Types of scams and fraud
Know them to avoid them
Fraud and scams mean the same thing
Account TakeoverA fraudster gains control over your account and poses as you, to remove money from your account. This could be from a Savings, Deposit or Current account. It may also be a credit or debit card.
Online banking accounts are usually taken over as a result of Phishing, Spyware or Malware scams.
Advance Fee Fraud
Also known as Lottery Win / Tax Refund / Bank Compensation / Ministry of Justice / Claims Management Regulator / 419 ScamsThe background stories vary, but the key points are always the same;
- You receive a phone call or an e-mail informing you that you are owed money
- Your ‘money’ will be in various forms, everything from a lottery win, compensation, Govt. refund, to asking for help to move money out of an account.
- To receive it, you only have to pay in advance a small sum, normally about 10% of what is ‘owed to you’.
How you are asked to pay also varies, sometimes you are asked for your bank account details. Sometimes you are asked to send money transfers via an FX /Money Transfer company or purchase Pre-Paid cards i.e. Travel, Gift, Ukash, even ITunes.
Whatever the reason, it is just a scam to get you to send your money to them.
APP - Push Payments – (Authorised/Authenticated Push Payments)See also Invoice (or Billing) Fraud
APP (Push Payment) fraud scams are causing losses that run into hundreds of thousands, all approved by the victim from their bank account.
It happens when a fraudster tricks a victim into changing the bank account details of a known and regular supplier i.e. Utility or Telecom company, even Solicitors, Doctors or an Accountant, to the fraudster’s account.
They can do this by hacking or intercepting the victim’s emails and sending the victim an email that impersonates someone the victim pays regularly or is about to pay a large sum to (House Purchase, Medical Procedure, Building Renovation).
The email to the victim will be simple. It will just say… ‘We have changed our bank details please update your records’ and the email will look authentic. When the victim updates their bank account payees, the fraudster just waits for the next payment and the money appears in their account.
ATMsCash machines have several fraud tricks;
- The Lebanese Loop – This is just a simple piece of packing case strapping that is inserted into the card feed of an ATM, with a face –plate, to create a loop. When a card is inserted into the ATM it is prevented from being fed into the card reader. The card owner thinks the ATM has eaten the card and goes to report it or just walk away. The fraudster removes the face-plate and it brings the loop and plastic card out, ready for the fraudster to use. Sometimes the fraudster may have a micro-camera pointing to the pin-pad, recording the PIN number. Now they have everything to spend on the card.
- False Fronts – Simply a false ATM front which will include the card insertion slot, key pad and sometimes the money drawer.The fraudster simply glues this to the ATM and lets the cardholder insert their card, enter the PIN and they record your PIN from a mini-camera and copy (Skim) your card. They may decide to keep the cash as well.
- Cash Trapping – A piece of cardboard or plastic is painted the same colour as the money drawer. Then it is inserted into the ATM, after the fraudster requests cash from a machine (No, they don’t use their own card). As the drawer opens, the money trap is inserted and it prevents cash being dispensed. Later, the victim requests cash from the ATM in the usual way. The transaction is all approved, the cash drawer opens, but there is no cash. The victim believes the ATM is at fault and goes to report the error. Immediately the fraudster removes the cash and the cash trap. No-one realises.
- Distraction – A fraudster distracts you at the ATM.
A: They may point out the machines are not working and point you to one that is working. This will be the one they have set-up to keep or copy your card.
B: After you have removed cash, they may ask if you have dropped some cash? They point to the floor with the bank-note just lying there. As you pick it up, another fraudster removes your card from the ATM, having memorised your PIN that you entered and replaces your card with another.You don’t realise, as you are busy putting the money away in your purse or wallet.
Boiler Room Fraud, Fake Bonds and InvestmentsThe phrase comes from a small, closed room of fraudsters, using high-pressure sales techniques, which sound impressive. They are professional-sounding but bogus callers, who sell worthless or completely bogus investments or goods.
Here is a list of some of the most common 'scams';
Bonds, Shares, Vintage Wine, Crypto-Currencies, Gold, Silver, Diamonds and other precious metals and stones.Overseas Land, Storage units and parking spaces. Biofuels, Graphene, Solar Panels and Carbon Credits.Binary options (betting on if the price of a share, stock market or asset will be above or below a set price in the future)
The fraudsters will build a relationship with the victim over several calls and emails, but always stressing the urgency of investing, as time is limited.
