Fraud and scams are not new, but new technology gives criminals new ways to try and steal your money. Knowing the techniques they use can help you protect yourself. If you think you've responded to a scam or been a victim of fraud, contact us straight away and report it to Action Fraud on 0300 123 2040.
Here’s a list of things that can help you spot and avoid fraud and scams.
- Take time to think before making a payment, especially if it’s a lot of money. Speak to someone you trust first, like a friend or family member.
- Read the warnings we provide when making a payment. They’re to help you bank safely and avoid being scammed.
- Anyone can be impersonated. Criminals can make the caller ID, email address or name look exactly like a genuine caller. Check that the email, text or call is genuine by phoning them back on a known and trusted number. If it's a family member or friend use the number you have for them. If it's a company use a number from their website or documents.
- Make extra checks when you make a payment to make sure the person and the payment are genuine. This can include reading reviews, researching companies or websites, and checking the person or company is who they say they are.
- Don’t allow anyone remote access to your devices. Criminals can ask you to click on a link or download an app which will give them control over your device.
- Your bank, the police or any trusted organisation will never ask you to withdraw, transfer or send back money from your account. If you’re asked to do this, it’s a scam.
If you think you've replied to a scam email or text or given your details out to the wrong people, call us first on 0330 123 9860 or freephone 0800 011 3414. You should also report it to Action Fraud on 0300 123 2040. |
Social Engineering
Social engineering can happen in person, digitally or over the phone. You don’t know it’s happening because criminals use sophisticated techniques. They may invoke fear, panic or build a friendship.
Criminals use social engineering to make you take action you normally wouldn’t. This might be:
- Sending a payment to an account without checking that it’s genuine
- Allowing someone access to your device
- Giving away personal or security information without realising the other person is a criminal
Common social engineering techniques
Remote Access
Criminals convince you to give them remote control over your device. They ask you to download legitimate apps such as AnyDesk or TeamViewer. They might ask you to click on a link. Once you give them control they can see everything on your device.
Never give anyone remote access to your device, unless you’ve checked the caller is real and you trust them. Even if you give access, never open any banking apps or windows. Remote access gives the other person full access to view and act on everything you can.
The most common social engineering tactics are:
- Phishing (emails)
- Smishing (text)
- Vishing (calls)
Criminals can make messages look real, and sound very convincing when they call. Never act on any request without checking that it’s from a real source. Visit our ‘How to report fraud’ section on this page to learn more.
There are lots of different types of scams and fraud. See our helpful list below to find out more about each type that could affect you or your business.
- Impersonation scams & techniques
- Payment redirection scams
- Purchase scams
- Cheque scams
- Romance & friendship scams
- Investment scams
- HMRC scams
- Cryptocurrency
- Advance fee scams
- Know your staff
- Card fraud
- SIM swapping
- Identity theft
Impersonation scams & techniques
Impersonation scams are when a fraudster contacts you and pretends to be someone else. They’ll pretend to be your bank, HMRC, a colleague, a supplier or another organisation. Their goal is to convince you to send them money.
An example might be: You get a call from Santander on a known and trusted number. The caller claims to be from the fraud department. They tell you that one of your payments has been stopped due to suspicious activity. You're asked to confirm security before they give you any more detail. The information you're asked is actually your log in details. Once revealed, the criminal logs in, amends the destination account details on one of your recent payments. They change it to an account in their control. They'll tell you the details of your recent payment and ask if you still want the payment to be made. You confirm you did want it to go, so you're asked to authenticate the payment to continue. What you're actually doing is authenticating the amend they've just made.
Here are some techniques used to convince you they’re genuine:
Social media criminals make contact through messaging services like WhatsApp, LinkedIn, Facebook and any social media platform. Again, they can impersonate anyone, and use this to build trust.
Spoofing
Many fraudsters use ‘spoofing’. They do this to disguise the origin of their contact. This could be the caller ID, messenger name, or email address. They do this to hide their identity and try to convince you that they’re someone else.
