Clicked on a Phishing Link on Android? Do This Immediately

You’ve just clicked on a phishing link on your Android phone, and that sinking feeling hits immediately. Whether it arrived via SMS, WhatsApp, or email, you’re now wondering: can you get a virus from clicking a link on Android, and what happens next? Take a deep breath. Your Android isn’t instantly compromised, and you can fix this.

The actions you take in the next five minutes are critical. This isn’t a lecture about what phishing is—it’s an emergency response protocol. We’ve structured this guide specifically for Android users, covering both Samsung OneUI and stock Android devices, to help you neutralise the threat, check for hidden downloads, and secure your data immediately. This article will show you exactly what to do now, how to check for damage, and how to prevent future attacks.

Quick Emergency Response (Do This First)

If you’ve just clicked a suspicious link on your Android device, follow these six steps immediately:

Emergency Protocol:

1. Enable Airplane Mode immediately (swipe down from the top, tap Airplane Mode icon).
2. Force stop your browser (Settings > Apps > [Browser Name] > Force Stop).
3. Don’t enter any information if a phishing page is still visible on your screen.
4. Check your Downloads folder for suspicious .apk files using Files by Google or Samsung My Files.
5. Run a malware scan using Google Play Protect (Settings > Security > Google Play Protect).
6. Change passwords on a different device if you entered any credentials or personal information.

Read the complete guide below for detailed instructions with device-specific screenshots and UK reporting procedures.

You Clicked on a Phishing Link on Android: What Happens?

Understanding what actually happens when you click on a phishing link helps you respond appropriately. Modern Android security architecture makes it difficult—but not impossible—for malware to install automatically. Android’s sandboxed app environment means that simply tapping a link typically won’t compromise your entire device.

However, sophisticated phishing attacks use two primary methods to cause harm:

1. Drive-by Downloads: Some phishing links attempt to install malicious .apk files directly to your Downloads folder without providing obvious notification. These files can’t install themselves—Android requires explicit user permission—but they sit waiting for you to open them accidentally. This is particularly common with phishing SMS messages claiming to be from delivery services or banks.
2. Active Credential Theft: The more immediate danger comes from fake login pages that mimic legitimate websites. If the phishing link directed you to a page requesting your Google account password, banking credentials, or payment card details, and you entered that information, cybercriminals now have direct access to those accounts. This scenario requires immediate action beyond basic device security.

According to the Department for Digital, Culture, Media & Sport’s 2024 Cyber Security Breaches Survey, phishing remains the most common cyber attack vector in the UK, with 79% of businesses and 83% of charities experiencing phishing attempts in the past year. Mobile phishing—particularly via SMS (called “smishing”)—has increased 48% since 2022, making Android users a primary target.

The good news: if you clicked a phishing link but immediately closed it without downloading anything or entering information, your risk level is relatively low. The following steps will help you verify your device’s security and protect your accounts.

Step 1: Disconnect From the Internet Immediately

Severing your internet connection is the first and most critical step after clicking on a phishing link. The moment you tap a malicious link, the website may attempt to communicate with a “Command and Control” (C2) server. This server can send malicious scripts to your device, record your IP address and location, or initiate background file downloads.

While turning off Wi-Fi might seem sufficient, Android devices typically switch seamlessly to mobile data (4G/5G) when Wi-Fi is disconnected. This automatic failover maintains the connection to potential threats, allowing malware to continue communicating or downloading.

The correct action: Enable Airplane Mode

Pull down your Quick Settings panel by swiping down from the top of your screen. On most Android devices, you’ll need to swipe down once for notifications and twice for the full Quick Settings panel. Tap the Airplane Mode icon (it looks like an aeroplane). Ensure the icon lights up or changes colour to indicate it’s active.

Airplane Mode disables all wireless communications simultaneously:

1. Wi-Fi connections.
2. Mobile data (4G/5G).
3. Bluetooth (preventing local device pairing attempts).
4. NFC (Near Field Communication).
   • For Samsung Galaxy users: The Airplane Mode icon appears in the first row of Quick Settings icons. On Galaxy S24, S23, A54, and similar devices, it’s typically positioned in the top-left corner alongside Wi-Fi and Bluetooth.
   • For Google Pixel users: The Airplane Mode toggle appears in the Internet tile. Tap “Internet,” then toggle “Airplane mode” at the bottom of the menu. Alternatively, press and hold the power button, then tap the Airplane Mode icon.

