
How to respond to a suspicious email in under 60 seconds

A quick-response guide for primary care teams - because every second counts in cyber security


Professional Reference articles are designed for health professionals to use. They are written by UK doctors and based on research evidence, UK and European Guidelines. You may find one of our health articles more useful.

Not all cyber threats come through hacking or malware. Some of the most common and damaging attacks begin with something deceptively simple: a suspicious-looking email. Phishing scams - emails that impersonate NHS bodies, suppliers, or colleagues - are one of the most frequent causes of cyber breaches in healthcare. These emails aim to trick staff into clicking links, downloading attachments, or sharing sensitive data. The good news? You don’t need to be an IT expert to stop them. If your team knows what to look for and how to act fast, you can prevent a small mistake from becoming a major incident. Here’s how to spot, stop and report a suspicious email - in under 60 seconds.


What does a suspicious email look like? 

There’s no single formula, but common signs include: 

  • Unexpected messages from NHS suppliers or service providers. 

  • Urgent requests to click a link or download a file. 

  • Poor spelling, strange formatting or off-brand logos. 

  • Email addresses that look similar but are subtly wrong. 

  • Pressure to act quickly, such as “You must complete this now”. 

  • Messages asking for login details or patient information. 

Some phishing emails may even appear to come from trusted sources, including NHSmail addresses that have been compromised. 

The 60-second checklist: what to do if you’re unsure

1. Don’t click anything (10 seconds)

If you feel uncertain about an email - even for a moment - stop. Don’t click links, download attachments, or reply. Most threats only activate if you interact with them. Simply opening an email is usually harmless, but the real danger starts when you follow its instructions. 

2. Check the sender carefully (10 seconds) 

Hover over the sender’s name or email address. Is it spelt correctly? Does it match the name and organisation you’d expect? Look for minor changes like nhs.net.co or [email protected] - these are common phishing tricks. 

3. Ask yourself: Was I expecting this? (10 seconds) 

Phishing works by catching people off guard. If you weren’t expecting a password reset, invoice, or link to a survey - question it. Even if it looks legitimate, a surprise email should raise a red flag. 

4. Report it or ask for help (20 seconds) 

If you’re using NHSmail, forward the email to [email protected]. This helps protect others in the system. If not, report it to your IT lead, practice manager, or CSU support desk immediately. Don’t delete the email until they advise. Do not forward it to anyone else in the practice without checking first. 

5. Inform your team if needed (10 seconds) 

If the email is widespread or part of a scam campaign, make others aware - especially those who might be most at risk of clicking it. A quick team message could stop someone else from falling for the same trick. 
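The sender check in step 2, as an added illustration that is not part of the original article: a small Python function that labels a From: header as trusted, lookalike or unknown against an assumed list of approved domains. The lookalike checks are deliberately broad, so that result means "verify before acting", not "definitely phishing".

```python
"""Label a From: header as trusted, lookalike or unknown.

Added illustration, not from the original article; TRUSTED_DOMAINS is assumed.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = ("nhs.net", "nhs.uk")  # assumed list for the example


def levenshtein(a, b):
    """Edit distance, used to catch one-character swaps such as nhs.met."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Return the lowercased domain of the real address, ignoring the display name."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown'.

    'trusted' only says the domain is genuinely ours; a compromised NHSmail
    account still sends from a trusted domain, so it is not proof of safety.
    'lookalike' is deliberately broad and means 'verify before acting'.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"
    collapsed = domain.replace(".", "").replace("-", "")
    for good in trusted:
        # nhs.net.co, nhs-net.net, nhsnet.net: the real name buried in a longer one
        if collapsed.startswith(good.replace(".", "")):
            return "lookalike"
        # nhs.met, nhs.nett, nhsnet: one character changed, added or dropped
        if levenshtein(domain, good) <= 1:
            return "lookalike"
    return "unknown"
```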

Common examples in general practice 

  • Fake supplier invoices (for example, printers, maintenance). 

  • Messages claiming to be from NHS England or ICBs. 

  • Fake Docman or EMIS login alerts. 

  • Emails about “new patient referrals” or “clinical alerts” with links. 

  • Emails posing as your practice manager or GP partner requesting urgent transfers.

Build a culture of ‘Think Before You Click’ 

You don’t need formal training to create a cyber-aware team. Encourage: 

  • Staff to flag anything unusual - even if it turns out to be safe. 

  • Use of your shared inbox or IT contact for second opinions. 

  • Adding cyber awareness tips to monthly briefings. 

  • A no-blame attitude - if someone clicks, deal with it constructively. 


Final word: 60 seconds now could save 6 months of fallout 

Responding to a suspicious email is not about panic — it’s about pause. A moment’s caution can prevent a data breach, a ransomware attack, or an ICO investigation. Make sure every staff member knows what to do. Because in primary care, where speed and trust matter, cyber safety starts with everyday vigilance.  
