Scam emails – how to spot and avoid falling for them

Have you ever asked yourself “Is this a scam email”? If so, you are not the only one. More and more people are receiving questionable emails and are therefore having to become more and more savvt about the methods that scammers use. You might think “I’m not very interesting” or “I’m not very rich” so no-one would bother stealing your identity, but cyber criminals and hackers don’t think like that. Whether you lose money, or personal information, scammers can make a lot of money either way – those details may even end up on the black web being sold. If in doubt, about any email, report it to Action Fraud and delete the email. The majority of companies will have other methods of contacting you if it was a legitimate email.

Some of the most commonly “spoofed” or faked emails appear to come from Amazon, HMRC, iTunes (or Apple), eBay and PayPal. It is worth always double checking emails from them in particular. It is important to note that just because you receive a scam or spoofed email, it doesn’t mean your account with any of these companies has been compromised. Scammers will usually blindly send out their fake messages and you may receive a scam email from a company who you have never been a customer or client of, and if you are a customer of them it is probably just a coincidence.

Popular Scam Emails

TV Licence Scam Email

Earlier in 2020, the TV Licence scam email made national headline news with the resurgence of people receiving emails and being scammed. They are (on the whole) very convincing looking, and they were playing on the fact that the TV Licence was about to run out, causing people who didn’t want to end up with a fine clicking through the link and entering personal information. TV Licensing have even put a page on their website about the emails.

Amazon Scam Email

Being a massive global company, Amazon is a popular target for scammers, as such a high percentage of people have an Amazon account. Some of them are really very authentic looking, but some, like the one I received below are less convincing. If you receive an email from Amazon and you are not convinced it is from them, as well as reporting to Action Fraud, Amazon ask you to report it as well. You can find out more about what they want you to do here.

HMRC Scams

HMRC (Her Majesty’s Revenue & Customs) are another popular target for scammers. Sometimes they are not just emails, they can be in the form of text messages, phone calls, direct messages on social media, and even through Whatsapp. It is important to check with HMRC which communication methods they use (for example they will never ask for personal or financial information in a text message) and report suspicious contact if you receive anything.

eBay & PayPal Scam Emails

eBay and PayPal scam emails are incredibly common as well. You can report any emails to them at this page for eBay and this page for PayPal.

Apple and iTunes Scams

Apple and it’s brands are another company which is targeted a lot by scammers. It might take the form of a scam email, or it might be a pop up, calendar invitation, software download prompt, support call or a message. Find out what to do if you receive questionable communication from Apple here.

Netflix Scam Emails

Netflix is another target for scammers, but they will never ask for personal information by texts or emails. They also ask you to forward any phishing or suspicious emails or texts to them. Check the details here.

DVLA Scams

The DVLA (Driver and Vehicle Licensing Agency) has received a 20% increase in the number of scams relating to vehicle tax. They have released their own information about scams and how to stay safe online, which you can find here.

DWP and Universal Credit Scam

There has been a large increase in scams relating to the DWP (Department of Work and Pensions) with Universal Credit claimants in particular being targeted. It involves someone offering to submit your claim for a an advanced payment on your behalf, and them taking an admin fee. You will need to return your full advanced payment, including the fees you have paid, which means you will be left short. if you are claiming Universal Credit, you probably really need that money, so it’s best that you apply directly. It’s also worth checking that you aren’t going to end up worse off if you switch from the benefits you are on to Universal Credit before applying, whereas a scammer isn’t going to care about that. Money Advice Service has comprehensive information about this scam and how to avoid it.

What is Phishing?

Phishing is an online scam by someone using e-mail or malicious websites to get personal or confidential information. The attacker sends a fake or phishing email which will (usually) look real. It would probably have a link or an attachment. When you click the link, it can take you to a fake site that looks and feels like the original. The site may ask you to confirm your identity and ask you to put in some confidential information such as your password or bank details, or the answers to popular security questions such as your mother’s maiden name. It may also install malware onto your computer. Any attachment you may open may also have a virus or malware on it as well. Malware is software that’s built to be malicious (hence the name). It is designed to make its way onto your device i.e. your desktop, phone, or tablet and to manipulate and/or damage them. On top of that, malware can also record and steal your information like credit card account details.

Here’s some of the common things to look out for.

Do you know the sender of the email?
Is it their usual email address?
Unusual or poorly written subject lines may hint at fraudulent or scam email. Common things to look out for are using a zero (0) instead of the letter ‘O’, spelling mistakes or excessive punctuation.
If there are any documents attached to the email, are you aware of the file formate (eg Word, PDF etc). ZIP files can be particularly bad dangerous, and if you aren’t expecting any file of that format, it is best to delete the email. Also, ask yourself are you expecting an attachment and does the email mention an attachment?
You should be wary of links in emails as they can easily be disguised and take you to a malicious website.
A sense of urgency e.g. “Your account will be closed if you do not act immediately”.
Generic non personalised e.g. “Dear customer” or “Dear *******@hotmail.com”
A request for personal information such as username or password. e.g. “To confirm you are Mr Smith, please reply with your username and password”.
Fear – They use it to get you to try the link or attachment. No-one wants to be charged for something they have not bought so when you see an email saying a purchase has been made on your account, the instinct is to panic and want to sort it out. They might have sent an attachment saying “if you did not make this transaction, please download our refund form” or “If you did not place this order please click here” and there might be a link to click. Some phishing emails actually warn you of a virus and invite you to click on a link to protect yourself. e.g. “We have been made aware of a dangerous new virus – the Bob Virus. Click here to protect your computer NOW.”
Hovering over the link reveals the website to which it is pointing – does it look unusual? e.g.