Important note: If you need to read this guide while fixing your phone, consider opening this page on a secondary device (such as a laptop, tablet, or your partner’s phone). If you must use the affected phone, turn Wi-Fi back on specifically through Settings > Network & Internet > Wi-Fi, but keep Mobile Data disabled. This prevents potential carrier-billing scams whilst allowing you to follow the steps.

Step 2: Force Stop Your Browser (Critical Step)

Closing the browser tab isn’t enough. Phishing links often utilise malicious JavaScript loops or “browser lockers” that prevent users from leaving the page. Even after you close the app, these scripts can remain cached in your device’s temporary files, waiting to reload the next time you open your browser.

When you close a browser tab on Android, the app itself continues running in the background. Malicious JavaScript can persist in your device’s RAM, potentially continuing to communicate with phishing servers, monitoring your clipboard for copied passwords, or attempting to download additional malware. Force Stop terminates the entire browser process, ensuring no scripts continue running. It’s the equivalent of a complete shutdown, not just minimising a window.

For Google Chrome Users (Pixel, Motorola, OnePlus, Sony)

Chrome is the default browser on most Android devices running stock Android or near-stock versions.

1. Open Settings from your app drawer or notification shade.
2. Scroll down and tap Apps (may be labelled “Apps & notifications” on older Android versions).
3. Tap See all apps if you see a shortened list.
4. Scroll down and tap Chrome.
5. Tap Force Stop (located at the bottom of the screen or in the top menu).
6. Confirm by tapping OK in the dialogue box.
7. Now tap Storage & cache.
8. Tap Clear cache (this removes temporary files without deleting saved passwords).
9. Optional but recommended for serious threats: Tap Manage Space, then Clear All Data.

Warning about Clear All Data: This action signs you out of all websites and removes saved passwords stored in Chrome. However, it’s the only way to guarantee the malicious tab is completely obliterated from your device. If you use Google Password Manager, your passwords will sync back after signing in again.

For Samsung Internet Browser Users (Galaxy S24, A54, Z Fold, etc.)

Samsung devices default to Samsung Internet, which has a different menu structure due to One UI’s interface design.

1. Open Settings (swipe down and tap the gear icon, or find it in your app drawer).
2. Scroll down and tap Apps.
3. Tap the three-dot menu icon (top right) and select Show system apps if Samsung Internet isn’t visible.
4. Scroll down and tap Samsung Internet.
5. Tap Force Stop (located at the bottom right of the screen).
6. Confirm by tapping OK.
7. Tap Storage.
8. Tap Clear cache.
9. For serious threats: Tap Clear data, then confirm.

Critical additional step for Samsung Internet: After force-stopping, open the browser again whilst still in Airplane Mode. If the malicious tab attempts to load, tap the Tabs icon at the bottom of the screen (which displays the number of open tabs), then tap the three-dot menu and select “Close all tabs.” This ensures no session data remains.

For Firefox, Brave, and Other Alternative Browsers

The process is identical to Chrome:

1. Settings > Apps > [Browser Name] > Force Stop.
2. Clear cache via Storage & cache.
3. Consider clearing all data if you entered credentials on the phishing site.

Why Force Stop matters: The National Cyber Security Centre (NCSC) identifies browser-based malware persistence as a common technique in Android phishing attacks. Background processes can continue executing malicious code even after you think you’ve closed the threat. Force Stop guarantees termination.

Step 3: Check for Silent Downloads (The Hidden Threat)

This is the step most safety guides miss. Sophisticated phishing attacks use “drive-by downloads”—small files pushed to your device’s storage without noticeable notification. You might not have seen a download notification bar, but a malicious file (usually an .apk, .zip, or disguised .pdf) could be waiting in your Downloads folder.

If you don’t open the file, you’re usually safe. Android’s security model prevents apps from installing themselves without explicit user permission. However, leaving malicious files on your device creates an ongoing risk. Cybercriminals use social engineering tactics to trick users into opening these downloads later, perhaps through follow-up phishing messages that reference the “update” or “security scan” they’ve supposedly sent.

