbook we covered in spotting scam texts — and increasingly the same scam arrives by email, text, and phone call together, each channel "confirming" the others.
How to check an email with a parent, in three steps
- Ask what it's asking them to do. Click, pay, reply, call, open an attachment? If the answer is "nothing" — it's informational and asks nothing — the risk is low. Everything that asks for an action deserves the next two steps.
- Check the real sender address together. Tap the name, look at the domain after the @. This takes ten seconds and is the closest thing to a definitive answer.
- Do the task the safe way instead. Whatever the email wants — checking an account, claiming a refund, rearranging a delivery — do it by going to the official website or app directly. If it's real, it'll be there.
Where to report scam emails
Suspicious emails can be forwarded to report@phishing.gov.uk — the National Cyber Security Centre's reporting service, which investigates and takes down scam addresses and websites. It's free, takes a minute, and genuinely reduces the volume of scams in circulation. Emails impersonating HMRC specifically can go to phishing@hmrc.gov.uk.
If details have already been entered on a fake site, the priority order is: bank first (using the number on the back of the card), then passwords (starting with email, since it unlocks everything else — our password guide covers this), then a report to Action Fraud on 0300 123 2040.
Someone to read it with, every time
All of this works — but only when someone actually pauses to check, and the entire design of a scam email is to prevent that pause. Ivy by WorryLess gives your parent someone to check with, every time: a voice-first assistant they can read the email to, in their own words, and get a calm plain-English answer about what it's really asking for and whether the safe move is to ignore it, report it, or go to the official website instead.
If this sounds like something your parent could use, Ivy by WorryLess is now in early access. Find out more.