top of page

Why it's helpful to forward phishing emails (but only to one email address!)

We wanted to share a crucial section of our security awareness training as it’s so important to protect yourself, your colleagues, and your business. Reporting phishing attempts is essential for monitoring the scale of the crime, bringing criminals to justice, and protecting yourself and your business.

What is phishing?

Cyber-attacks and scams can be conducted in all manner of ways, such as via text messages, emails, social media, or phone calls, but the term 'phishing' is used to describe attacks by email. The aim is often to make you visit a website, which may download a virus onto your computer, and steal bank details, or other valuable personal information. Phishing emails can reach millions of users directly and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware, sabotage systems, or steal intellectual property and money.

Phishing emails can hit an organisation of any size and type. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like stealing sensitive data. In a targeted campaign, the attacker might use information about your employees or company to make their messages even more persuasive and realistic, such as pretending to be someone in your company such as ‘accounts’.

How can I spot a phishing email?

Phishing emails are designed to imitate legitimate individuals and organisations, they can be difficult to identify at first glance. Here are some common warning signs to watch out for:

The sender’s email address is not associated with a legitimate domain name

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. The domain should match the name of the organisation the email claims to come from. For instance, if all email addresses from Legitimate Internet Company are formatted as “,” a counterfeit email might be sent from a similar-sounding address like

Legitimate companies don’t request your sensitive information via email

The chances are if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.

The email does not pass SPF, DKIM, or DMARC checks

Three DNS records — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) — are used to authenticate the origin of an email. When an email message does not pass one or more of these checks, it’s often marked as spam or not delivered to its intended recipient. For this reason, it’s uncommon to find legitimate emails in spam folders.

A generic greeting is used in place of a name

Words like “customer,” “account holder,” or “dear” may be a sign that the email is part of a mass phishing attempt, rather than a personal message from a legitimate sender.

The body message is full of errors

Poor grammar, spelling, and sentence structure may hint that an email is not from a reputable source.

There is a time limit or uncharacteristic sense of urgency

Phishing emails often generate a false sense of urgency to convince users to act immediately. For instance, they may promise a gift card if the user responds within 24 hours or allege a data breach to get the user to update their password. It’s rare for these tactics to be tied to real deadlines or consequences, as they’re intended to overwhelm a user into acting before they become suspicious or ask someone for help.

Links in the body message do not match the sender’s domain

Most legitimate requests will not direct users to a website that is different from the sender’s domain. By contrast, phishing attempts often redirect users to a malicious site or mask malicious links in the email body.

So, who should I send it to?

If you have received an email which you’re not quite sure about, forward it to Sometimes a forwarded email may not reach them because it’s already recognised by spam detection services. You can also take a screenshot of the email and send it to them. You can even forward text messages to 7726 in the same way.

Send any emails that feel suspicious, even if you're not certain they're a scam. It’s important to not click on any links in a suspicious email, and you don’t need to forward the suspicious emails you find in your spam/junk folder.

The NCSC will analyse the suspicious email and any websites it links to. They’ll use any additional information you’ve provided to look for and monitor suspicious activity. If they discover activity that they deem to be malicious, they may:

  • seek to block the address the email came from, so it can no longer send emails.

  • work with hosting companies to remove links to malicious websites.

  • raise awareness of commonly reported suspicious emails and methods used.

Whilst the NCSC is unable to inform you of the outcome of its review, they act upon every message they receive.

Why should I report phishing scams?

The National Cyber Security Centre (NCSC) is a UK government organisation that has the power to investigate and take down scam email addresses and websites. Reporting a scam is free and only takes a minute. By reporting phishing attempts, you can:

  • reduce the number of scam communications you receive.

  • make yourself a harder target for scammers.

  • protect others from cybercrime online.

Make yourself a hard target and get trained in security awareness today. Contact us to learn more.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page