How to Audit Your Files

1. On Google Pixel, Motorola, and Stock Android Devices:
   • Open the Files by Google app (pre-installed on most devices; if missing, download it from Google Play Store).
   • Tap the Downloads category on the home screen.
   • Look carefully at files added in the last 24 hours.
   • Sort by “Last modified” to see the most recent files first.
2. On Samsung Galaxy Devices:
   • Open My Files app (found in the Samsung folder in your app drawer).
   • Tap Downloads from the categories list.
   • Tap the three-dot menu (top right) and select “Sort by”.
   • Choose “Date” to see the most recent downloads first.

Identifying Suspicious APK Files and Malware

1. Red flags to watch for:
   • Files ending in .apk (Android Package files) that you didn’t intentionally download.
   • .zip or .rar archive files with generic names like “update.zip” or “security_patch.zip”.
   • Files with double extensions like invoice.pdf.exe or photo.jpg.apk (attempting to disguise the real file type).
   • Generic filenames such as:
     • “system_update.apk”.
     • “google_security.apk”.
     • “flash_player.apk” (Flash is defunct and never worked properly on Android).
     • “codec_update.apk”.
     • Any file with “antivirus,” “cleaner,” or “optimiser” in the name.
   • Files downloaded immediately after clicking the suspicious link.
2. What to do if you find suspicious files:
   • Long-press the suspicious file.
   • Tap Delete (Samsung) or the trash bin icon (Google Files).
   • Go to the Bin or Trash folder in your Files app.
   • Tap Empty Trash or Delete all to permanently remove the files.

Critical warning: Do NOT open suspicious files “just to check what they are.” Opening an .apk file initiates the installation process. Even if you cancel the installation, some sophisticated malware can exploit vulnerabilities during the initial parsing stage.

Checking “Install Unknown Apps” Permissions

Android’s security settings prevent apps from installing software from sources outside the Google Play Store by default. However, malware often attempts to trick users into enabling this permission. Checking these settings ensures no unauthorised permissions were granted during the phishing incident.

Navigation path for all Android devices:

1. Open Settings.
2. Tap Apps (or “Apps & notifications”).
3. Tap the three-dot menu (top right) and select Special app access.
4. Tap Install unknown apps.
5. Review the list of apps shown.

What you should see: Most apps should display “Not allowed” next to them. Your web browser (Chrome, Samsung Internet, Firefox) should definitely show “Not allowed.”

If your browser shows “Allowed”:

1. Tap the browser name.
2. Toggle Allow from this source to OFF.
3. Repeat for any other apps showing “Allowed” that you don’t recognise.

Legitimate apps that might need this permission include:

1. Samsung Galaxy Store (on Samsung devices).
2. Amazon Appstore (if you use Amazon services).
3. F-Droid (if you’re an advanced user who uses open-source apps).

Any other app with this permission enabled should be investigated immediately and may need to be uninstalled.

Step 4: Assess the Damage (Did You Enter Information?)

Your response strategy depends on whether you simply clicked the link or actually provided information to the phishing site. This section helps you determine your risk level and take appropriate action.

Scenario A: You Only Clicked the Link (Low Risk)

If you immediately closed the page without entering any information, downloading files, or granting permissions, your risk level is relatively low. Modern Android security makes it difficult for passive attacks to succeed without user interaction.

Your action plan:

1. Complete Steps 1-3 above.
2. Proceed to Step 5 (malware scanning).
3. Monitor your accounts for 48 hours.
4. Watch for unusual notifications or unexpected app behaviour.

Scenario B: You Entered Credentials or Personal Information (High Risk)

If you typed in any of the following on the phishing site, immediate action is required:

1. Email address and password.
2. Banking login credentials.
3. Credit or debit card numbers.
4. Card CVV codes.
5. National Insurance number.
6. Date of birth.
7. Home address.
8. Security question answers.

Immediate actions required:

