Skip to main content
Personal
Business
Commercial
Log in to Personal Banking
The Co-operative Bank
or
Register

Scam emails, texts, calls and QR codes - how to spot and outsmart the scammers

Fraudsters are getting access to your personal details. If you’re not alert, that is.

We all may think we will never become a victim of a scam, but fraudsters are always looking for new and smarter ways to trick us. Could you outsmart a scammer as their tactics become increasingly undetectable?

Read on to find out what scam emails, texts, calls, and QR codes really look like, and the red flags to look out for to keep your details and your money safe.

On this page:

Scam emails and texts

Scam phone calls

Scam QR codes

Scam emails and texts

You can trust the name that the text or email came from, right? Wrong.

Scam emails (phishing) or scam texts (smishing) are when a fraudster attempts to trick you into sharing your information. They may get you to fill in a form, make a payment or take you to a fake website via clicking on a link in an email or text.

Their goal is to gain access to your sensitive information such as usernames, passwords, credit or debit card details or anything else they can use to take your money. But these email and text scams are no longer always obvious and full of spelling errors. They often appear to be from genuine, reputable sources, even appearing to come from real companies you know and use, or claiming to be your friends or family. Fraudsters can copy names, logos and phone numbers to look like the real thing.

In this section:

What do scam emails and texts look like?

Avoid becoming victim to scam email or text

What do scam emails and texts look like?

Step 1: The fraudster creates a fake message and selects you as a target

You receive an email or text that appears to be from an organisation you know and trust, like HMRC, or a frequently used courier service.

You look over the message and it appears legitimate. The sender name matches the company. They’re using the company’s logos and you cannot spot any spelling errors.

The fraudster has carefully crafted this message to look real. But it is not. They have created a sense of urgency by telling you that you need to make a payment now or sign into your account. They might have mentioned account suspension, a security alert, a time-sensitive offer, or a threat of some kind. They get you to act without thinking.

Two smart phones displaying a text message and email that appear to be from HMRC. Both encourage the user to make a tax refund by clicking on hyperlinks.

The link or attachment on the email or text could contain and install malware when you click it. This allows the fraudster to directly steal information, or remotely gain control of your device, without you even having to enter any details.

Step 2: You click the link in the email or text the fraudster sent to you

You are led to a fake website. But you do not realise this because it looks genuine, just like the email or text you received.

The fraudsters aim is to get your sensitive information. You might be asked to enter login credentials, credit card numbers, or other details they can use to access your accounts.

In your state of panic, you enter the details the website asks for.

Step 3: The fraudster exploits you

The fraudster now has your details. Depending on the information they have, they might use them to immediately steal money or gain access to your accounts. Or they might sell your data on the dark web for other people to use to make purchases, or for future scams.

A smart phone displaying a website that looks like the genuine HMRC website. The website shows a form for the user to enter their details.

Avoid falling victim to scam emails and texts

Here are our key tips and things to think about next time you receive an email or text.

Did you expect a message?

If you get a message out of the blue that you were not expecting about a payment or asking you to share your details, log-in somewhere or change your security, this is a scam.

Check who an email came from by hovering your cursor over the email address or by tapping the name on a mobile device. If this does not match the sender’s name, it's a scam.

Do they want you to follow a link?

Following just one link in an email or text could compromise your device, identity and online safety.

Some links may lead to fake websites or forms that allow the fraudster to steal your details by getting you to enter them. Other links could download viruses or malware to your device without you realising. This means the fraudster can spy on you through your device to steal your information.

Do not click too quickly. Even if the link might appear genuine at first glance, this does not mean it is legitimate. Check the text of the link carefully.

If in doubt, find the website through a search engine or your search bar and contact them directly to check if the message is genuine. Use a phone number you trust and not the details or links in the email or text.

Is there urgency around the message?

Fraudsters want you to react quickly and without thinking. They create urgency because they want to scare you into handing over any information they can use, as quickly as possible.