Phishing (email), smishing (text), and vishing (voice calls)
These are when a criminal sends a fake email, text, or calls you pretending to be someone else. It can be hard to know if they’re genuine. Never reply or act on anything without checking that it’s from a genuine source. It's easy for criminals to make contact details look genuine. They might even change the email address slightly so you don’t notice. They all want to trick you into sharing personal or security details which they can then use to commit fraud on your accounts.
Payment redirection scams
These scams are when you get an email asking you to set up a payment. This could be to a new account or to amend existing details. They're usually from someone you’re already dealing with, such as a client, or business contact. They can spoof contact details to make it look genuine. They can even hack a genuine email address. They'll create a sense of urgency to make you panic into making the payment quickly. They want you to make the payment without checking the details first. The money never arrives with the genuine person or business. By this time, it’s unlikely you’ll be able to get the money back.
An example of this could be:
- Receiving new bank details from your supplier by email to make payment before you receive the goods.
- An email from an employee asking to change bank details for their next wages.
- Invoice scams – these happen when you receive a fake invoice or bill, asking you to pay for goods or services. It’s often an email and appears to be from a genuine business contact. They’ll ask for existing payment details to be changed, or to pay a new bill.
- CEO fraud – this is when a criminal pretends to be a senior person in the business to persuade staff to make an urgent payment. The request is usually an email and has new bank details that belong to the criminal.
Protect yourself
- Make sure you confirm new payment requests directly with the company or colleague. This includes changes to existing payments. Check in person when you can, or call on a known and trusted number.
- Never respond to requests by the email address it came from or the contact details in a letter.
- Set up a single point of contact for companies you pay regularly.
- Review your payment approval process. Use dual authorisation for an extra layer of security.
- Review payments due at a future date where account details have been changed to confirm the request is genuine.
Stop and take time to think about what you’re being asked to do. Never feel rushed into making a payment.
Purchase scams
Criminals make you believe you're dealing with a genuine seller or company. They advertise on social media, genuine selling sites, create fake websites or hack genuine accounts.
Buying scams
These scams can happen when you find something online that you want to buy. This could be a holiday, flights, concert tickets or building materials. Once you've paid, you lose contact with the seller. You'll may receive no goods, or goods that are different to those advertised.
Selling scams
These scams can happen when you sell items online. You may send the goods as agreed and never receive payment. Or you may be tricked into returning an overpayment. The criminal may send you a cheque for more money than the value of the item being sold. They ask for the extra money to be transferred back or sent on to a third party, for example a ‘shipping agent’.
How can you spot them?
These criminals are very clever, but sometimes warning signs could help you identify them.
- An item priced under the recommended selling value – does it sound too good to be true?
- The seller makes extra effort in communication to push the sale through.
- The buyer sends you more money than they need to pay for the item. They'll ask you to return the difference.
- A seller you don’t know asks you to use ‘PayPal Friends & Family’ service or to pay for goods by bank transfer.
- Facebook Marketplace is a great way to buy and sell locally. Be cautious when buying an item that you can’t see in person. The seller may be using a fake profile, buying this way is high risk.
How can you protect yourself?
Even if there are no warning signs, we’d recommend considering the following:
- If buying from a reputable buying site such as eBay, Airbnb or Autotrader stick to the payment advice they provide. Use secure payment channels if they're offered. Never communicate outside the site.
- Always use secure payment methods where you can. PayPal (buying goods), debit and credit cards can offer more protection than bank transfer.
- Where possible view items in person before making payment. Never pay for large items like a car in advance.
- Be wary of accepting payment for goods by cheque.
- Never send personal or financial details by email. Emails can be intercepted.
- Research the seller and site and always read the reviews. Check several review sites and compare them. This helps rule out any fake reviews left by fraudsters.
Cheque scams
Cheque scams are when a criminal pays for goods or a service using a fake cheque. They could even make it out for a higher amount than the actual value.
How it works
- A new ‘customer’ contacts your business to order goods or services.
- The ‘customer’ makes the payment. They then phone or email to reduce or cancel the order, or to say that they’ve made an error, for example that shipping fees were included by mistake. They request an urgent refund. Your payments team may spot the overpayment and think it was just a simple typo, e.g. £16000 instead of £1600, and offer to return the difference.
