By Jack Sheppard - Last updated:
We’ve all encountered financial scams online before, whether it is an email from Apple saying you’ve won a free iPhone, or from a Nigerian prince offering you his large fortune. However scams are getting harder to spot, and are no longer just aimed at people who should know better.
The advent of social media and data sharing has meant it’s now much easier for scammers to get your personal information and either steal your money directly or con you into giving it to them yourself. This guide lists some of the most common online scams, with tips on how to notice and avoid them.
Phishing is the type of scam many people will be most familiar with. You get an email from a seemingly legitimate company, such as your bank or insurance provider, telling you that something is wrong with your account, and asking you to click a link.
These links will direct you to a malicious website, containing malware that will be downloaded onto your computer to send personal and financial information to the phisher.
The email may alternatively contain an attachment which the sender may request that you download, but the principal is the same in either case.
These emails are almost always sent by bots to hundreds of recipients at a time, in the hope that some people will be naive enough to click the link contained within, hence the term “phishing”. They may be poorly written with spelling and grammar mistakes, and might not be formatted correctly, but scammers are becoming more professional, and it is a lot harder to tell the genuine email from the spam.
Many phishing emails will copy the email format used by genuine companies, and will also have links that on first glance appear legitimate. This is done by buying URLs that are very similar to legitimate websites, for example Santander.1.co.uk, or L!oyds.co.uk.
They may also write the address of a legitimate website but link it to a malicious site. To tell the legitimate site from the fake, hover your mouse over a link and check the bottom left-hand side of your screen. This will show you where the hyperlink will actually take you.
So if there is a link that says apple.com but the link shown in the bottom left-hand corner says anything other than this, you know that the email is not legitimate. The true destination of the hyperlink however can be hidden by the phisher by using a link shortening service, such as Bitly, therefore making it even harder to tell the legitimate link from the malicious one.
If the junk mail filter on your email account is good enough, a lot of phishing emails will be filtered into that folder, but some will always fall through the filter, particularly if they look professional. Another way to ensure that the email is genuine is to look at the email address it has been sent from.
As the majority of emails are sent from bots, the email addresses themselves will be generated by bots, and so may be a random collection of letters or numbers e.g. email@example.com. Even if this is not the case, they will not be sent from a legitimate address. For example, if the phisher claims to be from Amazon, you can expect the email address to end with @amazon.co.uk.
Always double and triple check
If you’re still unsure whether the email you have received is genuine or not, go to the website directly, rather than clicking the link provided. You can then check your account yourself or email customer services to check if they had actually emailed you.
There are many different types of phishing that scammers use to attempt to get your money. “Spear phishing”, for example, targets specific people or groups of people. These attacks will often be well researched and may contain personal details about yourself or people you know, which they would’ve got from social media or your company’s website.
Despite what the email may contain, they are no different from any other phishing emails in their aim, and you should ignore them and refrain from clicking any links on the email. However, if the email contains personal information that isn’t publically available, or is threatening in nature, you may want to contact the police.
Although a lot of phishing techniques rely on the victim accidentally downloading a virus by clicking a link or attachment, some techniques are a lot more complex. Pharming is done by redirecting traffic from a legitimate website to a malicious clone that looks identical to its legitimate counterpart. The aim of this is to trick you into attempting to log into the cloned website so they can then use this information to steal from your account on the genuine site.
Evil twin wifi, despite its cheesy name, is a very effective and dangerous phishing technique. Evil twin wifi is where a phisher will set up a wifi point with a very similar name to the legitimate access point. If you connect to the “evil twin” standpoint, the attacker can view everything you do on your computer whilst you are logged in, and then use this information for financial gain.
Despite most phishing occurring online, there are still a lot of attackers who phish by sending SMS messages. These work in exactly the same way as traditional phishing; the attacker will send you a text message claiming to be from a legitimate company and asking you to click a link. Although it can be hard to identify a genuine text from a scam, most banks and legitimate companies won’t send you a link over text, and instead will ask you to log in directly.
However, even if you believe the link may be from a legitimate company, you can Google the number you have received the text from to see its origin. Chances are that if it’s not a British number, the text is not genuinely from your bank.
Voice Phishing is also another common occurrence. An attacker will contact you over the phone or a VoIP service, such as Skype, claiming to be from a legitimate company. These calls will often be pre-recorded on a machine, and will ask you to call back on a specific number, or give them personal information directly.
You could ask the caller to give you some more information, such as your address to prove their legitimacy; however, it’s possible that an attacker may already have this information. The best thing to do in this scenario is to hang up immediately and call the company back on a different phone yourself, using the number listed on their website.
