Phishing emails are now the #1 way fraud happens in Pakistan. They look professional, they spoof real banks, and they get smarter every year. The five-second checks below catch almost all of them.

1. Hover over the sender's email — actually hover

The display name says "HBL Bank Security." The actual email address is support@hbl-secure.online. The mismatch is the giveaway. Always check the actual address, not the display name.

2. Hover over every link before clicking

On desktop, hover. On mobile, long-press. The URL preview will appear. If it doesn't match the company's real domain (hbl.com, not hbl-verify.net), do not click.

3. Check the urgency

"Your account will be closed in 24 hours." "Click within 1 hour to claim your refund." Real banks don't operate on countdown timers. The urgency is the manipulation.

4. Look for generic greetings

Real banks address you by name. "Dear Customer" or "Dear Valued Client" is a sign the sender doesn't actually know who you are.

5. Check the grammar

Phishing emails are increasingly polished but still often contain subtle grammar errors: extra commas, awkward phrases, wrong tenses. A real bank email is reviewed by the bank's compliance team.
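
Checks 1 and 2 can also be run by a mail filter or by whoever triages a reported message. The script below is an added example, not part of the original article: it parses a constructed sample email and flags a sender address or link target that falls outside the bank's real domain. `TRUSTED_DOMAINS`, the sample message and the function names are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the bank's real domain, taken from the article's example.
TRUSTED_DOMAINS = {"hbl.com"}

# Constructed sample message modelled on the article's examples.
SAMPLE = """\
From: "HBL Bank Security" <support@hbl-secure.online>
Subject: Your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p><a href="https://hbl-verify.net/login">https://www.hbl.com/login</a></p>
<p><a href="https://www.hbl.com/help">Help centre</a></p>
"""

def is_trusted(host):
    """True only for a trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects every <a href>: the URL a hover or long-press reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_message(raw):
    """Findings for check 1 (sender address) and check 2 (link targets)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    if not is_trusted(addr.rpartition("@")[2]):
        findings.append(f"sender: '{display}' is really {addr}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    findings += [f"link: {h} goes to {urlsplit(h).hostname}"
                 for h in links.hrefs if not is_trusted(urlsplit(h).hostname)]
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

The first link in the sample displays an hbl.com URL as its text while its href points elsewhere, which is why the check reads the href rather than the visible text.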

What to do if you're unsure

Don't reply. Don't click. Don't forward. Open a new browser tab and type the bank's URL manually. Log in directly to verify. If the message was real, it will be in your messages inside the app. If it isn't there, it wasn't real.

What to do if you clicked

If you entered any details: change your password immediately from a clean device, call the bank, and check your transaction history. Time is of the essence in the first hour.