They impersonate banks and securities houses and using amended copies of real documentation the have obtained, they create fake financial products or goods.
Their email addresses will look very similar to the company they are impersonating, claiming to be a subsidiary. They may also give the main switchboard number of that company to reinforce their credentials, advising that using their mobile number, the victim has a direct line and avoids waiting in a switchboard queue.
They may even create a false web-site to add to the illusion of authenticity.
CEO FraudAn e-mail arrives with the finance team, which is headed with the name of the company CEO or Managing Director. The email instructs the finance team to make an immediate payment to them and provides bank details.
The e-mail also stresses that the CEO is out on urgent business and must be paid today.
The e-mail is a fake, but many companies fall for it. More recently, schools and colleges are receiving these emails, from the Head Teacher, requesting payment to their supplier immediately, as the recent invoices have not been paid.
See Invoice Fraud
Counterfeit SoftwareYou may be offered at some time cheap software for your computer. It may be an Operating Software or a package that you need to use frequently.
Unfortunately, counterfeit software may contain Malware that is loaded onto your machine and gives fraudsters access to all of your system, emails and potentially your bank accounts.
When the fraudsters empty the victim’s bank account, that cheap software is no longer a bargain!
Courier FraudSomeone calls you (stating they are your bank, the Police or someone you trust) and advises you that you have fraud on your debit/credit card or account.
You are then asked to write your PIN on the back of the card or key it into the telephone handset.You must package up your security card reader (if you have one), your card – with the PIN and hand all his over to a courier who will call to your home.You may be asked to withdraw money from your account and hand it over to the courier, in the package for safe-keeping!
Then a courier arrives and collects all your cards / documents / money ….…
….you never see any of them again.
Dating and Romance ScamsScammers set-up fake profiles on the many dating / social media and chat-rooms sites that exist. Men and women are both targeted.The profile will look impressive, with a lifestyle to match. They will appeal to the need for companionship and build a relationship over a period of time. They will encourage the victim to disclose personal information about themselves, but not offer much detail in return, using photographs to make the victim ‘think’ they know the scammer.
Later they try to direct messaging outside the site – direct contact via emails and mobile. It is at this point they begin to mention that they have ‘issues’ with their family or they are in trouble and need financial help. It is not all distress. Sometimes they talk of building their ‘dream house’ and encourage the victim to join them and build the home together.
They prey on emotional feelings of the victim, enabling them to extract money, which of course is a scam as the dream home or crisis do not exist and the photographs used in the profile and exchanges were taken from another person’s profile.
Men are just as equally victims in this type of fraud as women. Many people do not report the crime, through embarrassment and hurt. This allows the fraudsters to return again and again.
Door to DoorIt might be old-fashioned, but it still occurs.
Remember, you can ask for ID and you do not have to let anyone in. If they tell you to call the number on their ID card – decline. Look the number up yourself.
Fraudsters also pretend to be market-researchers. They are trying to obtain personal information on you and those who live with you, to build a profile and start the process of Identity Theft.
Con-Men (and women) also try to tell you that your property needs repair, as they were ‘in the area’ or use a neighbour’s name in your conversation, to gain trust. They imply and want you to assume they have worked for your neighbour. You then find the work costs more than quoted and they may not have even completed any repair works.
E-MailsPhishing, Spyware or Malware. Hacking, Compromised and Spoofing
We all communicate via email these days, it is a normal part of life. However, access to your emails can occur in many different ways. A fraudster can compromise your account without you knowing, accessing not only your personal mail but sending our further emails to your contact list which contain Spyware or Malware, hoping to infect your friends and family mailboxes.
Look for the warning signs that might indicate that a fraudster may be accessing your account.
- Your contacts receive odd messages from your e-mail address.
- You do not seem to be receiving any e-mails.
- You are not able to log into your e-mail account.
- Unknown e-mail appears in “Sent Items” folder.
Here is how fraudsters could gain access to your email account;
Fraudsters send out thousands of email in the hope they will catch someone, who will open their mail, and reply to them or click on a link sent in the email.
Once they verify the email address is correct, they target the victim with specific emails which have Spyware or Trojan software, in an attempt to take-over someone’s computer or email account.
