BT customers are being warned to be on the alert for scam emails saying they're about to be billed.
The email claims that a payment is due and will be taken by direct debit after eight days.
There's a button marked 'Log in to view your pending message' - and this is the dangerous bit, as clicking it leads to a request for personal information.
The scam was first spotted by a friend of a Which? employee. Luckily, she was savvy enough to realise it was a scam by checking the sender's details. While the email appeared to be from 'email@example.com address', a completely different address popped up when she hovered her cursor over the 'from' address – an address she didn't recognise.
Similarly, the account number and BT ID bore no resemblance to the real account number and ID. And when the woman logged in to her broadband account separately, she saw there was no such message.
"The time the recipient took to read the email saved her from handing over her details – and ultimately giving fraudsters access to steal her money," says Melissa Massey, Which?'s consumer rights digital producer.
"Sneakily, this scam phishing email came through at about 7.00am – a time of day when people are often in the throes of getting ready for work or commuting, so may have rushed to act on this in the heat of the moment."
The new scam follows hard on the heels of another targeting BT customers and claiming to be able to fix the effects of the WannaCry ransomware attack.
Which? advises people to follow a few simple steps to reassure themselves that an email is the real thing.
First, do as the recipient above did, and hover your cursor or right-click on the sender's name to see the email address it really came from. The same goes for any links you're invited to click.
Second, check the wording: an impersonal greeting or bad spelling and grammar should be warning signs, as are dodgy-looking logos and the like.
And if you do think the email might be genuine, you still shouldn't click on any links, but go to your account via the company's main website instead.
Finally, never, ever give away your bank details or any personal information.