Phishing scams are on the rise, here’s what you need to know

‘Cyber’ scams have risen exponentially in the last five years. They are now the largest type of crime in the UK according to Which? magazine. Recent reports by the European Commission and The Crime Survey England and Wales demonstrate terrible emotional as well as financial impacts.

At BpH Wealth, all necessary steps are taken to help ensure our clients are protected. Part of my role as Compliance Manager is to keep track of the latest in the world of scamming. I implement security and procedures to ensure that the data of our clients and staff is protected. I also believe it is important to update you on what we are learning to help you protect yourself at home.

Phishing is a common scam

Phishing is one of the most common types of scam. It occurs when scammers use emails, text messages, calls or fake webpages to trick you into giving them personal information. Your personal information is used to pose as you to a third party or as a trusted source like your bank, an anti-virus provider, HMRC, the police or a bills company.

In a phishing scam, cybercriminals will typically want to get your:

  • Date of birth
  • Password information (or what they need to reset your password)
  • National Insurance number
  • Phone number
  • Credit card or banking details
  • Home address

If affected, you should act with speed

1. Change your passwords: This makes them useless to the scammer. You should never use the same password for different accounts. If you do, change the password for every account. Your password should not be related to any information a scammer could easily find out, e.g. date of birth or children’s names.

2. Check your bank for any suspicious activity: Even if nothing appears to have happened yet, you should call your bank and let them know you may be under particular threat. If you have any planned payments coming up, you may want to let them know so they are not blocked.

3. Contact us. We have had scammers posing as clients, including recently. We have procedures in place to combat this; the sooner you contact us the better.

4. Contact Action Fraud: Action Fraud is the UK’s official reporting centre for fraud and cybercrime. Reporting can be done online here, by forwarding suspect scam emails to or reporting scam texts to 7726.

5. Get support if you need it: This document details the services available for emotional, financial and legal support.

6. Stay Vigilant: Being scammed once increases your chance of having more attempts against you in the future.

There are several kinds of phishing scam

Email or Social Media Hacking

Scammers gain access to your account if you input your information into a nefarious site that may seem legitimate. Some scammers use malware to hack into your computer, phone or accounts just from you clicking a link in an email or a message. Once hackers have access, they can send messages to your friends and family posing as you. They may pose as you either to solicit money or personal information from your contacts. They may also hack your contacts’ email to keep the cycle going.

A malware virus can normally be removed by a system update or installing anti-virus software from a reputable company.

Watch out for:

  • Friends or family asking about strange messages
  • Sent messages you don’t recognise
  • Your sent messages are deleted or you don’t appear to be getting new messages
  • Difficulty logging in to your email or social media account

While a hacked email often sends out automated messages, they can be more sophisticated. Elspeth Bedford, our Client Services Manager, received an email from one client asking to sell £10,000 of their investments for a friend who badly needed help. They reported that they couldn’t speak at the time because they were “spitting blood”. Sometimes scammers will make up oddly specific circumstances to convince their victims that it must be real.

Elspeth followed our best practice and rang up the client to check if the request was legitimate. They were in fact not “spitting blood” and had not sent the email. They reported that many of their friends had also received emails asking for money but had not yet taken action. Clearly, the scammer had realised that BpH Wealth dealt with the client’s finances and sent us a bespoke, targeted email.

It is imperative that action is taken as soon as you suspect your account is compromised. The longer the scammer has access, the more they can read your emails and the more targeted and convincing their messages can become. This attempted scam came as the result of a phishing attack and was clearly reasonably sophisticated. We have procedures in place to ensure scams like this are not successful. However, it is not hard to see how a scam like this could succeed if the perpetrator sends the right email at the right time.

Messaging through SMS, WhatsApp and Social Media

Scammers may pose as a company or other organisation to trick you into giving them personal information or paying them directly. Commonly, scammers pose as a bank or HMRC claiming you need to pay an outstanding balance or that someone has tried to log in to your account. They may also pose as a utility provider, or a delivery company like Royal Mail or DPD. These messages will often provide links (e.g. to ‘track a parcel’) to steal login or bank details, or install a virus after you have clicked a link. Scammers will often use identity masking technology, so the name displayed as the sender looks genuine.

These scams are generally easy to spot if you know how. If an organisation you know is contacting you by a different method than usual, you should be wary. A genuine organisation will never contact you out of the blue and ask you to verify your details, request personal or banking details or tell you to transfer money via a message. Banks or HMRC especially will never ask for personal details through an SMS or message.

Never reply to a scam message. If you’re not sure a message is real, log in or contact the organisation directly rather than using a link.

Pre-emptive measures

1. Protect your computer and smartphone by updating to the latest operating system. Updates to your computer or phone will contain new measures to deal with the latest security threats. Set the software to update automatically so it is always best equipped to deal with viruses.

2. Protect your accounts by using two- or multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called two- or multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:

  • Something you have — like a one-time use passcode you receive via text message or an authentication app.
  • Biometric — like a scan of your fingerprint, your retina, or your face.

Multi-factor authentication makes it harder for scammers to log in to your accounts, even if they have your username and password. Two examples of authentication apps are Google Authenticator and Microsoft Authenticator. Both are free and easy to set up on your smartphone.

3. Use a password manager alongside multi-factor authentication. Password managers keep all your passcodes in a digital vault, which will mean you never have to worry about forgetting your passcode. This allows you to have different passwords for every account. Having two-factor authentication for your password manager means a scammer will not be able to get into your vault with your passcode alone. A list of password managers can be found here.

4. Protect your data by backing it up. Backing up your data regularly to cloud or online storage will ensure you do not lose it if it is compromised. You can copy your computer files to an encrypted external hard drive or cloud storage. In addition, back up the data on your phone and other devices too.

To ensure something is not a scam:

1. Check who is contacting you. If an email comes from a company or other body relevant to you, check the email address by clicking on the name of the sender so that the full address is visible. Often, but not always, the actual address will either be a code or something that only looks similar to the real address. The email signature at the bottom of the email may also look different from the official one.

Although these are good initial checks, sometimes email addresses cannot be distinguished from the real thing. You should always be suspicious if someone is calling you from an international or blocked number, a company contacts you using details you didn’t think they had, or if an organisation calls with an automated message.

2. Don’t use suggested links or phone numbers. It is sensible to call an official number or visit an official site instead of using the ones provided in an email or other message.

3. Take time to think. If you get an email or message giving you a very short deadline, or someone is trying to threaten you with consequences if you don’t do what they say, it is likely to be a scam. No one should ever rush you into making a decision concerning your money or confidential data.

4. Be aware of the signs. A genuine organisation should never contact you out of the blue and ask to verify personal details or transfer money.

5. Never input information into a website that does not have https at the front of the web address. The ‘s’ in ‘https’ stands for ‘secure’. Any inputs into a site that is not secure could potentially be stolen by third parties.