If the victim clicked on a link in the email, it will take them to a website which will download the Spyware, without them knowing. The site may be a simple sales sites for products the victim does not wish to buy, but the damage is done.
Hacked / Compromised
This is when the fraudsters have your email password and have taken control of your email account. If they have not changed the password, you must regain control by setting a new password and set-up a new email address.
What to do if your e-mail account is compromised
If your email account has been compromised (or ‘hacked’), it is essential that you first disable your email account to prevent hackers from using it to commit fraud. Changing your password is a critical first step to buying some time but by itself will not be sufficient to prevent the account from being compromised again.
Unless you have access to the technical skills and knowledge required to make sure that your compromised email account can be re-secured, it is recommended that the email account is disabled and shut down and a new one created. This is because a fraudster could have changed background settings, recovery questions and email addresses, or set rules to enable them to receive or hide emails arriving in your account. This would enable them to continue monitoring your emails or even to take over your account again.
Please follow the following simple steps to disable and delete your compromised email account.
You should also check any advice provided by your email service provider:
- Inform all of your contacts that your email account has been hacked and they should no longer send emails to this account (use a different email account to do this, not the compromised account). You should ask your contacts not to accept or respond to any emails from your account, including information requests, clicking on any links or opening attachments.
- Immediately change the password of your email account using a strong password (avoiding familiar words, numbers and places and using a mixture of upper and lower case letters, numbers and special characters of at least 8 characters in length). By itself, this will not permanently secure the email account, but it will enable you to follow the process to delete it completely. Do not use the same password for multiple online services as this makes the hacker’s job much easier.
- Review any emails or information stored in the email account as they could have been read or copied by the hacker – for example, password reset information for a different online service or correspondence with financial institutions. This may prompt further action such as re-setting passwords elsewhere.
- Follow your email service provider’s procedures to delete the account. Depending on the provider this may be possible from within the account or you may need to go to a separate account management/termination page to do this.
Some email providers do offer the option of having an extra level of authentication (2-Factor), for example by having an authenticator application on your mobile phone or sending you a code via text message (SMS). It is recommended that you consider using these services when setting up your new email account or to further secure existing accounts.
Businesses suffer from this, but it also affects individuals, hurting them financially.
A business may receive an email from one of their regular suppliers, which advises that they have changed their bank account. When the business pays the next invoice, the money will be transmitted to the fraudster.
The business did not realise that the email was from the fraudster and the email address was slightly different
i.e. ASolicitor.com, when the real address was ASolicitors.com
A small mistake that costs a lot of money. All the fraudster had to do was email the real Solicitor and pretend to be a potential client and when they replied, the fraudster had the letterhead supplied to create a spoof email.
The same happens to consumers. The fraudster may have been tipped-off that you are about to spend a large amount of money and they have been given your email address. They know who you will be paying, so they can create the spoof email. All they have to do now is send you that request for payment and their bank details.
See more information – Invoice Fraud
Government agency fraudVehicle Tax refunds, Income Tax refunds, generally e-mails from a Government department, looking official either advising you that you are owed money or you need to pay some money, immediately.
Both will tell you to register online to authorise the payment, which includes giving your full bank details and the only thing you see is your money leaving your account, not going in!
Identity TheftVictims suffer a great deal of expense and upset trying to resolve this type of fraud. After all, it is their reputation and credit history that has been abused by a fraudster.
It is never easy to find out how a fraudster was able to obtain details of someone’s identity, so it is best to begin researching yourself and try to find out how much information about you is in public domain and how much you need to remove.
Firstly check your social media content and privacy settings. (Check them frequently as software upgrades can sometimes allow them to be re-set to ‘public’). Also check Google and any other accounts you may have and what data they hold. Google yourself and your address – See what you can find out about yourself and how you can change what is published about you. Stop that personal data leak!
Your friends are not the only ones reading your posts. Posting that you are going on holiday or are on holiday, attending a conference or visiting a restaurant, all allow a fraudster to target you with a specific email that you think is from the tour operator, hotel, airline or restaurant. That email will be ‘phishing’ and mostly likely have a malicious attachment.
There is no need for a social media site to know your birth date, where you work, which vehicle you drive and your family – all this information leads towards creating a fraudsters paradise and helps them build a profile of you, ready to submit an application or access your accounts.