1. Change passwords on a different device: Do NOT change passwords on the affected Android phone until you’ve completed all security steps. Use a laptop, desktop computer, or a trusted friend’s device. Start with the most critical accounts:
   • Email account (if compromised, attackers can reset other passwords).
   • Banking and financial accounts.
   • Amazon, PayPal, or other payment platforms.
   • Work-related accounts.
   • Social media accounts (used for identity verification).
2. Create strong, unique passwords: Each account needs a different password. Consider using a password manager like:
   • Bitwarden (free tier available, £8.29/year for premium).
   • 1Password (£2.99/month, family plan £4.99/month).
   • NordPass (£1.29/month on 2-year plan).
     • These prices are current as of November 2025 and include VAT.
3. Enable two-factor authentication (2FA): Add an extra security layer to prevent unauthorised access even if passwords are compromised. Use authenticator apps like:
   • Google Authenticator (free).
   • Microsoft Authenticator (free).
   • Authy (free).
     • Avoid SMS-based 2FA when possible, as SIM-swapping attacks can bypass this protection.
4. The “Sign Out of All Devices” Protocol:
   • For Google accounts:
     • Visit myaccount.google.com on a trusted device.
     • Click “Security” in the left menu.
     • Scroll to “Your devices”.
     • Click “Manage all devices”.
     • Sign out of any unfamiliar devices.
     • Change your password immediately.
   • For Microsoft accounts:
     • Visit account.microsoft.com/security.
     • Click “Sign-in activity”.
     • Review recent activity.
     • Click “Sign out everywhere” if you see suspicious activity.

Scenario C: You Entered Payment Card Information (Critical Risk)

If you provided credit card, debit card, or bank account details, financial fraud is imminent. Cybercriminals often test stolen card details within minutes of obtaining them.

Immediate financial protection steps:

1. Contact your bank immediately using the number on the back of your card (NOT a number from the phishing message). Most UK banks have 24/7 fraud departments:
   • Barclays: 0800 400 100
   • HSBC: 0800 085 2401
   • Lloyds: 0800 096 9779
   • NatWest: 0800 014 2955
   • Santander: 0800 9 123 123
2. Request card replacement: Your bank will cancel the compromised card and issue a new one. This typically takes 3-5 working days.
3. Freeze or lock the card: Most banking apps allow instant card freezing while you wait for a replacement. Look for “Card controls” or “Freeze card” in your mobile banking app.
4. Check recent transactions: Review the last 7 days of activity for unauthorised charges. Banks typically refund fraudulent transactions made after you report the compromise.
5. Report to Action Fraud: Contact the UK’s national fraud reporting centre:
   • Online: https://www.actionfraud.police.uk
   • Phone: 0300 123 2040 (Monday-Friday, 8 am-8 pm)
   • Have ready: Date and time of phishing incident, phishing message details,and financial loss amount
6. Monitor your credit report: Sign up for credit monitoring through:
   • Experian (free basic service)
   • Equifax (free statutory report)
   • TransUnion (free basic service)
7. Watch for unauthorised credit applications or accounts opened in your name over the next 3-6 months.
8. For business accounts or large sums: If the compromised credentials relate to business banking or involve significant amounts, consider contacting the Information Commissioner’s Office (ICO) as this may constitute a data breach requiring formal reporting:
   • ICO helpline: 0303 123 1113
   • Online: ico.org.uk/make-a-complaint

Step 5: Scan Your Android Device for Malware

After completing the containment steps, scanning for malware provides crucial verification that no malicious software was installed during the phishing incident. Android malware has evolved significantly, with modern variants employing sophisticated techniques to evade detection by users and security software.

Using Google Play Protect (Built-in Security)

Google Play Protect is Android’s native malware scanner, built into all devices with Google Play Services. It scans apps when you install them and performs periodic background scans of your entire device.

1. How to run a manual scan:
   • Open Settings.
   • Scroll down and tap Security (may be “Security & privacy” on newer Android versions).
   • Tap Google Play Protect (near the top of the Security menu).
   • Tap the Scan button (circular arrow icon).
   • Wait for the scan to complete (typically 1-3 minutes).
2. What the results mean:
   • “No harmful apps found”: Your device passed the scan. Continue monitoring for 48 hours.
   • “Harmful app detected”: Google Play Protect will offer to remove the app. Tap “Uninstall” immediately.
   • “Harmful app can’t be removed”: Some malware grants itself Device Administrator privileges, preventing removal. See the next section for resolution.
3. Samsung Galaxy users: Samsung adds an additional layer called “Device care” that includes malware scanning:
   • Open Settings > Battery and device care.
   • Tap Device protection.
   • Tap Scan phone.
   • Review results.

This Samsung-specific scanner complements Google Play Protect and may catch threats that Google’s scanner misses.

Third-Party Security Apps (Optional Enhanced Protection)

While Google Play Protect provides adequate protection for most users, third-party security apps offer additional features, such as web protection, Wi-Fi security scanning, and more aggressive malware detection.