- Your business wants to keep the relationship with this new ‘customer’. Your team process the refund quickly and make the refund by Faster payment.
- Then, the original cheque is returned unpaid. This is because it’s fake. Your business is left with a loss because it refunded the amount ‘overpaid’.
Protect yourself
- Never accept a cheque for a higher value than you were expecting.
- Never feel pressured into making a refund or payment.
- Keep your chequebook in a safe place. Always report any missing cheques to your bank straight away. Make sure you check your bank statements thoroughly.
- Make sure any cheques have cleared and credited your account before you provide any goods to services. If you've receive more money than expected, make sure the cheque is before you send back the extra.
- Never pre-sign blank cheques. When writing cheques, be sure to complete all sections leaving as little space as possible.
Romance and friendship scams
Criminals take advantage and trick you into thinking they want to be friends or a romantic interest. They will often create fake online profiles designed to lure you in. They may use a fake name or falsely take on the identities of real people such as military personnel, or professionals working abroad.
These criminals can spend a long time building trust, or it could all happen rather quickly. They’ll make up a reason to ask for your help. They'll use the emotional attachment they've built with you and say that they'll pay you back.
For example, they might say they need help with travel costs or hospital bills. Or they may prey on your sympathies by telling you a family member or someone else they're responsible for is ill and needs money for medical treatment.
How to protect yourself
- Never send money to someone you haven’t met in person.
- Always consider that the approach may be a scam. Especially if the warning signs listed above appear. Try to remove the emotion from your decision making no matter how caring or persistent they are.
- Be wary of requests for money. Never send money, give security details, or copies of important personal documents to anyone you have met online. Criminals may use your information to open accounts in your name.
- Online friendships are based on profile. It’s important to check if the person you’re talking to is who they say they are. For example, you can check if profile photos are genuine by performing a reverse image search on a web search engine. This can find photos that have been taken from someone else.
Investment Scams
Investment scams are very common. Criminals use clever and pushy techniques to trick you into investing in worthless or fake shares.
They might get in touch with you if you have shown interest in their fake firm on social media, or found them using google. Or they might just call you out of the blue. They might offer you a big return in a short amount of time. These criminals can be very convincing.
Warning signs to look for that can help you to spot a possible investment fraud:
- An unexpected email, message or cold call offering any form of investment. Did you know cold calling to sell you shares or investments is illegal?
- 'Limited time only' offers that don't give you enough time to think the investment through.
- A pushy and persistent sales technique.
- Company names which sound familiar or have a slight change to a legitimate company that is registered with the Financial Conduct Authority. These are known as clone companies.
- A company that wants you to keep your investment a secret to get maximum returns.
Be ScamSmart
The FCA has created ScamSmart, an online tool to help consumers find out if their investment is a scam. It aims to help you understand whether the company you’re going to invest with is regulated by the FCA. It helps you spot if it is a cloned or spoofed company. Remember, you still need to do your own checks on the company.
How to keep yourself safe
- Check it out. Check the Financial Conduct Authority (FCA) register. You should use their ScamSmart tool to check the investment and the company are regulated.
- Avoid clones and fakes. Confirm you’re dealing with a genuine and registered firm. Only use the contact details for a firm that are on the FCA register.
- Stay in control. Avoid uninvited investment offers especially those made on social media or over the phone. Research the company first and think about getting independent financial advice. You should always check the IFA firm and people you’re dealing with are genuine.
- Take extra crypto care. Never let anyone set up a cryptocurrency wallet or upload ID documents. Make sure you don’t let anyone remotely manage an investment for you.
- Don't assume it's real. If a website, advert or social media post looks professional, it doesn’t mean they are genuine. Well-known brands or people can be cloned to make scams look real.
- Never download software or apps that allow remote access to any of your devices. When you allow remote access you give the person full access to see what you can.
Visit the FCA website to learn more about how to avoid investment scams and protect yourself.
Remember: If something sounds too good to be true, it's probably a scam.
HMRC scams
Criminals impersonate HMRC to try and persuade you to make an urgent payment, or click on a link in a message. For example, they could send an outstanding bill or tax rebate messages. They may even threaten you with court action, bailiffs, or police arrest if you don't take urgent action.
