How do I spot a phishing email?

Phishing emails have become very convincing. Here is how to tell a real one from a fake, with the red flags we see most often in homes across Durham Region.

Quick Answer

If an email uses urgent language, asks you to click a link and type in a password or card number, or comes from an address that looks slightly wrong, treat it as fake. When in doubt, do not click anything. Go directly to the company's real website or app, the way you normally would.

If you have received an email that is making you worry, or you already clicked something you now regret, please do not feel silly. These emails fool clever people every day. Give us a call and we can check it together.

Real email versus phishing email

Here are two side-by-side examples of the same kind of message. One is how a legitimate email from a real company usually looks. The other is what a phishing email looks like, using the same pretend situation. The differences are small but important.

  • Real: delivery notification

    From a consistent sender address you recognise. Uses your name. Has no password prompts. Any link goes to the courier's normal website. Does not threaten to "destroy the parcel" if you do not act in two hours. Usually has an order number you can look up on the courier's real site.

  • Fake: delivery notification

    Sender address has random numbers or is from a free email service. Greets you as "Dear Customer". Says a small fee (often $1.99) must be paid "to reschedule delivery". The link leads to a page asking for your full card details. There is no parcel. There is no fee. It is a scam.

  • Real: bank notification

    Uses your name. Tells you about activity but does not ask you to log in through a link in the email. Instead it tells you to open the bank's own app or go to its website as usual. Never asks for your full password, full card number, or PIN by email. Banks have their own secure messaging.

  • Fake: bank notification

    Warns that your account has been "temporarily suspended" or "limited due to unusual activity". Urges you to click a button to "confirm your identity". The button leads to a fake login page that looks like your bank. Once you type the password, the scammer has it. Real banks do not work this way.

Worried about an email right now?

If you are staring at something that makes you uneasy, do not click anything. We can come and check it together. Ajax, Pickering, Whitby and Oshawa.


The six red flags we see most often

If you spot two or more of these in the same email, treat it as a scam until proven otherwise.

Urgency and threats

"Act within 24 hours or your account will be closed". Real companies do not talk like this. The urgency is designed to make you react before you think.

Strange sender address

The name says one thing (like your bank) but the email address is a string of random characters, a free Gmail address, or a slightly misspelled company name. Always check the actual address, not just the name.

Generic greeting

"Dear Customer" or "Dear User" when the real company would use your name. Not always a giveaway, but it should raise your guard.

A link that looks odd

On a computer, hover your mouse over the link without clicking. The real web address will pop up in the bottom corner. If it does not match the company it claims to be from, do not click it.

Spelling and grammar mistakes

Big companies pay people to proofread their emails. A message from "Serurity Department" or with clumsy wording is almost always a scam.

Asking for passwords or card details

This is the biggest one. No legitimate company will ever email you asking for your full password, full card number, or your mother's maiden name. If you see this, stop reading and delete the email.
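
For readers who sort suspicious mail for family or a small office, here is the "two or more red flags" rule as a small checker. It is an added example, not a tool we supply: the message is constructed, bank.example is a placeholder for the company's real domain, and the phrase lists are illustrative assumptions. It covers five of the six flags, since spelling needs a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email); all domains are placeholders.
SAMPLE = """\
From: "Example Bank" <secure-8841@freemail.example>
To: you@home.example
Subject: Account temporarily suspended
Content-Type: text/html

<p>Dear Customer,</p>
<p>Act within 24 hours or your account will be closed.</p>
<p>Confirm your password at
<a href="http://bank-example.verify-login.example/signin">https://www.bank.example/login</a></p>
"""

# Illustrative phrase lists (assumptions), one per wording-based red flag.
PHRASES = {
    "urgency and threats": r"within \d+ hours|temporarily suspended|will be closed",
    "generic greeting": r"dear (customer|user)",
    "asks for passwords or card details": r"password|card number|\bPIN\b|maiden name",
}
HREF = re.compile(r'href="(https?://[^"]+)"', re.I)

def off_brand(host, brand):
    """True when host is neither the brand's domain nor a subdomain of it."""
    host = host.lower()
    return host != brand and not host.endswith("." + brand)

def red_flags(raw, brand):
    """Return the set of the guide's red flags found in one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + body
    flags = set()
    # Check the actual address, not the display name in front of it.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if off_brand(sender, brand):
        flags.add("strange sender address")
    # What hovering reveals: the real target, whatever text the link shows.
    if any(off_brand(urlparse(u).hostname or "", brand) for u in HREF.findall(body)):
        flags.add("link that looks odd")
    flags.update(n for n, p in PHRASES.items() if re.search(p, text, re.I))
    return flags

def looks_like_scam(raw, brand):
    # The guide's rule: two or more red flags means treat it as a scam.
    return len(red_flags(raw, brand)) >= 2
```

Calling red_flags(SAMPLE, "bank.example") reports all five checked flags. Note that the link's visible text shows the real bank address while its target goes somewhere else, which is exactly what hovering is meant to catch.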

What to do if you are not sure

Do not click anything in the email, not even the "unsubscribe" link at the bottom. If the message claims to be from a company you actually use, open a fresh browser window or use the company's app and check your account directly. If there really is an issue, it will also show up there. If nothing is wrong in the app, you can safely assume the email was fake and delete it.

If you are really unsure, forward the email to us or show it to us during a visit. Checking a suspicious email together is something we help with as part of our online safety tuneup, and it is also one of the first things we cover during scam recovery visits.

What to do if you already clicked

Stay calm. If you clicked the link but did not type anything in, you are very likely fine. Close the page. Run a virus scan if you are on a computer. If you did type a password, change it straight away on that account, and change it anywhere else you use the same password. If you typed card details, phone your bank straight away using the number on the back of the card. Our scam recovery guide walks through the full steps.

Get help today

We help Durham Region homes recover from phishing, lock down accounts, and set up protection against the next one. Honest advice, no lectures.


FAQ

Common questions about phishing emails

What is a phishing email?

A phishing email is a fake message designed to trick you into giving away a password, clicking a dangerous link, or handing over money. It pretends to be from a company you trust, like your bank, a delivery service, or a streaming site.

I clicked a link in a suspicious email. What should I do?

Clicking the link alone is usually not the end of the world. What matters is what happened next. If you did not type any passwords or card details on the page it took you to, you are almost certainly fine. If you did, we can walk you through the recovery steps during a visit.

How can I check if an email is really from my bank?

Never use the contact details in the email itself. Instead, call your bank using the phone number printed on the back of your card, or log in using the bank's app or website you normally use. That way you are going directly to the real bank rather than to whoever sent the message.

Worried about an email you just got?

Do not click anything. We will check it with you and take the stress out of the situation.