Recommended security apps for Android:

1. Malwarebytes for Android
   • Price: Free (basic), £11.99/year (premium).
   • Features: Malware scanner, privacy audit, link checker.
   • Why it’s trustworthy: Established cybersecurity company with transparent detection methodologies.
   • Download: Google Play Store (official source only).
2. Avast Mobile Security
   • Price: Free (with ads), £14.99/year (premium removes ads).
   • Features: Malware scanner, Wi-Fi security check, VPN (premium).
   • UK context: UK-based support team, GDPR-compliant.
   • Download: Google Play Store.
3. Bitdefender Mobile Security
   • Price: £12.49/year.
   • Features: Real-time protection, web protection, VPN (200MB/day).
   • Why it’s effective: Consistently high detection rates in AV-TEST evaluations.
   • Download: Google Play Store.

Critical warning about fake security apps

The Google Play Store contains numerous fake “antivirus” apps that are actually malware or adware themselves. Only download security apps from established companies with verifiable track records. Never install security apps from:

1. Direct .apk downloads from websites.
2. Apps with generic names like “Super Antivirus Cleaner”.
3. Apps with fewer than 1 million downloads.
4. Apps with poor English in descriptions.

Advanced Check: Accessibility Services Audit (Critical for Banking Trojans)

Sophisticated Android malware—particularly banking trojans targeting UK users—often hijacks Accessibility Services. This Android feature, designed to help users with disabilities, grants extraordinarily powerful permissions when exploited by malware.

Once malware gains accessibility permissions, it can:

1. Read everything displayed on your screen, including passwords typed in other apps.
2. Perform actions on your behalf, such as approving bank transfers or confirming payments.
3. Intercept two-factor authentication codes sent via SMS.
4. Prevent itself from being uninstalled by intercepting your uninstall attempts.
5. Grant itself additional permissions without your knowledge.

The NCSC has identified accessibility permission abuse as a growing Android malware tactic in 2024-2025, particularly in banking trojans targeting UK financial institutions.

1. How to audit Accessibility Services:
   • Open Settings.
   • Scroll down and tap Accessibility.
   • Look under “Downloaded apps” or “Installed services”.
   • Review every app listed carefully.
2. Red flags that indicate malware:
   • Apps with generic, system-sounding names:
     • “System Update Service”.
     • “Security Manager”.
     • “Google Play Services” (note: the legitimate Google Play Services doesn’t appear here).
     • “Device Manager”.
     • Any name with “Update,” “Security,” “System,” or “Manager”.
   • Apps you don’t recognise or didn’t install.
   • Apps that aren’t obviously accessibility-related (screen readers, magnifiers, etc.).
   • Recently added services that appeared after the phishing incident.
3. If you find suspicious entries:
   • Tap the suspicious app name.
   • Toggle OFF immediately.
   • Press your device’s back button to return to Settings.
   • Navigate to Settings > Apps.
   • Find the suspicious app in your full apps list.
   • Tap Uninstall.
4. If the Uninstall button is greyed out: The malware has granted itself Device Administrator privileges. To remove it:
   • Go to Settings > Security > Device admin apps (location varies by Android version).
   • Look for the suspicious app name.
   • Tap it and select Deactivate.
   • Return to Settings > Apps and uninstall.

Step 6: Secure Your Accounts and Monitor Activity

Final protective measures ensure long-term security after the immediate threat has been addressed. These steps prevent secondary attacks and help you detect any compromise you might have missed.

Password Security Best Practices

If you haven’t already changed passwords (see Scenario B in Step 4), do so now on a trusted device.

1. Password creation rules:
   • Minimum 12 characters (16+ for banking and email).
   • Mix uppercase, lowercase, numbers, and symbols.
   • Avoid dictionary words, names, or dates.
   • Never reuse passwords across sites.
   • Change passwords every 90 days for critical accounts.
2. Using password managers securely: Password managers store all your credentials behind one master password. Choose a master password that’s:
   • At least 20 characters long.
   • Memorable but not guessable (consider a passphrase like “Purple-Elephant-Dancing-Moonlight-47”).
   • Never written down or shared.
   • Not stored digitally anywhere except in your memory.

