Online scams are getting more complex and more believable. There are still a lot of emails pretending to be from Paypal that have terrible spelling and address you as Dear *firstname*, but criminals are getting smarter by the day.
A few weeks ago one of our clients was duped by a pretty convincing email purporting to be from their internet service provider, so we thought it would be useful to take a look at common themes in online scams and how to spot them.
GDPR
One of our clients received a call from 'Mark' at 'Data Security Agency' to say that our client's GDPR privacy terms weren't compliant and they had 72 hours to put it right - or he could fix it for £149.00. He was calling from a 0203 number which seems it's London-based but anyone can set up a virtual 0203 number, so there's no guarantee he's even in the UK.
The ICO is the UK authority for information rights. As far as we're aware, there are no penalties for a badly written privacy policy. They only issue penalties for things like refusing to disclose data when requested, or not notifying if you've had a data breach. More information about GDPR here.
If you're ever concerned, call the ICO helpline.
Phishing
Here's a rather unconvincing email I got last week. It's full of typos, it's missing my name in the introduction, I honestly don't know how these emails get passed the scammers' QA department.
But don't get complacent, there are much more well-crafted examples. Here's a much more believable one - the design is better, and if you were expecting a FedEx delivery or you're just curious, you might click the link.
Finally, here's one that tells me that someone's tried to access my Google account:
Essentially these scams are all the same - the key points are that the emails are usually urgent, and there's always a link to click. If you click it you'll be redirected to a fake website that looks like the genuine one, where they'll ask you to log in, then steal your username and password.
How to avoid: be suspicious of any emails that want you to click a link in an email to access your account. If you're not sure whether it's real, type the domain name into your browser to ensure you're accessing the real website. Set up two-factor authentication for all your important accounts.
Unexpected attachments
In this scam, you'll get an email with an unexpected attachment, often from someone you know. They've been around for years by email, and they're starting to crop up on Facebook too, after the criminals steal someone's Facebook identity using the scam above.
Things to look out for here are an unusual use of language from people you know - either too informal or formal - and impersonal emails from people you know well.
In the example below, I've never communicated with this person through Facebook Messenger before, I know they have a good grasp of English grammar and I doubt they know what OMG means.
Variations on this theme include emails from people saying that they're suing you and attaching documentation about the non-existent case, emails about overdue invoices that must be paid immediately, or even emails with details about a payment that's been made to your account with a malicious attachment.
How to avoid: don't open attachments that you're not expecting, even if they're from people you know. Contact them via another method of communication and check if they really sent it to you.
Investment scams
Investment scams are on the rise. You'll get an official-looking email from a company like the one below, who promise astronomical guaranteed returns in a short timeframe.
Maybe they're giving a hot tip on a stock tomorrow, which they're going to buy like crazy in the morning to inflate the price and then sell it to anyone who's watching it. This is called a pump-and-dump scam.
Mat recently got an email inviting him to be part of an "exclusive investment club". He was intrigued and discovered that the way this "club" worked was that they told all their members to buy a lot of a particular penny stock, then the club would send over 500 million emails across the world promoting it. They claimed that this was guaranteed to make the stock price soar, and all the club members could then offload their shares at a tidy profit. We don't know whether this was, in itself, another scam but we can believe it might work.
How to avoid: If it looks too good to be true, it is. Disregard any unsolicited investment advice you get via email.
Trouble on holiday
This is the most unpleasant kind of scam, as it relies on generosity instead of greed. Typically you'll get an email or a Facebook message from someone you know, who says that they've been robbed on holiday and urgently need you to send them some money to cover their costs until they get home. They're usually written in very good English, genuinely come from the person's email address and often include some specific details that make you think they're real. An important part of this is that they've lost their phone so you can't ring them to check.
The reason that these can work so well is that the scammer has hacked your friend's email / Facebook and with a bit of research they can impersonate your friend quite well, using words and phrases that your friends uses, and their real email signature too.
How to avoid: This one's tricky. The best thing you can do to protect yourself here is to know that these scams exist. Then if you're unlucky enough to receive one, you can make a judgement about whether it might be real, and try contacting your friend's partner or family to see if they're really in that country.
Facebook impersonation
This is the only one we've never seen personally, so we don't have a screenshot. You'll get a friend request from someone you know on Facebook, usually someone you thought you were already friends with. What's really happened is that a scammer has created a duplicate of your friend's Facebook account, using the same name and profile picture.
Once they're friends with you, they can see lots of useful information about you like your mother's name, favourite pet, birthday - all useful things to help them access your bank account.
How to avoid: be cautious accepting any friend requests. If you receive a request from someone you're already friends with, report it to Facebook and they'll delete the account. Be careful with your personal information on Facebook, even if it's marked as "Friends only" - consider removing the year from your birthday (you don't want anyone to know how old you are anyway, right?)
Blackmail scams
These are pretty nasty too. You'll receive an email saying that someone has taken control of your webcam and has a video of you in flagrante delicto. If you don't give them a bunch of money they're going to send it to your friends and family. Here's an example that Mat received the other day.
At first glance it might be concerning, but the total lack of personally-identifiable information gives this away as a scam. It doesn't include a name, the supposed web site he was visiting, a still image from the video they supposedly have, or even the date it was recorded. There are real examples of people being duped into recording sex acts and getting blackmailed but this isn't one of them.
How to avoid: delete the message, smile and get on with your day. Don't be tempted to respond or you'll just get sucked into the scam.
In summary
Common sense isn't quite enough to spot some of the more complex scams these days, so it's important to know what kind of scams are out there. If you're not sure whether a message is real, contact the sender using a different method - phone your bank to check if your account is suddenly overdrawn, or WhatsApp your friend to see if they really are on holiday.
Copy and paste phrases from the message into Google and see if the results talk about this scam, and there's always the excellent Snopes which has a huge vault of scams that you can use to avoid being caught out.