Criminals can contact you at any time of year, but they're more frequent as tax deadline dates approach. They might make contact through:
- text messages
- instant messaging services like WhatsApp
- emails
- phone calls
- or even social media.
The caller ID or email address might say it's from HMRC or HM Revenue and Custom. They can fake these details to appear the same as the genuine ID. HMRC will never call you out of the blue about something you're unaware of and will never call threatening legal action.
How you can protect yourself
- Never make a payment to HMRC if they contact you out of the blue. Especially if you're threatened with police or court action.
- Always check what you owe directly with HMRC on the GOV.UK website.
- Never rely on the number on the caller display as proof that it's HMRC you're talking to. This can be falsified (known as spoofing).
- Never be pressured into sharing personal or financial details to anyone.
- HMRC will never notify you of a tax rebate or refund by email.
Cryptocurrency
We want to help protect you from fraud. We do this in line with the Financial Conduct Authority's (FCA) warnings in 2021. It means that, where possible, we stop payments going from your account to Binance. We don't restrict payments from Binance coming in to your account(s).
Investment in crypto assets can be high risk
Before you invest, you need to know the basics and understand the risks. Crypto activity is not regulated yet in the UK. This means there is no safety net if things go wrong. If you decide to invest in crypto, then you should be prepared to lose all your money.
Crypto related scams are common. These types of investments are accessible and available to all budgets. Criminals will use attractive adverts and fake celebrity endorsements. They do this to make people believe the investment is real. Remember, if something sounds too good to be true, then it probably is.
We want to do everything we can to protect our customers. Limiting payments to cryptocurrency exchanges is the best way to make sure your money stays safe.
Advance fee scams
Criminals will make an excuse why they need upfront payment. The real reason is because you're not going to receive the goods or service agreed.
Examples could be:
- Paying an ‘admin fee’ to release funds from a loan
- Paying a deposit for property which doesn’t exist. This could be office space or storage.
- Paying a fee to release money in an investment
- Paying a ‘recovery fee’ to recover money lost in a previous scam. If you have been a previous victim of a scam, you can be targeted.
Criminals will use a variety of methods to contact you. This can be email, text message, a phone call or social media. They may use two or more of these methods to build trust. Always be cautious. Think about how you can check that the person, organisation or opportunity is genuine.
How to protect yourself:
- Use legitimate companies when applying for any credit. Avoid companies that ask for an admin fee to be paid to release funds.
- Always read reviews and complete checks to check the company exists. Don’t believe everything in the job advert is real.
- Always take time to think about any request you are asked to do that involves paying upfront.
- Avoid applying for jobs on social media, use legitimate job sites.
- Don't pay to release winnings on any competitions or lottery. Especially if you have not entered anything.
- Don’t pay money to an employer, especially prior to starting the role.
- Avoid paying any deposits for properties until you have seen the property in person. Always have a tenancy agreement before paying. Use a reputable company to avoid any problems.
Know your staff
Most employees are reliable, and trustworthy. To help stop any risk of fraud, you should have internal controls in place. All companies are at risk of staff fraud.
Examples of staff fraud could be:
- Stealing office stationery or stock.
- Pretending to have worked extra hours.
- Creating fake invoices or cheques.
- Abusing the company credit cards.
- Offering cheaper services without consent.
- Stealing company data. This could be client lists, processes or passwords.
You can help reduce the risk. If you make sure your business has effective controls in place. Make sure your guidance is clear and this will help safeguard your company assets.
Key things to look out for
These can be signs of fraudulent activity:
- A member of staff who quits not long after joining.
- Suppliers or contractors who refuse to deal with certain staff members.
- A member of staff with financial problems. This could be linked to a change in circumstances such as the death of a spouse.
- A sudden change in an employee’s lifestyle. This could be a standard of living beyond their means.
- Documents with sensitive information going missing. This could be client or company data.
- Changes in an employee’s behaviour or actions.