Keep your personal and business contact details separate. Only connect on social media with people you know.
If you live in a communal apartment block – check your mailbox is locked and not easily accessed.
For the UK
Register to vote. It can take months to update the register, so register as soon as you move home. When registering, tick the ‘Opt Out’ box to not appear in marketing mail-shots.(fyi – The Voters Roll is available to marketing companies and by opting out, you remove yourself from their lists).
Mail Preference Service – This allows you to remove yourself from marketing mailshots. The website has several options available and it is free. Less marketing material means less opportunities for ID Theft.
Register with a credit reference agency to ensure no loans or credit applications have been taken out in your name.
If you have suffered Identity Theft, visit the CIFAS web-site for Protective Registration
Equivalent if MPS , CIFAS , Credit agencies.
Invoice (or Billing) FraudInvoice fraud scams can result in losses that run into hundreds of thousands. It happens when a fraudster tricks a business\person into changing the bank account details of a known and regular supplier i.e. Utility or Telecom company, to that of the fraudster.
Sometimes it can be as simple as the fraudster telephoning the business/person and giving them new bank details, stating they (the supplier) has changed banks.
Alternatively, they may contact the business/person by email, letter or fax, posing as the trusted supplier to make a formal request to change the bank account payment details held.
Fraudsters may attempt to intercept genuine invoices and change the bank payment details.
Often the business/person does not realise they have been scammed until the genuine supplier chases for non-payment, weeks or months later. At this point, it will be impossible for the business to get the stolen funds back.
What steps can I take to protect myself/business from this scam?
Always verify a request BEFORE implementing the change or completing the payment.
Be mindful not to use the contact details provided on the instruction, instead use established previous contact details to validate the change.
Do not presume an email, text or fax request to make an urgent payment is genuine, even if it appears to have been sent by a senior member of the business.
Educating staff with responsibility for processing invoices to be alert to scams and unexpected payment requests. To always check for irregularities and to raise concerns immediately.
Ensuring that senior staff members of your business know about this fraud risk and understand exactly what they are authorising.
Being mindful of supplier information displayed on your company website and if this could be used to facilitate fraud.
See more information in E-Mails
Money MulesA ‘money mule’ is someone who allows their bank account to be used to receive stolen funds which are transferred to a designated account (domestic or offshore) using a money-remitting or wire service, minus a ‘commission’ payment.
The mule is usually approached online, via e-mail, instant messaging or via fake ads placed on legitimate employment websites.The prospect of making easy money appears attractive to younger people who are looking to earn money in their spare time, but it is not restricted to them.
There are serious consequences for anyone who gets involved in a money mule scam. ‘Commission' payments can be confiscated (as proceeds of crime) and the money mule could become the subject of a police investigation that may lead to a maximum penalty of 20 years or imprisonment.
Even if the victim is unaware the money was illegal, the victim has participated in Money Laundering and can be prosecuted. Victims could see themselves being banned from holding bank accounts and without credit facilities.
Mobile / Cellphone FraudMissed call scams - Your phone registers a missed call. You don’t recognise the number so you call it back. Most of the time the call will be perfectly above board, but you may be redirected to a premium rate service which can cost up to £15 per call.
Search for the number on the internet first – It may have already been registered as a scam number.
Recorded message scams - The number you’re asked to call back may be a recorded message telling you that you’ve won a prize, and giving you another number to call to ‘claim’ it. But this second number may be a premium rate one. Also, your prize may be nothing more than a ring tone subscription - which can also be a fraud.
Text / Whatsapp message scams - You’re receive a text/whatsapp message from a number you don’t recognise. The message is worded like the person knows you. When you reply, you inadvertently confirm your phone number exists and therefore you will have a billing account. Whether you text or call, your curiosity leaves you open to a potential premium rate call. If you texted back, you find out later that you’ve been charged a high rate for your text (and sometimes for your received texts as well).
Online Shopping ScamsOnline shopping has become the normal. It saves time and gives you a choice of suppliers from around the world. It also gives fraudsters the opportunity to reach a wider audience and hide behind the internet. Shopping can be anything from clothes to holidays, auction sites to computers.
Just because someone says their company is .co.uk or .co.za does not mean they are located there!
