10 min read

How to spot phishing email and phone scams

Tim Mitchell
25 March 2020

We've teamed up with fraud expert Tim Mitchell from Get Safe Online to help you stay one step ahead of the fraudsters and spot even the most cunning of scams.

It’s a common scenario: you open up your emails and there in your inbox is an email congratulating you on your million pound win. All you have to do is click the link to share all your account details and pay £100 to cover the transfer fee. It can be pretty easy to scoff at examples like this. After all you’d never fall for it, right?

But losing money to a scam is much easier than you’d think. In fact, 190,000 cases of identity fraud were reported in 2018. Anyone can fall victim to an online scam and end up losing money. And as technology gets more sophisticated and we share more and more online, it's going to be even more important to equip yourself with the tools to prevent yourself from becoming another statistic.

So, to help stop it happening to you, we’ve teamed up with fraud expert Tim Mitchell from Get Safe Online, the longest-running and one of the most respected sources of information and advice on internet safety and avoiding fraud in the UK. With his help you'll be able to identify even the most cunning of online scams to keep your money and your identity safe online.

What is the number one type of fraud that you think our users need to be aware of in 2018?

The biggest issue at the moment is definitely people falling victim to what we call ‘social engineering’ fraud. This simply means manipulating or tricking someone into performing certain actions, such as divulging personal or financial information. A con, in other words.

Unfortunately, financial fraud has always been a massive issue, but as we live more of our lives online more and more people are becoming vulnerable to this type of fraud, and more and more people are losing money to it. But social engineering is an easy one to avoid, if you know the warning signs.

Check for fraud and see all your accounts in one place in your ClearScore

To help our users steer clear, how do these social engineering scams trick people into handing over too much information?

At Get Safe Online we've seen how social engineering scams come in all shapes and sizes ranging from the ridiculous to the nearly impossible to identify. And unfortunately people are falling for these every day. Here are the mains ones you need to be aware of:

Email scams

Scams are very common via email, so make sure you pay attention to what lands in your inbox. Fraudsters often pretend to be someone official such as a bank, online retailer, or a government agency. They’ll then ask you to share confidential private information such as your banking details or login details to your accounts. Some fraudulent emails contain an attachment which, if clicked, can lead to a virus or even spyware being downloaded on to your computer or mobile.

Social media scams

We’ve seen a big rise in people losing money through social media, and I reckon we’ll see this one grow over the next few years. You may have seen Facebook posts promising a free £50 supermarket voucher in return for clicking on a link. Just consider why a supermarket would give money away like this before you click.

So does this sort of thing only happen online or should we be keeping watch elsewhere too?

*Phone call scams

It's certainly not all online, in fact some of the most convincing scams come via a phone call. Typically, you’ll get a call from someone claiming to be from your bank, telling you that your account has been ‘hacked’ or taken over by an unauthorised user, and that the bank needs your OK to move your balance into a new account. In reality a bank would never ask for your details over the phone.

Another kind of phone call scam is the computer support scam. I was working at an online safety event recently, and a man told me that his computer had been locked by ransomware, asking me how this might have happened. He swore that, knowing the dangers, he hadn’t clicked on any links or attachments. It was only after probing, that he told me he’d had a call from ‘Microsoft’ a couple of weeks earlier, and the nice operative on the other end had fixed his problem. What had in fact happened, is that the caller was a scammer, who had infected his computer with the malware. Not only that, but he’d been charged as well!

What are the main warning signs that will help users identify even the trickiest of scams?

Is the email threatening you to take action RIGHT NOW?

Typically, emails claiming to be from your bank, the DVLA or the police will tell you that there’s a problem that will result in your money or identity being put at risk, and will urge you to click through to a website to take action. This will normally involve supplying your confidential login details. Any email that asks you to take action immediately is likely to be suspect. It’s designed to make you flustered in the hope you’ll make a mistake.

Have you been promised a reward, a competition win or a tax refund?

Any email or call claiming to be giving you money should be considered with a watchful eye. Especially if they are demanding your details in order to claim it. Reveal your logins, and a fraudster has free rein to get into your bank account (and maybe other accounts if you use the same details).

Could the email have been sent to anyone?

Generic greetings like 'Dear Sir or Madam' or 'Dear valued customer' are an easy sign that this email has probably been fired off to as many email addresses as possible, rather than an email from a real person or company.

It can sometimes be tricky to identify a dodgy link. The key is to check that the domain name matches the legitimate one (which you can find through a quick google search).

Here’s an example. Let’s say you’ve got an email asking you to follow a link to reactivate your account with PayPal. How can you tell if these links are the real deal or a fake?

The trick here is to look for the first hyphen (/) after the http:// and then go back to the next two dots. What's in between those is the true domain name and tells you what site you'll be accessing if you click. You can see that actually none of these have a domain name of paypal.com or paypal.co.uk. The first may have PayPal in it, but it’s really taking you to a site ‘paypal-reactivate.com’, the second to ‘reactivate-account.com’ and the third is directing you to the even dodgier sounding ‘11982pypl.com’.

If you’re not sure about a link, type it into your browser before clicking on it so that you can see the full address.

If you get an email that seems to come from someone a bit odd, how can our users be sure it's a scam?

A fake email is one of the hardest things to spot as fraudsters can get pretty cunning. Let’s try out another example. Which of these do you think could be a scam account?

  • paypal@accounts. com
  • customerservcie@santender. com

Actually, both of these addresses are probably fake. With the first one the domain name is ‘accounts.com’ so this could literally be from anyone. Always check that the correct company name comes after the @ as that will confirm who it's really coming from. The second one is easy to miss, but the giveaway here is that there are a few spelling mistakes, particularly in the name of the bank. This is another clear sign of a scam.

And finally, what do you think is the one crucial thing that will help make sure our users stay one step ahead of the fraudsters?

The most crucial thing that's going to help keep your money safe online is being aware of how often scams happen and how easy they are for anyone to fall for. The “it’ll never happen to me” attitude is what fraudsters take advantage of every day.

We recently did some research to investigate this and the results were pretty shocking. 80% of respondents to our survey said they could confidently identify a fraudulent approach. However, in a separate test of over 63,000 people, only 9% who completed our quiz scored full marks. That's a pretty eye-watering stat and just goes to show how anyone can become a victim, however smart or savvy.

To help stop this, it’s all about changing your mindset so that you remain vigilant (but not paranoid). Always just take 5 minutes to stop and think before clicking on a potentially fake link or attachment, or giving information out over the phone. While online fraud is a big issue at the moment, the big thing to know is that you can often easily prevent it, if you keep an eye out.

by Tim Mitchell

Tim works for Get Safe Online, one of the leading organisations helping people to protect themselves and their money online. He produces all their helpful content across their website. He’s always writing, researching and talking to other experts to make sure they’re always providing the best help for everyone. He's shared his expertise especially with ClearScore.

ClearScore exists to make your finances simple.
We offer a free service where you can handle everything to do with credit in one place. In your ClearScore account, you can see your credit score and the full details of your credit report. Your credit cards, mortgages, mobile phone contracts, loans, overdrafts and utilities all on the record. Our goal is to make ClearScore as simple, calm and straightforward as possible. Money is stressful enough.