Scam emails and texts
Scam emails (phishing) or scam texts (smishing) are when a fraudster attempts to trick you into sharing your information. They may get you to fill in a form, make a payment or take you to a fake website via clicking on a link in an email or text.
Their goal is to gain access to your sensitive information such as usernames, passwords, credit or debit card details or anything else they can use to take your money. But these email and text scams are no longer always obvious and full of spelling errors. They often appear to be from genuine, reputable sources, even appearing to come from real companies you know and use, or claiming to be your friends or family. Fraudsters can copy names, logos and phone numbers to look like the real thing.
In this section:
What do scam emails and texts look like?
Step 1: The fraudster creates a fake message and selects you as a target
You receive an email or text that appears to be from an organisation you know and trust, like HMRC, or a frequently used courier service. The fraudster has carefully crafted this message to look real. Fraudsters often create a sense of urgency around making payments or clicking on a link. They might use threatening language to get you to act without thinking.
The link or attachment on the email or text could contain and install malware when you click it. This allows the fraudster to directly steal information, or remotely gain control of your device, without you even having to enter any details.
Step 2: You click the link in the email or text the fraudster sent to you
You are led to a fake website.
The fraudsters aim is to get your sensitive information. You might be asked to enter login credentials, credit card numbers, or other sensitive details they can use to access your accounts.
In your state of panic, you enter the sensitive information into the fake website.
Step 3: The fraudster exploits you
Depending on the information they have, the fraudster might gain access to your accounts to steal your money. Or they might sell your data on the dark web where you could be targeted by other fraudsters.
Did you expect a message?
If you get a message out of the blue that you were not expecting about a payment or asking you to share your details, log-in somewhere or change your security, this is a scam.
Check who an email came from by hovering your cursor over the email address or by tapping the name on a mobile device. If this does not match the sender’s name, it's a scam.
Do they want you to follow a link?
Following just one link in an email or text could compromise your device, identity and online safety.
Always check links carefully to make sure they are genuine. If in doubt, go to the website directly. Contact the company or person on a number you trust to verify their request.
Is there urgency around the message?
Fraudsters want you to react quickly and without thinking. They create urgency because they want to scare you into handing over any information they can use, as quickly as possible.
Be wary of any messages telling you that your accounts are compromised, threatening legal action or asking you to act within a matter of minutes or hours.
Remember, never share your customer ID, user ID, or security details with anyone.
Scam phone calls
Phone call scams, also known as vishing (voice phishing), are when a fraudster attempts to trick you into sharing information or making a payment over the phone. Fraudsters sometimes 'spoof' a legitimate phone number so it appears they are calling from your bank or other reputable company.
If someone asks you to tell them sensitive information or to move your money for safety reasons, hang up the call. This is a scam. We will never ask you to reveal any of this information to anyone, not even us.
How do scam phone calls work?
Step 1: The fraudster gets your details, then gives you a call pretending to be someone you trust
The fraudster needs to obtain your phone number and personal details from somewhere before they call you in order to win your trust. This often happens through scam emails and texts first. They could have your bank or card details, or other personal details to seem like they know you well.
The fraudster spoofs their number to look like they are calling from the Bank, the police, or government.
You answer the phone call, and they convince you of who they are with the information they have about you.
Step 2: The fraudster builds a story, playing on your emotions, to get you to do what they ask
The fraudster builds a convincing story. They might make you feel scared, worried and rushed to act fast.
They might pretend to be from the Bank's fraud department or the police, claiming there is fraudulent activity on your account and that you need to move your money to a 'safe account'.
Step 3: The fraudster gains access to your sensitive details or money and takes action
The fraudster applies pressure and convinces you to provide personal or sensitive information, or even convinces you to send money to an account that they have control of.
They might isolate you by claiming the situation is confidential and say you must not tell anyone.
Avoid falling victim to scam phone calls
Here are our key tips to protect yourself against scams next time you receive a phone call:
- never share your customer ID, user ID, or security details with anyone
- be wary of unexpected phone calls even if the caller already seems to know personal details about you, this does not mean that they are genuine
- call back on a trusted number fraudsters can fake phone numbers (spoofing), so do not reply on caller ID to tell you if someone is genuine.
Scam QR codes
QR code scams, also known as quishing (QR code phishing), are on the rise. QR codes are a type of barcode that store information in pixels in a square-shaped grid. You may have used them when ordering from a menu at a restaurant, to get into an event, at a car park, or to post a package. QR codes can be read easily and quickly by your mobile device which makes them a great way to share information.
But as the use of QR codes increases, fraudsters are taking advantage by creating QR codes to carry out their scams.
Step 1: The fraudster creates the QR code
The QR code could link to a malicious website, download malware to your device, or direct you to a fake payment portal. The fraudsters aim through all of these methods is to get your sensitive information and money.
Step 2: The fraudster places the QR code
QR codes online - The fraudster might distribute the QR code through email, social media, on websites, or messaging apps. It could appear to be legitimate communication, advertising a promotion or attached on a fake invoice.
QR codes in the real world - The fraudster might place the QR code on menus, tables, posters, letters, parcels, car park payment machines, or even over legitimate QR codes in public places.
Step 3: The fraudster encourages you to scan the QR code
The fraudster presents the QR code in a way that encourages you to scan it. They might offer discounts or promotions, offer convenient access to information or a menu, or they might state urgent action is needed like account verification or an invoice to be paid. They could even use company branding or logos to make it look more legitimate.
Step 4: The fraudster gets hold of your sensitive information
You scan the QR code and you are unknowingly taken to a phishing website.
You enter your sensitive information. The fraudster now has access to your details, which they can use to make fraudulent transfers.
Avoid falling victim to QR code scams
Here are our key tips to protect yourself against QR code scams.
Make sure the QR code has not been tampered with
Before you scan a QR code in a public place, make sure it has not been tampered with. A sign of this is a sticker placed over the original QR code. Do not scan these QR codes as they could be a scam.
Check the QR code link
Many devices will allow you to preview the URL when you go to scan a QR code. Make sure the website address is legitimate by checking:
- that the URL is something you recognise and looks as it should
- it does not have misspellings or misplaced words
- that the URL has a padlock symbol and begins with "https://" as this means your connection to the website is encrypted and cannot be intercepted.
If in doubt as to whether the QR code is genuine, you should go to the website or app directly, or speak to a member of staff if you are in a shop or restaurant.
Scam emails, texts, phone calls and QR codes all have the same end goal of stealing your sensitive information and money. As fraudsters’ tactics continue to evolve and become harder to spot, understanding how these scams are carried out can help you to stay alert and keep your money safe.
Remember to always stop and think before you click on any links or enter your sensitive information.