The key trend in online fraud is to encourage you to pay outside of the main site – offering a discount to do so. If you do pay outside, you will certainly lose any protection provided by the host site.
Goods could be counterfeit, stolen and even non-existent. Fraudsters will sell goods or try to buy yours.
Whether you are buying at an Auction site, a Holiday Villa, Flights, Tickets for Concerts or Theatre, Employment Opportunities, the fraudsters operate much in the same way.
Look for ‘spoofed’ web-site names like ebayz, Amazn ArBnB, etc.
- Check the description carefully. Read the fine print - The wording is key. It is written to give you assurance and mislead.
- Check the seller’s feedback history or if they are a new seller.
- Private messages offering to buy/sell directly are always a ‘red-flag’.
- Is the offer, too good to be true (like any good scam!)
- This affects children as well as adults. A ‘gamer’ has seen an advert on a social media channel which claims that by following a web link and entering some information, they will receive free currency for the game.
- Fraudsters will ask the victim for information about their account, their phone numbers, which will then allow them to log in and create fraudulent charges and subscribe them to premium rate calls.
- They may also ask for ‘virtual’ Pre-paid cards to be purchased and to forward the ID number, to access the Gaming currency.
Holidays / Apartment Rentals
The Holiday / Vacation Villa may exist, but it does not belong to the advertiser!
- If they say they belong to a trade association, check their claims.
- Does the property have its own web-site
- Are the photographs from another property (Check by using a reverse image search)
- Is the contact phone number from that country?
- Have you checked the address on Streetview?
- Have you looked for the Villa being advertised elsewhere, at a possible higher (true) rental rate, with a different contact number?
Tickets – Shows, Concerts, Theatre
- Where important social events occur, so do fraudsters.
- When you want a ticket, they will sell you one, even if they don’t have one.
- Always use an approved web-site and do check the promoter allows resales first – Many do not.
- Tickets can be counterfeited or they may be stolen – check the news and site feedback.
In the UK, STAR – Secure Tickets from Authorised Retailers help to reduce fraud, but still check if someone says these are a member –anyone can put a logo on their website.
PasswordsThe problem with passwords is that we need so many of them. So, we create simple passwords or use the same password for multiple accounts to make our lives easier. And make the lives of hackers easier too.
A hacker can crack an eight-character password of lower-case letters fairly easily and quickly. However, by using a 15-character password with uppercase and lowercase letters, combined with numbers and symbols, it becomes far more secure.
Seven ways to practice good password management
- Don’t give your password to anyone else. No bank will ever ask you for it.
- Create a different password for every account
- Create a at least 15 characters long, if possible. Use upper and lower case letters with numbers and symbols i.e. 1nvestecZebra$tripe$! Although it looks complex, it will actually be easier to remember
- Never use information in your password that can easily be found online, like your date of birth or family names.
- Enable two-factor authentication for online banking accounts if possible. 2-Factor (as it is known) is when you receive a one-time password to a pre-registered device (like a mobile/cellphone) after you have signed into to your account, to ensure it is really you logging on and not a fraudster .
- Don’t store passwords on your computer, phone or tablet. Lost devices with data backed up to a cloud account will, if hacked, provide cyber criminals with access to all the passwords that you have saved to the device.
- Never save passwords when prompted by your browser.
PhishingSimply, an e-mail from a fraudster who is impersonating a bank, claiming your security has been compromised or a retail company you may have purchased from in the past, in the hope you will not notice it is a ‘spoof’ e-mail and click on the hyper-link contained in the email. The link may download Malware or take the victim to a web-site which is a mock-up of the bank or retail company, in the hope the victim will try and logon, disclosing their Username and Password.
See also Spyware or Malware
Recruitment / Employment ScamsFraudsters set-up fake job ads via legitimate web-sites for vacancies that do not exist.
They encourage people to submit CV’s / Resume’s with detailed personal information that can be harvested towards Identity Theft.
Operating out of rented service offices with mail forwarded, they give the impression of an established business in a prestigious area. The fake ads will use words like ‘work from home’, ‘no experience necessary’ or ‘part-time 4 hours per week’.
They can also be a recruiting point for ‘Money Mules’.
Try to research the company. Are there detrimental comments on a blog somewhere? Be cautious.
They obtain money in several ways;
- The fraudsters request an up-front payment for submitting your application.