Enable Two-Factor Authentication (2FA)

1. Two-factor authentication requires two different verification methods to access your account:
   • Something you know (password).
   • Something you have (authentication code from your phone).
2. Priority accounts for 2FA:
   • Email (Gmail, Outlook, etc.).
   • Banking and financial institutions.
   • Amazon and shopping accounts.
   • PayPal, Stripe, or payment processors.
   • Work-related accounts (Microsoft 365, Google Workspace).
   • Social media (used for password recovery).
3. Setting up 2FA on Google accounts:
   • Visit myaccount.google.com/security.
   • Scroll to “2-Step Verification”.
   • Click “Get started”.
   • Choose “Authenticator app” rather than SMS.
   • Follow the setup instructions.
4. Setting up 2FA on UK banking apps: Most UK banks now require some form of 2FA by default (due to Strong Customer Authentication regulations under PSD2). Verify yours is active:
   • Open your banking app.
   • Go to Security Settings.
   • Confirm biometric login (fingerprint/face recognition) is enabled.
   • Verify you receive push notifications for login attempts.

Check Recent Account Activity

Most online services maintain activity logs showing recent logins, location changes, and security events.

1. Google account security check:
   • Visit myaccount.google.com/security
   • Click “Recent security activity”.
   • Review the list for:
     • Unfamiliar locations.
     • Unexpected login times (middle of night).
     • Unknown devices.
     • Failed login attempts (indicates someone has your password).
2. If you spot suspicious activity:
   • Click “Secure account”.
   • Follow Google’s guided recovery process.
   • Change your password immediately.
   • Sign out of all devices.
3. Microsoft account security check:
   • Visit account.microsoft.com/security.
   • Click “Sign-in activity”.
   • Review recent activity for anomalies.
   • Use “Where you’re signed in” to see active sessions.

Set Up Security Alerts

Enable email or SMS notifications for important security events:

1. Google Security Alerts:
   • Automatically enabled for critical events.
   • Receive notifications for: new device sign-ins, password changes, recovery information changes.
   • Cannot be disabled (this is protective).
2. Banking Alerts: Most UK banks offer customisable transaction alerts. Enable:
   • International transaction alerts.
   • Large transaction alerts (set threshold at £50-100).
   • Card-not-present transaction alerts.
   • Balance threshold alerts.

These are typically found in your banking app under Settings > Notifications or Alerts & Notifications.

Monitor Financial Statements

Even after taking all protective measures, continue monitoring for 7-14 days:

1. Daily checks (first 72 hours):
   • Banking app transaction list.
   • Credit card recent activity.
   • PayPal or payment processor activity.
   • Email inbox for password reset requests.
2. Weekly checks (days 4-14):
   • Full bank statements.
   • Credit card statements.
   • Any unfamiliar recurring charges.
3. What to look for:
   • Small “test” charges (£0.50-£2.00) that cybercriminals use to verify card validity.
   • Charges to unfamiliar merchants.
   • International transactions you didn’t make.
   • Subscription charges you didn’t authorise.

Report any suspicious activity to your bank immediately. UK banks typically provide strong fraud protection and refund unauthorised transactions reported promptly.

How to Identify Phishing Links on Android (Prevention)

Learning to spot phishing attempts before clicking prevents future incidents. Mobile phishing has become increasingly sophisticated, but certain red flags remain consistent across most attacks.

The Long-Press Preview Technique

Android allows you to preview link destinations before tapping them—a critical safety feature many users don’t know exists.

1. How to preview links:
   • When you receive a suspicious message with a link, long-press the link (press and hold).
   • A menu appears showing the full URL destination.
   • Read the complete URL carefully before deciding whether to tap.
2. For email apps: Long-pressing may also show options like “Copy link” or “Share.” Choose “Copy link,” then paste it into a notes app to examine the full URL safely.
3. For SMS messages: The long-press menu typically shows the URL immediately. Look carefully at the domain before tapping.

Red Flags in URLs

Phishing URLs use various tricks to appear legitimate whilst actually directing to malicious sites.