Be wary of any messages telling you that your accounts are compromised, threatening legal action or asking you to act within a matter of minutes or hours.

Two smart phones displaying an email and contact card that appear to be from HMRC. The email has HMRC circled in red and the contact card shows a suspicious email address.

Never share your verification codes or one time passcodes (OTP)

Never share a verification code (OTP) or card details with anyone who contacts you, even if they claim to be from a reputable company or the Bank. Banks, the police, and other organisations will never ask you to disclose your verification code (OTP) or any other security information.

Carefully check over the details of the message

Remember, fraudsters can fake names and numbers in texts and emails to look like they are from a genuine company or person. This is known as 'spoofing'.

Allow yourself enough time to check a message from top to bottom when you are not busy or distracted, as this is exactly what fraudsters are relying on you to not do.

You could also use a search engine to see if the email or text you have received matches other reports of the scam, for example, entering 'HMRC scam' into the search engine.

Two smart phones displaying a website and text message. The website shows a verification code has been sent to a mobile number and displays a field to enter the verification code. The text message displays a verification code with a red cross over the corner of the screen.

Scam phone calls

You can trust the voice of the person on the other end of the phone because you know who is calling you, right? Wrong.

Phone call scams, also known as vishing (voice phishing), are when a fraudster attempts to trick you into sharing information or making a payment over the phone. Fraudsters sometimes 'spoof' a legitimate phone number so it appears they are calling from your bank or other reputable company.

If someone asks you to tell them sensitive information like your card details, verification codes (OTP) or to move your money for safety reasons, hang up the call. This is a scam. We will never ask you to reveal any of this information to anyone, not even us.

In this section:

How do scam phone calls work?

Avoid becoming victim to a scam phone call

How do scam phone calls work?

Step 1: The fraudster obtains your details, then gives you a call pretending to be someone you trust

The fraudster needs to obtain your phone number and personal details from somewhere before they call you in order to win your trust. This often happens through scam emails and texts first. They could have your bank or card details, or other personal details to seem like they know you well.

The fraudster spoofs their number to look like they are calling from the Bank, the police, or government.

You answer the phone call, and they convince you of who they are with the information they have about you. They build rapport with you, and they’re friendly. Why would you not trust them?

A smart phone displays a call from what looks like The Co-operative Bank. A speech bubble to the side of the smart phone shows a friendly conversation.

Step 2: The fraudster builds a story, playing on your emotions, to get you to do what they ask

The fraudster builds a convincing story. They might make you feel scared, worried and rushed to act fast.

They might pretend to be from the Bank’s fraud department or the police, claiming there is fraudulent activity on your account and that you need to move your money to a 'safe account'. Or they might claim to be a distressed relative claiming a loved one is in danger and needs money urgently to help.

A smart phone displays a call from what looks like The Co-operative Bank. A speech bubble to the side of the smart phone shows a conversation which encourages the user to move their money into a safe account.

Step 3: The fraudster gains access to your sensitive details or money and takes action

The fraudster applies pressure and convinces you to provide personal or sensitive information, or even convinces you to send money to an account that they have control of.

They might isolate you by claiming the situation is confidential and say you must not tell anyone.

The fraudster may quickly transfer funds now they have this information, or make unauthorised purchases using your details. They may continue to manipulate you further for more money or details too.

A smart phone displays a call from what looks like The Co-operative Bank. A speech bubble to the side of the smart phone shows a conversation asking the user to share their account details and password.

Avoid falling victim to scam phone calls

Remember these key tips and stop to think next time you get a phone call.

Be wary of unexpected phone calls

A genuine company will never call you and ask you to move money. They will never ask you for sensitive information like your card details, PIN number, full security information, or verification codes (OTP). Even if the caller already seems to know personal details about you, this does not mean that they are genuine.

Never share your security information in full with anyone

Never share your card details or security information in full with anyone. Never share your verification code (OTP). Not even with us.