- If the job is overseas, they will ask for payment to organise travel, accommodation and visas, as of course the victim was successful in their application and a ‘face to face’ interview is required
- They will ask for bank account details to set up salary payments. These details help them to remove money from the victim’s account.
There is no job and any fees paid go straight to the fraudsters. Victims may already have given up their previous job and made new accommodation arrangements.
See more details – Online Scams
Spyware, Trojans, Key-logging, RansomwareAll of these are malicious pieces of software which have been downloaded to the victim’s computer. They send data back to the fraudster on what type of computer the victim has, if their anti-virus or operating software is up to date.
From this they know how to take control of the machine and with key-logging software they can record account numbers and security passwords of a victim’s bank account.
Ransomware is just that. It takes control of your PC and demands money, before the release code is given to free up the PC.
See more information in E-Mails
Technical SupportSomeone calls and claims something is wrong with your computer. You haven’t noticed any issues.
Fraudsters may claim to be from Microsoft, a computer manufacturer, your internet or national telecom provider and state that according to their equipment, your computer is running slow and they can help, to give you a better service.
They may claim they are upgrading the wi-fi / broadband speed in your area and need to access your machine to configure it correctly.
They will ask you to look for certain files – and claim these are viruses - Of course they are not, just files that exist on every computer. It just makes them look legitimate.
They may even ask you to delete them – and because your machine does not stop working, again, they make themselves look legitimate.
Expect a few technical-jargon phrases on the way to confuse and impress you.
All this is to gain your confidence and encourage you to concede, when they ask you to help them switch-on ‘Remote Access’ or sell you a (worthless) I.T. Support package.
Don’t believe anyone who calls and says and claims to be the telecom company / Technical Support.
If your computer was not working well – You would know!
Simply - Never give control of your computer to a third party.
VishingIs simply a fraudster or con-person, telephoning you and trying to convince you they are someone you trust and after gaining your confidence, obtain your money.
By pretending to be your bank, the Police or someone in authority, it is far easier to trick you into giving away your password than trying to use a complex system to ‘hack’ it.
Vishing attacks are designed to generate fear with an immediate response from the victim.
They may tell you your utility bill had not been paid for several months and needs paying immediately… Their intention is to get you to call them and key your card number into their machine, with your security code. Or they may just simply connect you to a premium rate number and you will not know until your real Phone bill appears.
As the attacks get increasingly global and sophisticated, fraudsters are using pre-recorded messages, which means they can leave voicemails and do not even have to speak English. As a victim, you might believe a pre-recorded message because that is what your bank normally calls you with.
The simple prevention is to listen carefully to any voicemail left, don’t panic and remember your bank or anyone calling you that you know, has already sent you mail with their contact details, so you can call them from their number, not the one the fraudsters left for you.
See also Phishing , Spyware or Malware
Wi-Fi and SniffingBe cautious when using public Wi-Fi. There is software called ‘Sniffing’ that registers what you do and where you go. Free wi-fi is risky, but even a password controlled Wi-Fi belonging to a bar or café for example, still means a hacker has also logged on, just as you did.
Public Wi-Fi is generally unsecure. This means using their software, fraudsters can read your Usernames and Passwords in plain text (not encrypted) as you logon to social media sites, email or any site you use.
Using additional software they can even capture your ‘cookies’ to mimic your login, after you have left the Wi-Fi network.
Some web-sites do offer secure connections https:// when you login, but not all do. However all that means is your password is safe, but not your ‘cookies’. So, with your password obtained from another web-site you just logged into on the Wi-Fi (because you use the same password!), they can now mimic your Login, after you have left the Wi-Fi location and help themselves to your social media, shopping or bank accounts.
We advise our clients NOT to logon to their banking systems using public Wi-Fi, free or with a password, as both of these networks are unsecure and may have hackers logged in.
ZebraLast but not least, the most important thing to remember with fraud prevention
You will never receive a telephone call from any bank, the Police or other trusted organisations asking you to;
- Make a payment or transfer money to a ‘safe’ account.
- Disclose your PIN.
- Divulge Passwords or Authorisation codes.
If you suspect any fraud or suspicious transaction or call, contact the CSC Customer Service Centre immediately. They are open 24 hours, to manage any queries you may have.