You can get some useful information by visiting: - (cifas.org.uk)
Remember
It's important for you and your staff to know how to protect your business. This should be a top priority within your business. All staff should have the knowledge and tools to keep themselves safe and your business.
Card Fraud
Criminals steal your cards, or obtain your cards details and use them to make purchases. You don’t know your details have been stolen until you see activity on your account that you don't recognise. Here are some of the ways criminals can steal your card information.
Card-not-present (CNP) fraud: When a criminal uses stolen card details to make payments online, by phone or mail order.
Counterfeit card fraud: This is when criminals make a copy of your credit or debit card. This usually involves skimming, where the magnetic stripe data on the back of the card is copied using a device fitted to an ATM or card reader. Your card details are then transferred onto a fake magnetic stripe card and used to make purchases.
Lost and stolen card fraud: A criminal physically steals your card and uses it.
Card ID theft: this occurs when a criminal has obtained details other than your credit or debit card. They may steal personal information, to improve or takeover a card account in your name
ATM (Cash Machine) fraud, this could be:
- Card entrapment, physical card is captured.
- Card skimming, details of the card captured.
- Cash entrapment, where a device is fitted to the cash dispenser. This device will then catch your cash instead of dispensing it.
Digital card Fraud: Payments made using the contactless feature on your credit/ debit card. Or using a digital wallet e.g. Apple/Google pay. Contactless card payments have a £100 limit per transaction, but digital wallet transactions have a larger limit.
Card fraud can't always be avoided, but there are some tips you can follow.
- Check the cash machine (ATM) before inserting your card. Check the card slot and keypad for unusual or loose attachments.
- Always cover your PIN number.
- Never keep your card and PIN together. Change your PIN to something memorable. It's best to not write it down.
- Your card is for your use only.
- Check the website is secure before entering payment details. Websites that start https are the most secure.
SIM Swapping
SIM swapping is when a criminal gets your mobile phone provider to issue a new SIM card. Once they get the new SIM they can access your mobile banking messages while your SIM card is deactivated.
Santander has developed award-winning SIM swapping detection technology. However, you still need to be aware of any issues with your mobile phone which could be related to SIM swapping.
The warning signs are:
- Getting an unexpected text message to say your SIM is transferring
- Losing connection for an unusual length of time in a place where you would normally have a connection
- Your phone showing the message ‘invalid SIM’ or ‘no SIM’.
- If you think any of the above has happened to you, contact your mobile phone provider. Always use a number from their website.
How to protect yourself:
- Set a secure password with all phone service providers
- Dispose of your phone bills securely
- Use online bills instead of post if you can
- Keep your phone switched on at all times – this way you’ll spot if it’s not working.
Identity Theft
Identity theft can have devastating impacts on its victims. Criminals can open new accounts, claim benefits and apply for official documents in your name. These accounts are opened in your name and will all appear to be linked to you.
Criminals may only need a few of your personal details.
The warning signs are:
- ‘Lost' mail, this may be that your statements or bills suddenly stop arriving
- Your rubbish bags have been tampered with
- You start getting bills you don’t know about
- Strange Direct Debits or payments appear on your account.
How to protect yourself:
- Shred all sensitive information. Never throw it away or recycle it.
- Delete suspicious emails that ask for personal information. Remember we'll never ask for that by email
- Think twice before giving out personal information
- If you move house, redirect your mail
- Use online bank statements instead of printed or posted ones
What you should do if you think you might be a victim
- If you think any of your account or personal information has been stolen, cancel your card or freeze your account straight away.
- If you are not receiving mail, contact the company to let them know. You should also contact Royal Mail to make sure that a mail redirection has not been placed.
- If you see a transaction on your statement that you don't recognise, call us on 0800 092 3300.
If you've been a victim of identity theft, get a copy of your credit file. This will show if anything has been applied for in your name. Look for new accounts and for credit searches that you didn't authorise. This can suggest there's been an attempt to impersonate you. Remember, it's the data holder's responsibility to make sure that all data held is correct. Any credit searches not authorised by you will need to be deleted from your credit file.
You can find an A-Z of fraud and scams on Action Fraud's website
Read our latest fraud updates to learn about how fraudsters are duping businesses.