What can I do to protect myself?

A reminder on passwords

Never use common things e.g. the name of your spouse or your date of birth
Never share it with anyone
Never write it down
Try not to use the same password for different accounts
Never tell anyone over the phone – if someone asks, this should raise alarm bells!
Be aware of premium rate phone numbers – scammers can make money
Always use a complex passphrase with numbers, upper/lower case and special characters (~#!”£$%^&*)
Stick with passwords that are at least 8 characters long

A note about secure websites

Think carefully when entering personal or financial information over the internet.

Look for a padlock and https:// within the website address and NEVER enter personal or sensitive information into a website that only has http:// (without the ‘s’ at the end)

What else you can do to protect your identity?

Do not throw sensitive information in a bin – shred it – ideally with a cross cut shredder as this is harder to reassemble a document.
Lock computers and devices when away from them
Always check a cash machine hasn’t been tampered with it before using it
Always shield your PIN number at cash machines or when making a purchase
If possible get expensive parcels and packages or documents delivered to somewhere where you know someone will be available (e.g. a receptionist at work or a relative who doesn’t work during the day).
Never transfer money to someone you have never met. This particularly applies to online dating.

Other forms of Cyber Crime

Hacking

Hacking is an attempt by someone to remotely access your personal computer or your company’s IT system, often using widely available tools and known IT system vulnerabilities. Hackers target online services and IT systems, and try to steal, corrupt or destroy information. Hackers attack IT systems and online services usually for financial gain or to break the security on a secure website for kudos.

You can help to protect yourself from hacking by:

Ensuring all your devices have anti-virus and firewall software on all your devices and it is switched on.
Backup your data and documents in a secure location.
Encrypt data where possible.
Check privacy settings used across social media, the more people know about you, the easier you will be to target.
Be careful what you share on social media and who you share information with.
Only use well known or reputable WiFi hotspots, public WiFi is not private.
Use a VPN (virtual private network) to clack yourself and your data.
If making an online purchase, use a credit card where possible. You get more protection with credit cards than with other payment methods. A pre-paid debit card is an option if you don’t have a credit card, you aren’t protected, but they won’t have access to your fill bank account, only the amount loaded on the card.

If you think you have been hacked, tell the relevant people – any sites involved, your bank or financial instituations you use, and possible even the police. Make sure you change your passwords and inform people you know that you’ve been hacked. On some deviced you can wipe your data remotely.

Social Engineering

Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The telephone is the most common form of social engineering. Some of the most common methods of social engineering are pretending to be some sort of support team telling you that you have a technical issue, or unless you perform a specific action you will have. They will ask for username and password details in order for them to login to your computer and access systems and files.

It exploits elements of human nature such as fear of loss, being protective, wishing to be helpful, or obliging others.

If you receive a phone call requesting confidential information, ask for the person’s name and call them back on a previously confirmed number e.g. the number on a bank statement or a legitimate website. Remember: a bank or other reputable organisation will NEVER ask you for your password via email or a phone call.

Smishing

Smishing is simple terms phishing in the form of a text message (SMS). Due to the large amounts of time people spend on smart phones, they are a popular target for scammers. Financial institutions and mobile phone providers are some of the most common companies which are impersonated in these messages. Our smart phones are smart, but they aren’t always as safe as a PC which is another reason that they can make an easy target.

How to protect yourself from smishing:

Don’t click on any links in SMS messages unless you are 100% sure you know who it has come from.
Telephone numbers can easily be impersonated – would the sender really be contacting you in this way, even if the message appears to be from someone you deal with (a bank etc).
If you are not sure about the message, contact the so called provider using details you have separately from the message (on a bank card or on the website) and confirm with them.
Some providers are able to block smishing messages – speak to them to find out if you are able to do this.
Report any smishing messages to your mobile phone provider. The smishing message I had below claimed to be from my mobile phone provider. I reached out to them on Twitter and they confirmed that it was not legitamate.

Conclusion

If you feel even slightly suspicious about an email or other method of contact, just delete it or hang up a call. If it is from a real company who needs to contact you – they will try again, and probably even have other methods to contact you (phone or letter in the post for example). You should definitely ignore anything that asks you to click a link or open a file.

You can always check on the website of the company the email is claiming to be from. Don’t get there through any link in the email – search from Google or a similar search engine and find out what that company says about what they would and wouldn’t say in an email. There may even be a mechanism for reporting a fake email. The more you can do this, the more chance there is of getting these shut down. A company won’t mind if you report a suspicious email and it turns out it was from them – like me, they would rather that you erred on the side of caution.

2 Replies to “Scam emails – how to spot and avoid falling for them”

Francesca - From Pennies to Pounds says:
18/12/2016 at 9:54 am
I’ve had some scam Paypal emails and they look SO realistic. It’s definitely a worry, especially for people who are not very tech savvy.
- VE says:
  24/01/2017 at 10:48 pm
  My mum calls me about them all the time. I’ve basically told her if she thinks it might be spam to delete it straightaway.