Call back on a trusted number

Do not rely on the caller ID display on the phone to check if the caller is genuine. Fraudsters can manipulate this. It is best to hang up and call back on a trusted number if you have any doubts about the phone call at all. Do not feel pressured to stay on the phone. A genuine company will understand if you wish to call them back.

Two smart phones displaying a website and text message. The website shows a verification code has been sent to a mobile number and displays a field to enter the verification code. The text message displays a verification code with a red cross over the corner of the screen.

Scam QR codes

QR codes are everywhere, so they cannot be harmful, right? Wrong.

QR code scams, also known as quishing (QR code phishing), are on the rise. QR codes are a type of barcode that store information in pixels in a square-shaped grid. You may have used them when ordering from a menu at a restaurant, to get into an event, at a car park, or to post a package. QR codes can be read easily and quickly by your mobile device which makes them a great way to share information.

But as the use of QR codes increases, fraudsters are taking advantage by creating QR codes that lead to fake websites to steal your information, or links containing malicious software that will download to your device. This allows a fraudster access to your personal and financial details, maybe without you even realising.

In this section:

What does a QR code scam look like?

Avoid becoming victim to a QR code scam

What does a QR code scam look like?

Step 1: The fraudster creates the QR code

The QR code could link to a malicious website, download malware to your device, or direct you to a fake payment portal. The fraudsters aim through all of these methods is to get your sensitive information and money.

A QR code example - scanning this code using your phone will open the google website on your phone’s default browser.

Step 2: The fraudster places the QR code

QR codes online - The fraudster might distribute the QR code through email, social media, on websites, or messaging apps. It could appear to be legitimate communication, advertising a promotion or attached on a fake invoice.

QR codes in the real world - The fraudster might place the QR code on menus, tables, posters, letters, parcels, car park payment machines, or even over legitimate QR codes in public places.

An illustration of an invoice with a QR code. To the side of the invoice is a smart phone displaying a QR code with the word 'pay' below. Scanning this code using your phone will open the google website on your phone’s default browser.

Step 3: The fraudster encourages you to scan the QR code

The fraudster presents the QR code in a way that encourages you to scan it. They might offer discounts or promotions, offer convenient access to information or a menu, or they might state urgent action is needed like account verification or an invoice to be paid. They could even use company branding or logos to make it look more legitimate.

A smart phone displays a congratulations email with a QR code, conveying that the user needs to scan a QR code to claim a prize. Scanning this code using your phone will open the google website on your phone’s default browser.

Step 4: The fraudster gets hold of your sensitive information

You scan the QR code and you are unknowingly taken to a phishing website.

You enter your sensitive information - username and password, as well as your credit card details. The fraudster now has access to your details, which they can use to make fraudulent purchases.

Two smart phones displaying an email and website form. The email displays a congratulations email with a QR code, conveying that the user needs to scan a QR code to claim a prize. The website form asks for personal details. Scanning the QR code using your phone will open the google website on your phone’s default browser.

Avoid falling victim to QR code scams

Here are our key tips and things to think about next time you come across a QR code.

Make sure the QR code has not been tampered with

Before you scan a QR code in a public place, make sure it has not been tampered with. A sign of this is a sticker placed over the original QR code. Do not scan these QR codes as they could be a scam.

Check the QR code link

Many devices will allow you to preview the URL when you go to scan a QR code. Make sure the website address is legitimate by checking:

  • that the URL is something you recognise and looks as it should
  • it does not have misspellings or misplaced words
  • that the URL has a padlock symbol and begins with "https://" as this means your connection to the website is encrypted and cannot be intercepted.

If in doubt as to whether the QR code is genuine, you should go to the website or app directly, or speak to a member of staff if you are in a shop or restaurant.

Scam emails, texts, phone calls and QR codes all have the same end goal of stealing your sensitive information and money. As fraudsters’ tactics continue to evolve and become harder to spot, understanding how these scams are carried out can help you to stay alert and keep your money safe.

Remember to always stop and think before you click on any links or enter your sensitive information.

Not found what you're looking for?

Contact our support team

Visit a branch
Call us