This one is becoming more and more common, with the increase in short term loans. Victims will get a call from someone claiming to be from a short-term loan company, offering a loan, but saying that the victim will need to pay an upfront fee first. The scammer may also claim that the up-front payment is a refundable deposit, however, once this payment is received, the scammer will disappear without the loan being paid.
Scammers will often target the financially vulnerable, including people who have taken out multiple loans in the past, or who have had applications rejected. The best thing to do if this happens to you is just ignore the call. Legitimate lenders may charge you to apply, for appraisals or credit reports, but will never require you to pay up front for the loan itself.
If you have any doubts, check to see if the company is authorised by the Financial Conduct Authority. All loan companies have to be authorised by the FCA, and if they are not, you will not be protected by the Financial Ombudsman Service if things go wrong.
Identity theft is becoming one of the most common crimes in this country, with 175,000 individual cases last year alone. An identity thief uses personal data, from stuff as simple as your full name, date of birth, or address, or more complex data, such as your credit card details or bank account numbers. With people sharing much more personal information online, through mediums such as social media, identity theft is becoming a lot more common.
Despite being known as identity theft, it rarely involves any physical theft, and the thieves are much more likely to use your identity and set up and bank accounts or take out a mortgage in your name. They may also use your identity to commit criminal activity, such as laundering money or buying or selling drugs.
It can be difficult to spot identity theft immediately, as the criminals are often one step ahead of their victims, and have taken precautions to cover their tracks, however, if you keep track of your finances and are eagle-eyed, there can be clear signs that your identity is being stolen. For example, things such as letters demanding payments from an account that you didn’t set up, unexpected transactions from your bank account or being turned down by a lender because of a poor credit score are all signs that someone may have stolen your identity.
If you have been a victim of identity fraud involving a credit, debit or bank account, you should contact your bank immediately. They will then freeze transactions from your account, and should refund any money that has been stolen. They are also in charge of any investigation into the fraud, meaning that they will contact the police on your behalf. If you are the victim of any other type of fraud, contact the relevant organisation, and then contact the police if that’s what they advise.
Check personal documents, such as passports, driving licences, cards, and cheque books and report any that are missing to the relevant authority. You should also contact Royal Mail if you believe that your mail is being stolen or is being fraudulently redirected from your address. They have an investigative department that will look into this for you.
Finally, get a copy of your credit report. This will show any searches done by a lender, and credit accounts set up in your name. If there are any companies that you don’t think you have dealt with, contact them immediately. If fraud has been committed, contact the police.
If fraud hasn’t been committed however, there are a number of things you can do to protect yourself from an attack. Firstly, ensure that you have a secure password. The traditional advice is that a strong password should be at least twelve characters long (although some websites may have a higher or lower minimum), have a mix of upper and lower case letters, numbers, and symbols. This is good advice, but with this advice alone, people tend to have very basic passwords. These include using the name and date of birth of a family member, such as Wilson87 (which is really easy for hackers to guess), or replacing letters in a very basic word with numbers, such as P455w0rd, which is also very easy to guess.
You could set up a password that is just a selection of random characters, such as Wr:fbu23!y, which would be very secure, but difficult to remember. Instead, use a sentence or phrase you know and can remember as the basis of your password. For example, you could initialise a simple phrase such as “My name is John Smith, and I live at 54 Main Road” to MniJS,aIla54MR. This is a very secure password, at fifteen characters long, and uses a mixture of all types of characters, but can be easily remembered.
Alternatively, you could create a password based on the position of keys on the keyboard, for example, `qsCft6yjMko0 may just look like a series of random numbers and letters, but is actually the letters pressed when writing a “W” across the keyboard, from left to right, capitalising the letters on the bottom row.
Other things you can do to decrease your risk of identity fraud is ensure that all mail you receive with personal details on, even if it’s just your name and address, is shredded before being thrown away. If you move house, you should also ask Royal Mail to redirect any mail to your new address for at least a year, to ensure that it doesn’t fall into the wrong hands. Keep all your personal documents in a safe place, and if you lose your bank card, or anything that allows access to your account or financial information, call your bank immediately.
Like with phishing, don’t accept cold calls or emails. If someone calls you claiming to be from your bank and asks you for personal details or you simply don’t trust them, hang up and call the bank yourself from a different number. Keep your details close - don’t write your passwords down on a piece of paper or even your phone, and ensure you cover your PIN at an ATM. You should also protect the identity of deceased family members. As disgusting as it is, fraudsters will often target the deceased and steal their identity, as it is harder for this to be noticed.