1. Domain misspellings:
   • Legitimate: amazon.co.uk
   • Phishing: arnazon.co.uk, amazon-uk.com, amazonuk-login.com
2. Subdomain tricks:
   • Legitimate: hsbc.co.uk
   • Phishing: hsbc.co.uk.security-check.com (the real domain is “security-check.com”)
3. Character substitution:
   • Using “rn” to look like “m”: arnаzon.co.uk
   • Using “1” instead of “l”: barclays1.co.uk
   • Using “0” instead of “o”: micros0ft.com
4. URL shorteners (bit.ly, tinyurl.com, etc.): Legitimate companies rarely use URL shorteners in official communications. Shortened links hide the true destination, making them favourite tools for phishing attacks.
5. HTTPS doesn’t guarantee safety: The padlock icon and “https://” simply mean the connection is encrypted—not that the website is legitimate. Phishing sites frequently use HTTPS to appear trustworthy.

RCS Verified Business vs Unverified SMS (2025 Context)

Android’s Rich Communication Services (RCS) messaging includes verification features that traditional SMS lacks. Understanding these distinctions helps identify legitimate business messages.

1. RCS Verified Business Senders:
   • Display the company name clearly at the top of the conversation.
   • Show a blue verification checkmark next to the company name.
   • Include the company logo.
   • Come through the “Messages” app with special formatting.
   • Example: “NatWest [Verified]” with NatWest’s logo and blue tick.
2. Suspicious unverified SMS:
   • Show only a phone number (e.g., “+44 7XXX XXXXXX” or a 5-digit short code).
   • No company name or logo.
   • Generic formatting.
   • Claims to be from a business but lacks verification.

Important context: RCS verification only works for business messages sent through Google’s Business Messages platform. Personal contacts won’t show verification ticks, which is normal. However, if someone claiming to be a bank, delivery service, or government agency contacts you via standard SMS without verification, treat the message as suspicious.

Major UK organisations using RCS Business Messaging (November 2025):

1. Most major banks (HSBC, Barclays, NatWest, Lloyds).
2. Royal Mail.
3. Parcel delivery services (DPD, Evri, etc.).
4. HMRC (for certain communications).

If you receive an SMS from these organisations without RCS verification, verify independently by calling the official number from their website.

Sender Urgency and Psychological Manipulation

Phishing messages exploit psychological triggers to bypass rational decision-making.

1. Common urgency tactics:
   • “Your account will be suspended in 24 hours”
   • “Unusual activity detected—verify immediately”
   • “You’ve won [prize]—claim within 48 hours”
   • “Package delivery failed—reschedule now”
   • “URGENT: Security alert on your account”
2. Pressure through consequence:
   • “Failure to respond will result in account closure”
   • “Legal action will be taken unless you…”
   • “You’ll lose access to…”
3. Too-good-to-be-true offers:
   • “You’ve been selected for a £500 refund”
   • “Free iPhone 15 Pro—limited stock”
   • “Your Amazon order is eligible for compensation”

Legitimate companies don’t create artificial urgency. Banks, government agencies, and reputable businesses provide reasonable timeframes and multiple contact methods.

Grammar, Spelling, and Formatting Errors

Professional organisations employ copywriters and editors. Phishing messages often contain:

1. Poor grammar:
   • “Your account has been compromise”.
   • “We has detected unusual activity”.
   • “Please to verify your information”.
2. Unusual phrasing:
   • “Dear valued customer” (impersonal).
   • “We are writing to inform you that…” (overly formal).
   • Awkward sentence construction suggesting translation.
3. Formatting issues:
   • Inconsistent capitalisation.
   • Random bold or italic text.
   • Excessive exclamation marks!!!
   • Unusual spacing or alignment.

However, be aware that sophisticated phishing operations increasingly use professional copy. Don’t rely solely on grammar checks.

Generic Greetings and Missing Personalisation

Legitimate communications from organisations you have accounts with typically include:

1. Your full name.
2. Account number (partially masked).
3. Specific transaction or account details.
4. References to recent activity you recognise.

Phishing messages often use:

1. “Dear Customer”.
2. “Dear Account Holder”.
3. “Hello User”.
4. Just “Hi” with no name.

Exception: Some automated systems from legitimate companies do send generic greetings. Use this as one indicator among many, not a definitive test.

UK-Specific Reporting and Resources

Reporting phishing attacks helps protect others and contributes to national cybersecurity intelligence. UK authorities use these reports to identify trends, shut down phishing operations, and warn the public about emerging threats.

Report Phishing to Action Fraud

Action Fraud is the UK’s national fraud and cybercrime reporting centre, operated by the City of London Police.

