How modern scams are built, distributed, and detected — and where defences actually matter
Published 4 May 2026 · ScamSupport research · ~12 minute read
Phishing has moved a long way from its 2010s caricature. The "Nigerian prince" template that filtered itself out of inboxes a decade ago has been replaced by polished, brand-accurate, mobile-optimised campaigns that arrive at scale and convert at rates the security industry doesn't like to publish. UK Finance's Annual Fraud Report 2025 puts losses at £1.1 billion across 2024, with over £600 million stolen in the first half of 2025 alone, and that is only the reported portion. UK Finance's own survey work suggests actual losses run two to three times higher because most incidents are never reported.
This article walks through what a modern phishing campaign actually looks like end-to-end, from the moment a criminal acquires a target list to the moment money lands in a mule account, and where defences interrupt the chain. It's written for ordinary readers, not security professionals, but it doesn't water down the technical reality. By the time you finish reading, you'll have a clearer mental model of what's happening when a suspicious email arrives in your inbox — and where you have leverage that the criminal doesn't.
A campaign starts with addresses. Two sources dominate in 2026.
Breached credential databases. Have I Been Pwned currently catalogues well over 13 billion compromised accounts from more than 850 publicly disclosed breaches, and that's only the public side. The data feeds an underground marketplace where lists are bundled by demographic ("UK retail customers, 35–55"), by perceived wealth ("active investors, multiple platforms"), or by service ("LinkedIn professionals, 2024 leak"). Lists trade for surprisingly little money; a million UK email addresses might cost a buyer £200. The economics of phishing only work because the input cost has collapsed.
Data broker leaks. When a less-known data broker is breached, the resulting dump often contains not just emails but full identity profiles: name, postcode, employer band, age range, and increasingly recent purchase history. This is the input that enables the second wave of phishing — the kind that knows your name, addresses you correctly, and references something specific to your life. The line between "spam" and "targeted social engineering" depends almost entirely on whether the criminal has paid for enriched data.
The shift over the past three years has been from spray-and-pray spam to targeted lure design. A scammer no longer needs to send a generic "your account is suspended" email. They can send a message that knows you bank with NatWest and live in your postcode, and that pretends to be a fraud alert specific to your card. The technology to merge a list with a lure template is, at this point, off-the-shelf.
Modern scams exploit psychology more than technology. Three levers reliably out-perform every other angle, and you can identify them in almost any phishing message you receive.
Manufactured urgency. "Your tax return must be filed within 24 hours or you'll be fined." "Your parcel will be returned to sender at midnight." The deadline doesn't have to be real; it just has to compress your decision-making window enough to override scepticism. Psychologists have shown repeatedly that time pressure pushes people from careful deliberation to fast, habit-driven judgement, which is exactly what a lure needs. Phishing copywriters call it the squeeze. The countdown is almost always synthetic; a real organisation gives notice in writing, and its deadlines run to weeks, not hours.
False authority. Branding a message with HMRC, Royal Mail, or your bank's logo is technically trivial — most logos are publicly available SVG files. The harder problem is matching the typography, footer disclaimers, and CSS of a real corporate email. A serious campaign will copy the source of a genuine email, swap in the malicious link, and re-send it. The result is indistinguishable from the real thing on a phone screen, where roughly 80% of UK email is now read.
Loss aversion. Behavioural economics shows people weigh a loss roughly twice as heavily as an equivalent gain. Phishing copy weaponises this directly: "your subscription will be cancelled", "your account will be locked", "your refund will be returned to sender". The threat of loss does more conversion work than any promise of reward, which is why "you've won" prize scams have all but disappeared from sophisticated campaigns: they only catch the most credulous targets, and modern criminals would rather convert one cautious person than ten naive ones.
The brands targeted vary by country. In the UK in 2026 the top five are HMRC (tax-refund and tax-debt scams), Royal Mail (parcel-delivery fees), the major banks (impersonation of fraud teams), Amazon (account-suspension), and Netflix (payment-failed). The mix shifts when news cycles change. When energy bills spike, expect Octopus and British Gas; when there's a big fashion sale, expect ASOS and JD Sports; when a mainstream news story features a brand, expect that brand to appear in inboxes within a week.
The technical side is where the arms race lives.
Lookalike domains. A campaign targeting Royal Mail won't be sent from royalmail.com; that domain is owned by the real Royal Mail. It'll be sent from royalmail-tracking.help, royalrnail.co.uk (rn instead of m), or royalmail.com.update-id-2026.click. The only part of a link that decides where it goes is the hostname: the text between https:// and the first slash. Within the hostname, the right-most two or three labels (royalmail.com, or update-id-2026.click) are the domain somebody registered, and everything to the left of them is a subdomain the registrant can invent at will; everything after the slash is a path the attacker chose too. In royalmail.com.update-id-2026.click the registered domain is update-id-2026.click, and "royalmail.com" is pure decoration. Once you train yourself to read hostnames from right to left, this category of trick stops working.
Three domain manipulations dominate: typo-squatting (royalmial), homograph attacks (a Cyrillic а in place of a Latin a, indistinguishable in most fonts), and subdomain abuse (the real domain is buried after several misleading subdomains). Mainstream browsers blunt the homograph trick by displaying a mixed-script hostname in its punycode form (xn--...) instead of the lookalike letters, but the other two work everywhere. Mobile address bars have little room, so a long hostname is cut off and the part that matters is easy to miss, which is why mobile is where most successful clicks happen.
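A concrete way to apply the right-to-left rule, written as an added example for this article rather than code from ScamSupport: the function below pulls the hostname out of a URL the way a browser does, works out the registered domain, and names the trick in play. It goes beyond the paragraph in two ways: it also catches the userinfo decoy (https://royalmail.com@evil.example/, where the text before the @ is a username, not the host), and it shows the same registered-domain comparison a password manager makes before deciding whether to auto-fill. The brand list and the public-suffix table are small constructed stand-ins for a real brand list and the full Public Suffix List, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed for this example: a few protected brand names and a deliberately
# tiny table of multi-label public suffixes. Both are assumptions; a real tool
# loads the full Public Suffix List (publicsuffix.org) and its own brand list.
BRANDS = {"amazon", "hmrc", "natwest", "netflix", "royalmail"}
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The right-most labels that someone actually registered (eTLD+1).

    Everything left of this is a subdomain its registrant can invent freely,
    so royalmail.com.update-id-2026.click belongs to update-id-2026.click.
    """
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance: 'royalmial' is two substitutions away from 'royalmail'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> dict:
    """Report which lookalike tricks a URL uses against the brands above."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # urlsplit already applies the rules a reader has to learn: text before
    # '@' is userinfo, not the host, and nothing after the first '/' routes.
    host = (parts.hostname or "").rstrip(".").lower()
    reg = registrable_domain(host)
    owner = reg.split(".")[0]            # 'royalmail' in royalmail.com
    findings = []

    if parts.username is not None:
        findings.append("userinfo-decoy:" + parts.username)
    if any(ord(c) > 127 for c in host):
        # Non-ASCII letters (e.g. Cyrillic 'о' for Latin 'o'); browsers that
        # refuse to render mixed scripts show this punycode form instead.
        findings.append("homograph:" + host.encode("idna").decode("ascii"))

    for brand in sorted(BRANDS):
        if owner == brand:
            continue                     # the brand's own registered domain
        if brand in host and brand not in owner:
            findings.append("subdomain-abuse:" + brand)   # brand left of eTLD+1
        elif owner.startswith(brand) or owner.endswith(brand):
            findings.append("brand-affix:" + brand)       # royalmail-tracking.help
        elif levenshtein(owner, brand) <= 2:
            # A fixed threshold is an assumption of this example; a real tool
            # scales it with length so short brand names do not match everything.
            findings.append("typosquat:" + brand)
    return {"host": host, "registrable": reg, "findings": findings}


def password_manager_would_fill(saved_url: str, page_url: str) -> bool:
    """Why a password manager stays silent on a fake page: it compares the
    registered domain of the saved login with the page it is on (simplified
    policy; real managers differ in detail), so a lookalike is never offered."""
    saved = registrable_domain((urlsplit(saved_url).hostname or "").lower())
    page = registrable_domain((urlsplit(page_url).hostname or "").lower())
    return saved == page


if __name__ == "__main__":
    for u in ["https://www.royalmail.com/track",
              "https://royalmail-tracking.help/track",
              "http://royalrnail.co.uk/",
              "https://royalmail.com.update-id-2026.click/login",
              "https://royalmail.com@update-id-2026.click/login",
              "https://rоyalmail.com/"]:          # Cyrillic о in the host
        print(classify(u))
```

The homograph case is reported twice, once as a non-ASCII hostname shown in its punycode form and once as a one-edit near miss on the Latin brand name; in practice the two signals overlap like that, and either one on its own is enough to stop and type the address by hand.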
Bulletproof hosting. The infrastructure that hosts the actual phishing page is rented from providers in jurisdictions where takedown requests don't get answered quickly. Cloudflare and major CDNs increasingly auto-detect and block known phishing domains, which has shortened the average lifespan of a campaign URL from weeks in 2020 to about 18 hours in 2026. But 18 hours is still plenty of time to harvest tens of thousands of credentials.
Email authentication bypasses. SPF, DKIM, and DMARC are the three protocols that, together, let a receiving server check that an email really came from the domain in its From address. They work, but only when the receiving mail provider checks them and the impersonated brand has published a policy saying what to do on failure; many corporate and small-business mail servers don't check, and many brands still publish no enforcing policy. Two things sidestep the checks entirely rather than defeating them. First, authentication proves only that mail came from the domain it claims to come from, so a lookalike domain with its own SPF and DKIM records passes cleanly: nothing in the protocols says that royalmail-tracking.help is not Royal Mail. Second, phishers use compromised legitimate accounts: mail from a hacked mailbox or a hacked WordPress site goes out through that domain's own infrastructure and is, technically, authentic.
Sending 10 million emails sounds technically demanding. In 2026 it isn't.
Compromised SMTP relays. Hijacked Office 365 accounts, hacked WordPress installations (whose built-in mail function will send whatever a planted script tells it to), residential ISP accounts with weak passwords: collectively, the criminal economy has access to tens of thousands of low-volume mail-sending endpoints. Each one is configured to send a few thousand messages per day, below the threshold that gets the IP blocklisted. Aggregate the network and you reach scale without a single major outbound source for spam-detection systems to lock onto.
SMS via SIM farms. UK smishing volume tripled between 2023 and 2026, mostly because the cost of sending fell. SIM farms, physical devices holding hundreds of pay-as-you-go SIMs, usually in countries with cheap mobile data, automate the dispatch. A campaign of 5 million UK texts costs the operator perhaps £400 in mobile data and twenty hours of automated processing. The economics differ from email: here it is the mobile networks that can throttle a SIM sending too fast, which is exactly why the volume is spread across hundreds of them. The result for the recipient is the same.
Encrypted-messenger pivots. WhatsApp and iMessage are end-to-end encrypted, which makes them useful for criminals because neither the carrier nor the platform can inspect the content. The "Hi Mum" voice-cloning scam, the WhatsApp investment-group scam, and the Telegram romance-scam ecosystem all rely on encrypted channels for the conversion phase, even when initial contact happened over SMS or email. The shift to messengers is a distribution change as much as a technology one: it moves the conversation onto a channel where institutional defences are largely absent.
What does the criminal actually want? Three outcomes drive almost every campaign.
Credential capture is the most common goal. Get the victim to type a username and password into a fake login page. Sell the credential, or use it to log into the real service and drain whatever is accessible. A captured Netflix login is worth a few pounds; a captured online-banking login is worth four figures because of what can be drained from it.
Card details with one-time-password capture. Modern card payments require a one-time password for many online transactions, which is supposed to defeat card-only theft. The fake page turns the victim into the weak link. It asks for the card number, then asks the victim to enter the OTP "to verify the card". Meanwhile the criminal puts the card number into a real shopping site, which fires an OTP to the victim's phone; the victim helpfully pastes it into the fake page, and the criminal completes the purchase, often for items that can be quickly resold such as phones, gift cards, and electronics. The code never was a verification: it authorised the criminal's purchase, and the bank's text message usually says so, naming the merchant and the amount. Reading that text rather than just copying the digits out of it is the single check that breaks this flow.
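To make concrete why the "verification code" is really an authorisation, here is an added simulation, not code from this page or from any bank. A constructed card issuer binds each code to one transaction and words its text the way real payment prompts usually do, naming merchant and amount (the exact wording is an assumption of the example). relay_attack plays out the flow from the paragraph above with a victim who either reads the text or just copies the six digits out of it.

```python
import re
import secrets


class Issuer:
    """Constructed card issuer for the example. Each one-time code is bound to
    a single transaction, and the text message says what that transaction is
    (the wording below is assumed, modelled on real payment prompts)."""

    def __init__(self):
        self.pending = {}      # txn_id -> (card, merchant, amount_pence, code)
        self.sms_outbox = []   # what the cardholder's phone receives

    def request_code(self, card: str, merchant: str, amount_pence: int) -> str:
        txn_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[txn_id] = (card, merchant, amount_pence, code)
        self.sms_outbox.append(
            f"Your one-time code is {code} to pay £{amount_pence / 100:.2f} "
            f"to {merchant}. If this was not you, do not share the code.")
        return txn_id

    def authorise(self, txn_id: str, code: str) -> bool:
        # Single use: the code is consumed whether or not it matches.
        entry = self.pending.pop(txn_id, None)
        return entry is not None and secrets.compare_digest(code, entry[3])


SMS_RE = re.compile(r"code is \d{6} to pay £(\d+\.\d\d) to (.+?)\.")


def payment_described(sms: str):
    """The cardholder-side check: what does the bank say this code is for?
    Returns (merchant, amount_pence), or None if the text names no payment."""
    m = SMS_RE.search(sms)
    if not m:
        return None
    return m.group(2), round(float(m.group(1)) * 100)


def relay_attack(bank: Issuer, victim_card: str, victim_reads_sms: bool) -> str:
    """The flow from the paragraph above, step by step."""
    # 1. The fake page has already collected the card number as a 'card check'.
    # 2. The criminal starts a real purchase with it; the bank texts the victim.
    txn_id = bank.request_code(victim_card, "PHONEHUB ONLINE", 89900)
    sms = bank.sms_outbox[-1]
    # 3. The fake page now asks for 'the verification code we just sent'.
    if victim_reads_sms and payment_described(sms) is not None:
        return "refused: the text authorises a payment, not a verification"
    code = re.search(r"\b\d{6}\b", sms).group(0)     # victim pastes the digits
    # 4. The criminal submits the relayed code at the real merchant's checkout.
    return "purchase authorised" if bank.authorise(txn_id, code) else "declined"


if __name__ == "__main__":
    for reads in (False, True):
        print(f"victim reads the text: {reads} -> "
              f"{relay_attack(Issuer(), '4111 1111 1111 1111', reads)}")
```

Nothing in the issuer's logic can tell the relayed code from a genuine one; the code is correct, for the transaction it was issued for. The only party who can see that the transaction is not the one they intended is the cardholder, which is why the defence lives in reading the message rather than in the code itself.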
Direct bank impersonation. A phone call follows the email. The caller claims to be from the victim's bank fraud team, asks them to "move money to a safe account" while the supposed fraud is investigated. The "safe account" is the criminal's. UK banks have spent years training customers not to fall for this, and the awareness has improved meaningfully — but substantial money still moves this way every week.
Money laundering is its own industry. Funds typically pass through several mule accounts (often students or elderly people who've been recruited via fake job listings — themselves the result of an earlier phishing pass) before being converted to crypto and exiting the regulated banking system. The Financial Conduct Authority's mule-detection programmes have improved meaningfully since 2023, but the criminals adapt as quickly as the rules tighten.
The defensive stack has three layers, each catching a different fraction of the campaign volume.
Network-level detection. Email providers (Gmail, Outlook, ProtonMail) score every incoming message against filters trained on enormous volumes of mail. Most obvious phishing never reaches your inbox; it lands in spam or gets refused at the gateway. The problem is structural: the campaigns that do reach your inbox are by definition the ones that beat those filters. They're the polished ones, the ones that don't trigger the obvious flags. The small fraction that gets through does more harm than the bulk that is blocked.
Sender authentication. DMARC enforcement, with BIMI on top of it, is slowly rolling out across UK consumer brands. When a bank publishes a DMARC policy of p=reject, a message that spoofs the bank's exact domain without passing aligned SPF or DKIM is refused or quarantined by a compliant receiver before it reaches the inbox (BIMI, which shows the brand's logo beside authenticated mail, only works once that enforcement is in place). The catch: only about 60% of UK consumer brands have done this, almost none of the smaller ones have, and none of it touches lookalike domains, which authenticate themselves perfectly well. Authentication helps against exact-domain spoofing of big brands; it doesn't help for the long tail, or against a domain the criminal registered yesterday.
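The evaluation a DMARC-enforcing receiver performs, as an added example (not ScamSupport's code, and not any bank's published policy), covering both the bypass described under email authentication above and the roll-out point in this paragraph. It parses a DMARC record and an Authentication-Results header the way a receiving server writes it, applies alignment, and returns the disposition. The domains, their records and the header values are all constructed; the organisational-domain helper is a two-label simplification of the Public Suffix List. The five sample cases show the two things the protocols do (refuse an exact-domain spoof under p=reject, merely report one under p=none) and the two things they cannot do (a lookalike domain and a compromised mailbox both pass).

```python
import re

# Constructed DMARC records for the example's domains. In reality these are
# TXT records at _dmarc.<domain>; the values here are assumptions, not the
# policies any real organisation publishes.
DMARC_RECORDS = {
    "bigbank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bigbank.example",
    "smallshop.example": "v=DMARC1; p=none; rua=mailto:reports@smallshop.example",
    # The lookalike domain publishes its own SPF, DKIM and DMARC and passes.
    "bigbank-security.example": "v=DMARC1; p=reject",
}

# Pulls (mechanism, result, authenticated identity) out of an
# Authentication-Results header as a receiving mail server writes it.
AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.@-]+)")


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); a real evaluator
    uses the Public Suffix List so that shop.co.uk is not reduced to co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match with the From
    domain, relaxed ('r') only the same organisational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_header: str, auth_results: str, records=DMARC_RECORDS) -> str:
    """What a DMARC-enforcing receiver does with a message, given the visible
    From: header and the SPF/DKIM results it computed itself."""
    from_domain = from_header.rsplit("@", 1)[-1].strip("> ").lower()
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return "no-policy"            # the long tail: nothing to enforce
    tags = parse_dmarc(record)
    results = {}
    for mech, result, ident in AUTH_RE.findall(auth_results):
        results[mech] = (result.lower(), ident.split("@")[-1].lower())

    def passes(mech: str, align_tag: str) -> bool:
        result, ident = results.get(mech, ("none", ""))
        return result == "pass" and aligned(ident, from_domain, tags.get(align_tag, "r"))

    if passes("spf", "aspf") or passes("dkim", "adkim"):
        return "pass"
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p"), "monitor-only")


if __name__ == "__main__":
    cases = [
        # Spoofed From, sent from infrastructure the bank never authorised.
        ("Big Bank Fraud Team <alerts@bigbank.example>",
         "spf=fail smtp.mailfrom=bigbank.example; dkim=none"),
        # Spoofed From, valid SPF/DKIM for the sender's own domain: not aligned.
        ("Big Bank Fraud Team <alerts@bigbank.example>",
         "spf=pass smtp.mailfrom=bulk-sender.example; dkim=pass header.d=bulk-sender.example"),
        # Lookalike domain with its own records: authentication passes cleanly.
        ("Big Bank Security <alerts@bigbank-security.example>",
         "spf=pass smtp.mailfrom=bigbank-security.example; dkim=pass "
         "header.i=@bigbank-security.example header.d=bigbank-security.example"),
        # Small brand at p=none: the spoof is reported to the owner, not blocked.
        ("Small Shop <orders@smallshop.example>", "spf=fail smtp.mailfrom=smallshop.example"),
        # Compromised mailbox at a legitimate domain: fully authenticated.
        ("Small Shop <staff@smallshop.example>",
         "spf=pass smtp.mailfrom=bounce.smallshop.example; dkim=pass header.d=smallshop.example"),
    ]
    for frm, ar in cases:
        print(f"{dmarc_disposition(frm, ar):13} {frm}")
```

The third and fifth cases are the ones worth remembering: a perfectly authenticated message tells you only that it came from the domain it names, which is precisely the question the lookalike and the hijacked account were designed not to raise.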
Content-based detection. This is where ScamSupport and similar tools sit. Once the message is in your inbox, the question is whether the content matches known scam patterns. The features that work — sender/display-name mismatch, urgency vocabulary, link-to-text ratio anomalies, brand-mismatch, time-pressure phrases — are stable across campaigns because they're rooted in psychology, not technology. Even when scammers change domains every 18 hours, the manipulation patterns barely change. That's what makes a small browser-side model viable as a defence: it doesn't need to know about the domain registered three hours ago to recognise a shape it has seen ten thousand times.
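The signals listed above, as an added example and not ScamSupport's own model: a standard-library-only scorer that parses a raw email, pairs each link's visible text with its real destination, checks the display name against the sending domain, and counts urgency phrases. The brand-to-domain table, the urgency list, the weights and both sample messages are constructed for the example; a production model learns the weights rather than hard-coding them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for the example: brand names as they appear in display names or body
# text, mapped to domains the real organisation sends from. The urgency list
# and weights are the example's own choices, not ScamSupport's model.
BRAND_DOMAINS = {"royal mail": {"royalmail.com"}, "hmrc": {"hmrc.gov.uk"}}
URGENCY = ["within 24 hours", "immediately", "final notice", "will be suspended",
           "will be locked", "returned to sender", "act now", "verify now"]
WEIGHTS = {"brand-mismatch": 3, "link-text-mismatch": 3, "off-brand-link": 2, "urgency": 1}
DOMAIN_LIKE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)

# Constructed sample messages: a lure and a genuine-looking notification.
SAMPLE_LURE = """\
From: Royal Mail <noreply@rm-parcel-notice.click>
To: customer@example.org
Subject: Your parcel is waiting: action required
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>We attempted to deliver your parcel but a fee of £1.99 is outstanding.
It will be returned to sender if not paid within 24 hours.</p>
<p><a href="https://royalmail.com.rm-parcel-notice.click/pay">https://www.royalmail.com/pay</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: Royal Mail <no-reply@royalmail.com>
To: customer@example.org
Subject: Your parcel is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Your parcel will be delivered tomorrow. Track it in the app or at
<a href="https://www.royalmail.com/track-your-item">royalmail.com/track-your-item</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Pairs each anchor's visible text with where its href really goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def under(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def shown_host(text: str) -> str:
    """The host a reader believes a link points at, judging by its visible text."""
    m = DOMAIN_LIKE.match(text.strip())
    return re.sub(r"^www\.", "", m.group(1).lower()) if m else ""


def score_message(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()                 # single-part HTML in the samples
    text = re.sub(r"<[^>]+>", " ", (msg["Subject"] or "") + " " + body).lower()
    collector = LinkCollector()
    collector.feed(body)
    signals = []

    # Who the message claims to be, and whether the sending domain agrees.
    claimed = [b for b in BRAND_DOMAINS if b in display.lower() or b in text]
    for brand in claimed:
        if not under(sender_domain, BRAND_DOMAINS[brand]):
            signals.append(f"brand-mismatch:{brand}:{sender_domain}")
    for phrase in URGENCY:
        if phrase in text:
            signals.append("urgency:" + phrase)
    # Link text that names one site while the href goes to another, and any
    # link that leaves the domains of the brand the message claims to be.
    for shown, href in collector.links:
        target = (urlsplit(href).hostname or "").lower()
        believed = shown_host(shown)
        if believed and believed != re.sub(r"^www\.", "", target):
            signals.append(f"link-text-mismatch:{believed}->{target}")
        if claimed and not any(under(target, BRAND_DOMAINS[b]) for b in claimed):
            signals.append("off-brand-link:" + target)

    score = sum(WEIGHTS[s.split(":", 1)[0]] for s in signals)
    verdict = "likely-scam" if score >= 4 else "no-signals" if score == 0 else "check-it"
    return {"score": score, "verdict": verdict, "signals": signals}


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(score_message(sample))
```

None of these checks needs to know that rm-parcel-notice.click exists; the lure is flagged because its display name, its link text and its urgency wording all disagree with where the message actually comes from and goes to, and those disagreements survive a change of domain.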
The arms race continues, but the patterns the bad actors rely on are slow-moving by their nature. Every effective phishing message has urgency, false authority, and an off-platform call-to-action somewhere in it. Strip those three signals out and the message stops working as a scam.
Three habits defeat the majority of campaigns by themselves.
Never log into anything through a link in a message. If your bank or Amazon or Netflix needs you to do something, the action will be visible the next time you open their app or type the URL. The two-second cost of a fresh tab eliminates an entire class of attack. This single habit, consistently applied, is more effective than any technology layer because it sidesteps the entire infrastructure trick.
Use a password manager and turn on multi-factor authentication for the high-value accounts. A password manager won't auto-fill on a lookalike domain: it matches the saved login against the domain of the page it is on and stays silent on royalrnail.co.uk. That alone catches almost every credential-phishing attempt, provided you treat the silence as the warning it is rather than copying the password across by hand. MFA closes the gap on the rare cases that get through. A hardware security key or passkey is the strongest form because it is bound to the real site's domain and simply won't work on a fake page; an authenticator app is next; SMS codes are last, because a live phishing page can relay a code to the real site while it is still valid. Email accounts and banking accounts deserve the strongest version of this; everything else can use the convenient version.
When in doubt, paste it into a tool. ScamSupport, the message-checker on this site, is one option; Google's Safe Browsing transparency report lets you check URLs; your bank's app usually has a "is this from us" check. Whichever tool you use, the cost is seconds. The friction of making a habit of this once or twice is far smaller than the friction of explaining to your bank why money left your account.
Scams are getting more polished. The volume is going up, not down, and the arms race favours offence: defenders have to be right every time, attackers only need to be right once. That's the structural reality and there's no point pretending otherwise.
But the basics still defeat most of it. A password manager, a habit of typing URLs instead of clicking links, and a healthy scepticism towards anything that wants you to act in 24 hours — that combination catches enough of the modern campaign space that the criminal economy has had to focus on the people without those defences. Make sure you're not one of them, and help the people you know set up the same habits. A 30-minute conversation with a parent or grandparent about how to install a password manager and where to paste a suspicious text saves more grief than any subsequent recovery attempt.
If you want a sense of how a specific message you've received scores against the patterns described above, paste it into ScamSupport. Even if you don't use the tool, the framework — what's being asked of me, who's claiming to ask, why is the urgency synthetic — is portable. Once you've seen it explicitly, you'll find yourself running it on every suspect email you receive, almost automatically.