1. How to report:
   • Online: https://www.actionfraud.police.uk (24/7 online reporting).
   • Phone: 0300 123 2040 (Monday-Friday, 8 am-8 pm).
   • Textphone: 0300 123 2050 (for those with hearing difficulties).
2. Information to provide:
   • Date and time you clicked the phishing link.
   • How you received the message (SMS, email, WhatsApp, etc.).
   • The sender’s details (phone number, email address, account name).
   • The content of the phishing message (screenshot if possible).
   • The URL of the phishing website.
   • Whether you provided any information.
   • Any financial loss incurred.

What happens after reporting: Action Fraud creates a crime reference number and passes your report to the National Fraud Intelligence Bureau (NFIB). They analyse reports to identify patterns and coordinate law enforcement responses. Whilst individual cases rarely lead to direct investigation (due to resource constraints), your report contributes to broader intelligence about cybercrime operations.

NCSC Suspicious Email Reporting Service

The National Cyber Security Centre (NCSC) operates a dedicated service for reporting suspicious emails.

1. How to report suspicious emails:
   • Email address: [email protected]
   • Method: Forward the suspicious email as an attachment.
   • Android Gmail app: Open the email, tap the three-dot menu, select “Forward,” and send to [email protected]
2. The NCSC uses these reports to:
   • Identify and take down phishing websites.
   • Block malicious URLs across UK networks.
   • Provide intelligence to internet service providers.
   • Warn organisations that are being impersonated.

Since launch in April 2020, the NCSC Suspicious Email Reporting Service has received over 14 million reports and removed more than 160,000 scam websites (as of October 2025).

Google Safe Browsing Reporting

Google Safe Browsing protects billions of devices worldwide. Reporting phishing URLs helps Google update their blocklists, preventing other users from accessing the same malicious sites.

How to report:

1. Visit https://safebrowsing.google.com/safebrowsing/report_phish/
2. Enter the phishing URL.
3. Add any additional context.
4. Submit the report.

Reports are processed automatically and typically result in the URL being blocked within hours across Chrome, Firefox, and Safari browsers.

ICO Data Breach Reporting

If the phishing incident resulted in unauthorised access to personal data—particularly for business accounts, work emails, or organisational systems—you may need to report to the Information Commissioner’s Office (ICO).

1. When to report to the ICO:
   • You’re a business or organisation whose employee clicked a phishing link on a work device
   • Customer or client data may have been compromised
   • Personal data of UK residents was accessed
   • The breach presents a risk to people’s rights and freedoms
2. Reporting requirements:
   • Organisations must report data breaches to the ICO within 72 hours of becoming aware
   • Failure to report can result in fines under GDPR
3. How to report:
   • Online: ico.org.uk/for-organisations/report-a-breach
   • Phone: 0303 123 1113 (Monday-Friday, 9am-5pm)
4. For personal (not business) incidents: Individual users who clicked phishing links on personal devices typically don’t need to report to the ICO unless the incident involves a data controller’s failure to protect your data.

Bank Fraud Reporting Protocols

If you provided financial information to a phishing site, your bank is your primary point of contact.

UK banking fraud guarantee: Under the Lending Standards Board’s Contingent Reimbursement Model Code (effective 2019), most UK banks refund victims of authorised push payment (APP) fraud when certain conditions are met. This includes phishing attacks where you were tricked into providing credentials.

What banks typically require:

1. Immediate notification (ideally within 24 hours).
2. Detailed description of the phishing incident.
3. Evidence of the phishing message.
4. Proof you took reasonable steps to verify legitimacy.
5. Confirmation you didn’t act against security warnings.

Report to your bank first, then to Action Fraud. The bank may request your Action Fraud crime reference number.

You’ve taken the right steps by acting quickly after clicking on a phishing link. By disconnecting your device, checking for hidden downloads, scanning for malware, and securing your accounts, you’ve significantly reduced the risk of lasting damage.

Remember these key protective measures going forward: always preview links before tapping them, verify sender authenticity through official channels, enable two-factor authentication on all critical accounts, and maintain vigilance for the red flags we’ve discussed. Phishing attacks continue evolving, but your awareness and prompt response remain your strongest defences.

If you’ve followed all the steps in this guide and haven’t detected any compromise, you can resume normal device use whilst continuing to monitor your accounts for the next two weeks. Stay cautious with future messages, trust your instincts when something feels wrong, and never let urgency override your security judgment.