Resorting to this

There was no coincidence in the timing (again) of a number of social media posts I woke up to today, the so-called “Freedom Day”. The hot weather here in the UK has seen hundreds of thousands of Brits head to the beach as the “staycation” has taken over from the “vacation”. Many prospective holidaymakers will not risk booking an overseas trip just yet whilst the destinations list remains so fluid in terms of restrictions going out and coming back in. So most of us will stay right here in the beautiful British Isles.

With restrictions being eased, bookings at some of the most popular locations have understandably gone through the roof. One of the most popular family destinations is Center Parcs, who have a number of parks across the UK, with plenty of outdoor activities for all as well as restaurants and their spa facilities. Such is the demand for accommodation in their parks that it is often hard to find any free spaces. But fear not, because they are offering a free break for four people, plus spending money and all travel paid. And it couldn’t be easier to enter the competition – just share the competition page on Facebook, comment and like it. Who wouldn’t enter that with it being so easy?

Except we all know that because it is too easy there should be a red flag being frantically waved in our heads. Let’s take a look at what can be found on Facebook.

Picture 1 is a genuine Center Parcs UK post – a news story about a location for a new site being found in West Sussex. There isn’t a call to action, the spelling and grammar are spot on, the logo is correct, the name of the company is also correct and they have been verified with the blue tick.

Picture 2 is the first attempt at trying to pretend to be Center Parcs. As you can see they have made a terrible attempt at spelling the company name, plus there is some poor grammar in the text. Picture 3 is better: at least the name is correct, but the logo isn’t. The pictures are taken directly from the Center Parcs website.

Irrespective of whether they look genuine, why would Center Parcs have any reason or motivation to give away such a prize? They are turning people away, such is the demand for staycations. Why would they need you to “Like”, “Share” and “Comment” on the post?

Because this is all about collecting as much personal data from social media users as possible which can be used or sold on at a later date. When I first saw the “competition” on Facebook, over 33,000 had shared it, even more had liked it. Who is to say that a significant percentage may be contacted because they have “won” the holiday? What is the next step? An admin fee payable, which requires bank details to be shared?

I know the last 18 months have been tough on us all, and the thought of a holiday is incredibly tempting which is why we all need to be extra vigilant and really think before we are tempted to act. If you see similar offers, take a step back and ask “what’s in it for them”? Big brands rarely give away anything so cheaply, yet thousands of social media users will.

Topical hacking

Let’s roll back a week when everything was rosy in the English garden – well, at least in terms of football. The nation was on a high as a victory over Denmark in the European Championships Semi-Final would see the country take on Italy for the right to be proclaimed Champion of Europe. Talk was of trying to find tickets and replica shirts, both as rare as an England appearance in the final itself.

With little chance of finding a current replica shirt, unless you were a politician where it seemed you only had to stand in front of a camera to get a “box fresh” one, complete with creases, fans looked at the next best thing and went retro. Like any sporting side, there have been a fair few terrible kit designs over the years mixed in with a few design classics. Thankfully, most of the latter (and some of the former), have been produced again and sold through websites over the last few years. In fact, the retro sporting shirt market is probably as strong today as it ever has been, with many fans shunning the incredibly expensive new shirts and preferring the bygone day look.

One company that has been providing these retro shirts for many years is Classic Football Shirts. They offer a fantastic range of replica shirts (over 30,000 different shirts) at decent prices and are an example of a small business that has found its niche and become quite big (remember my adage of “Get Big, Get Niche or Get Out”? Here’s an example of how being niche can lead to growing big). With the whole nation becoming gripped with football fever, what better time to buy a retro shirt?

Sensing the demand out there, as if by magic emails started appearing in inboxes from the company offering a 15% cash back on previous orders to customers – what a fantastic gesture. Except it wasn’t from Classic Football Shirts. The emails looked like they were but there were some tell-tale signs that it wasn’t from them. The emails were phishing attempts, looking to cash in on the football euphoria and a short supply of the replica England shirts.

The email address it came from had an extra “s” in – – a domain name registered on the 25th June which at first glance doesn’t raise any red flags. The email itself contained poor grammar that should have been a warning sign for a scam, but for many customers not based in the UK, or who may not be fluent in English, it was an offer too good to miss. All they needed to do was click on a link in the email and complete the form to get their 15% cash back.

The firm reacted quickly when it became aware of the issue (within 30 minutes of emails being received by customers), promising an immediate investigation. They took the correct course of action in contacting the authorities and informing customers of the situation. What is clear is this was a very deliberate and targeted attack, with the fraudsters taking advantage of the footballing euphoria in the country. The domain name still appears to be registered although any website attached to it has been removed.
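The two checks described here (a sender domain that differs from the real one by a single extra letter, and a domain registered only days before the emails went out) can be automated at the mail gateway. The following is an added example, not code from the post or from Classic Football Shirts; the domains, the registration date and the cut-off values are constructed for illustration, and the registration date is passed in rather than fetched (in practice it would come from a WHOIS/RDAP lookup). The same domain-age check applies to the recruitment-scam advice later on this page about recently registered company domains.

```python
"""Flag a sender domain that looks like a trusted brand domain.

Added example (not part of the original post).  It measures how far the
sender's domain is from a list of domains you actually trust and combines that
with the domain's registration age.  All domains and dates are constructed.
"""
from datetime import date


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b.  An 'extra s' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label a scammer has to imitate (the one just before the
    public suffix).  Simplification made for this example: a short list of
    two-label suffixes, everything else treated as a one-label suffix."""
    labels = domain.lower().strip(".").split(".")
    two_label_suffixes = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_label_suffixes:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def assess_sender(sender_domain, trusted_domains, registered_on=None,
                  today=None, max_distance=2, young_days=30):
    """Return a list of findings; an empty list means nothing suspicious.

    registered_on: date the sender domain was registered (constructed here;
    normally obtained from WHOIS/RDAP).  today: evaluation date, for tests.
    """
    sender = sender_domain.lower().strip(".")
    for trusted in trusted_domains:
        t = trusted.lower()
        if sender == t or sender.endswith("." + t):
            return []  # the trusted domain itself, or a real subdomain of it
    findings = []
    for trusted in trusted_domains:
        d = levenshtein(registrable_label(sender), registrable_label(trusted))
        if d == 0:
            findings.append(f"same name as {trusted} under a different suffix")
        elif d <= max_distance:
            findings.append(f"lookalike of {trusted} (edit distance {d})")
    if registered_on is not None:
        age = ((today or date.today()) - registered_on).days
        if age < young_days:
            findings.append(f"domain registered only {age} days ago")
    return findings


if __name__ == "__main__":
    # Constructed case mirroring the post: one extra letter, registered 25 June.
    print(assess_sender("example-shirtss.co.uk", ["example-shirts.co.uk"],
                        registered_on=date(2021, 6, 25), today=date(2021, 7, 8)))
```

A gateway rule would quarantine or tag anything that returns findings, so the poor grammar is no longer the only signal a non-native reader has to rely on.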

Whilst there are still ongoing investigations on the source of the attack and what data was used by the scammers, it is a timely reminder to all of us about taking a moment to check any similar offers that appear to be too good to be true. In this case, asking yourself why the company would simply be giving free money away, rather than discounting future orders for instance? It doesn’t matter how small or big an organisation is – one of their core objectives is to make money and giving it away is contrary to that strategy.

A week on and we are all footballed out. The bunting has come down, the wallcharts have been put away and those little flags you attach to the windows in your car lie discarded on roads up and down the country. Security incidents like this remind us that no firms are safe from the eyes of the fraudsters and that we, as consumers, need to be cautious about any too-good-to-be-true offers we receive. In doing so we all become part of the solution rather than the growing problem of online fraud.

It’s coming home…but is it real?

After 18 months of restrictions, regulations and downright misery for many in England, the performance of the England National Football Team in the European Championships has been a source of escapism for many and downright joy and national pride for the rest. In case you didn’t already know, it’s coming home* this week. Should England overcome Denmark at Wembley on Wednesday night they will face a final in London on Sunday night against either Italy, the favourites, or previous winners Spain. It’s a tough ask, but the team under the management of Gareth Southgate has given the nation hope at a time when it was seriously lacking. Good times indeed. But good times also bring bad people out in force, looking to exploit the situation and profit from the opportunity.

The interest and support for the England team has led to unprecedented demand both for tickets for games to see them play at Wembley and for replica shirts. Prior to the tournament, an official Nike England shirt (adult size) would cost a minimum of £70, and there was stock with most of the online retailers. Three weeks later and it is almost impossible to find one in the same stores.

That is excellent news for Nike, the manufacturer, the retailers and also the Football Association, who will also get a cut from each sale. But it is also excellent news for the scammers and counterfeiters who will play on that increased demand and limited supply to fill the vacuum. There have been adverts on social media in recent weeks, carefully designed to say they aren’t selling the actual Nike replica shirts, but using language and imagery that suggests they are. Many of these stores will be genuine, but the products not what people are expecting. But there will also be online retailers who are offering what appears to be the genuine items but nothing will ever arrive – the buyers have been scammed out of personal and financial information. That is hardly a feel-good moment. Unfortunately, it doesn’t take much searching to find websites selling the shirts at what appears to be too-good-to-be-true pricing (search “cheap England replica shirt” and see for yourself), whilst a search on some of the more popular marketplace websites reveals very cheap products, but using imagery from the back, which means the images avoid detection by brand recognition software and also allows the sellers to ship low quality goods.

The cheap and often infringing merchandise situation is nothing new. In the US, Operation Team Player is the annual crackdown on merchandise around the Super Bowl. In the days leading up to the last Super Bowl in Tampa in February 2021, over 169,000 counterfeit items, with a street value of $44 million were seized. The war on counterfeits continues, fuelled by rampant demand for products such as the replica shirts.

It isn’t only fake merchandise which will cause issues in the next week for football fans. Whilst the number of fans allowed into Wembley has increased as social distancing regulations have been relaxed, the 90,000 capacity stadium will not be full, which means tickets will be at an extra premium. The face value price for tickets for the Final on Sunday range from £250 to approximately £815. Ticket resale websites are selling them from £1,800 per ticket up to £15,000.

If England do beat Denmark then demand for a place at Wembley for the team’s biggest game in over 50 years will be huge. The good news is that Covid-19 has meant that paper tickets have been replaced by e-tickets, which can be transferred securely via the UEFA App, so the sight of ticket touts/scalpers, on the way to the stadium with fistfuls of tickets is thankfully a thing of the past. However, like genuine buyers, they too have gone digital and will claim to be able to transfer tickets immediately to a willing buyer.

With entry on digital devices by QR Codes, the danger is that rather than tickets being sold, they are screenshots of a genuine ticket, sold multiple times, which can only be verified as genuine on arrival at the stadium and presentation of the QR code. If it has already been used, then access will be denied, meaning someone could have paid a huge sum for what appears to be a genuine ticket, only to find out at the last minute it is counterfeit.

Unfortunately, there is very little that can be done to stop this happening – should England lose to the Danes then that is one way whereby demand will fall very quickly, but even then tickets will be changing hands above face value for the final.

The message hasn’t changed – if something looks too good to be true it probably is, whether that is an England shirt for a big discount or tickets to the sold out final. Whilst we all want to play our part in supporting our nation in what could be our biggest and most successful week of football since 1966, we also need to be pragmatic enough not to be part of the problem fuelling intellectual property infringements and making the lives of the fraudsters easier and richer.

Enjoy the games and Come On England!

And yes, I do believe It’s Coming Home*

*It’s coming home is the opening line to a song, first released back in 1996 by Frank Skinner, David Baddiel and The Lightning Seeds for the 1996 European Championships held in England, and re-released two years later for the 1998 World Cup. Unfortunately, England didn’t manage to bring the trophy home on either occasion, nor at any subsequent tournament they have taken part in.

The reality behind the smishers

We are all familiar with the scam text messages that have become so common over the last year. The fraudsters have adapted their business models, realised that quantity rather than quality is the way forward and have bombarded us with requests for payment for undelivered parcels, fines for social media transgressions, payment requests to jump the Covid testing and vaccination queues and all such variants. Many of the texts have been poorly written with spelling and grammatical errors, whilst some just use URLs that are clearly not right. Those scammers are reliant on the less clued up recipients not checking or realising what they are doing.

The motivation for the fraudsters is always financial gain. Even if by following a URL there is no request for payment or money, the chances are that somewhere, someone will profit from your action. That may be simply confirming that the mobile number is genuine and can be sold on to another fraudster, or that there has been a download of malware onto the recipient’s computer, which in turn could be used to gain resellable or reusable personal and financial information. In worst case scenarios, personal medical information could be shared, which is incredibly valuable to fraudsters.

The warnings about these scams are being broadcast but they are often lost in the noise of everyday life. If you are suspicious of any text message you receive, you can report it to your mobile network operator by forwarding the text (in the UK) to 7726. Your network operator will then investigate.

But it is rare that we hear of major successes in tackling this simple form of fraud. Last week, though, police in Manchester raided a hotel room and arrested a man, as well as removing equipment that had been used to send over 26,000 text messages in a single day claiming to be from courier and logistics firm Hermes, asking for payment to re-arrange a delivery. Such text scams have been on the rise in recent months, with the fraudsters trying the tactic of asking for a small payment (usually under £2) and hoping that it will not raise any concerns. However, the small payment is only the start of a bigger scam, as the fraudsters then have personal and financial information they can exploit even further.

Example of a Hermes text message received last week

Not only did the arrested individual have the equipment capable of creating the fraudulent text messages, but he also had over 44,000 mobile phone numbers stored, ready for more smishing attacks. Whilst this was a major success for the police, it is only the tip of the iceberg. There are likely to be hundreds of similar individuals up and down the country who are running similar operations at the moment, creating havoc on a daily basis.

The diligence of the police and authorities is key in the war against fraud, but we all need to be ready and willing to take to the battlefield in the fight. That means questioning every suspicious text we receive, reporting them if necessary but, most importantly, not giving the fraudsters any fuel to continue their operations by not engaging in any way with them.

Copy that. No return on investment from cloned firms

Investment scams have been with us for hundreds of years. The South Sea Bubble investment scam dates back to 1720 and cost hundreds of investors their life savings. Ponzi schemes were the flavour of the times at the turn of the millennium to entice innocent investors to part with their money, whilst the current trend of cryptocurrency-based fraud is a major concern for authorities.

The 2000 film ‘The Boiler Room’ focused on a chop-stock brokerage firm that runs a “pump and dump”, using brokers to create artificial demand in the stock of delisted or fake companies. When the firm is done pumping the stock, the firm’s founders sell and trade for legitimate stocks for record profits. However, the investors then have no one to sell their shares to in the market when the price of the stock plummets, causing them to lose their investment.

Whilst the film focused on the fictitious investment firm “J.T Marlin” and their illegal practices, it isn’t a pure work of fiction. Rogue investment companies exist today, to such an extent that the Financial Conduct Authority (FCA) have issued a report on clone investment scams.

In 2020 scammers sold more than £78 million in fake investment products in the UK alone, with the average loss to victims over £45,000. Some may think a 20 year old film was a work of fiction but it seems that clone investment firm scams are closer to the truth than we all believe.

The modus operandi used by many of these fraudulent firms is in the first instance to replicate/copy/rip-off legitimate firms, licensed in the case of the UK by the FCA. Websites can be quickly copied, replacing the name of the firm and the logo within a few minutes. Domain names can be easily registered, now using relevant gTLDs such as .Fund or .Investments, investment material and fake prospectuses can be generated quickly. It doesn’t take too long, too much investment and too many innocent victims for a fraudulent financial services firm to be making a profit.

The concept of the “Boiler room”, a high pressured, cold calling sales environment is often the starting point for the fraudsters, using cheap labour to plough through lists that have been bought, often segmented through social media interactions and profiles so that the calls are never truly random. But the nature of that conversation will be very much focused on the hard sell of these “once in a lifetime” investments.

They’ll try to convince you that they work for a genuine company and use high-pressure selling tactics to get you to buy ‘investments’. These ‘investments’ are worthless and often aren’t even offered by the company they’re pretending to be. Some may make multiple calls to build that element of a relationship and thus credibility. However, the investment and the subsequent promised high returns don’t exist.

Whilst most of us will say we wouldn’t fall for such a scam, we do. As the figures from the FCA prove, this is a highly lucrative business for the fraudsters, one that has delivered at least £78 million in the last twelve months to them, and that is only the cases that have been reported to them.

The common sense approach is that if something sounds too good to be true, especially financial investments, it probably is. Regulated investment firms in the UK operate to a Code of Conduct and will not simply call anyone up randomly and ask them to invest over the phone. Virtually all regulated financial services companies will contact you via secure message. They certainly won’t ask for deposits to be sent via PayPal, Western Union or, normally, bank transfer.

If you are in any doubt, check their details on the FCA website. If they do appear on the register but you are still unsure, look up their details and call them or email using those to check if the approach was genuine. Incoming phone numbers are easily spoofed by fraudsters to make it appear they’re calling from the expected location or company, as too are emails.

A few minutes of research could save you being the victim of a scam that could cost you thousands.

Interview techniques

Having spent the last few months looking at opportunities in the marketplace, I am getting familiar with the tactics used by organisations to “streamline” the process. The last time I was looking for work was sixteen years ago, when LinkedIn had just started to be a thing and the reliance was on searching print media for job openings as well as some of the bigger online recruiters. Most insisted on a face-to-face interview to discuss your CV, your job ambitions and what potential openings they had.

Today, it has all changed. It is now very easy for a company to post a position online, create an automated process and quickly create short-lists based on algorithms, AI and automation. The consequence is that far more applicants are applying for each job listed, because the odds of making a short-list have been significantly reduced as the filtering based on a CV or a LinkedIn profile can be done by computers in seconds. Consequently, with the human element of the initial job search removed in many instances, more applicants apply, creating a catch-22 situation.

In the excitement to find an interesting role that ticks as many boxes as it can, we are often prepared to give away more personal information than is often needed. But we do so because the prize is so worthwhile. Except, what if there isn’t a job? What if the ad posted online is simply an elaborate phishing scheme to get candidates to share personal data that could be used for their financial gain?

Employment/Recruitment scams are nothing new. They have been with us for many years and have cost some victims thousands of pounds. There have been cases of individuals selling up and moving their families to a new country because they have a new role only to find on day one that there was never a job and the fees they paid to sort out visas or short-term accommodation have been pocketed by fraudsters. But the acceptance of our digital lives today has led us to be less cautious when it comes to giving out personal details.

It would take a fraudster a matter of minutes to create a fake company profile on Social Media, adding in a few exotic office locations, a fictitious management team and of course, some interesting open vacancies as the company looks to expand into new markets. Applicants for the roles need to submit CVs, a cover letter and complete a suitability questionnaire, all designed to glean information that could be resold on, or used by the fraudsters themselves to lure the candidate deeper into their web of lies.

Sounds far-fetched? Well, have a read of this article, written by security expert Brian Krebs, who reports on just this type of scam taking place a few weeks ago. This is just one example of a practice that is still far too common, especially as it looks to exploit those who may be in desperate need of employment. We need to take as many cautionary steps when seeking a new role as we do when buying from an unknown online store, or responding to a dubious text or WhatsApp message, and be especially wary if the firm approaches you cold, with an amazing offer of employment.

It doesn’t take much to determine whether a job opening is real or not. Whilst many of us will use LinkedIn or popular job sites such as Indeed, most firms will also list the roles on their own websites. So a starting point is to check to see if the role exists there. Still unsure about the company? When did they register their domain name – if it appears very recent and through a proxy registration that should be a red flag. Look at their address on an online map – does it appear to be real? When you search for the address, what companies are listed? Use tools such as Glassdoor to check on what current and former employees say about the business. Also, search for key individuals on LinkedIn – do they appear to be genuine?

The global economy is still in a state of flux and with economic support for many firms slowly being reduced, the employment market is likely to hot up again. A major “supply” of available people will ultimately increase the demand on vacant positions, and the one thing we know from the world of the fraudsters is when demand increases, so too does fraud.

Just too good to be true…again

We’ve all seen the giveaways on Social Media – whether they are free meals, free holidays, free technology and free cars and we’ve all reacted in the same way, ignoring them. Or have we? Has one particular offer ticked all the boxes and we’ve been tempted?

That’s not a surprise – the amount of personal information available to advertisers on some social media networks means that ads are incredibly targeted today. We can see that in action when you click on a link for a product and then it seems our timeline is awash with similar offers – as we can see from the examples below, with these five different ads for the same items that appeared on my timeline within a few days – the legitimacy of the websites hasn’t been verified but that’s another story for another day. This is why social media advertising is an effective solution for many brands – the complex engagement algorithms ensure that we see, frequently, ads for products we like or at least appear to.

The more outlandish the giveaway, the smaller the number of people who engage. However, with over one billion active Social Media users, even a 1% engagement is a million people, all willingly giving away personal (and in extreme cases, financial) data that can be used by advertisers, or worse, sold onto scammers who have more nefarious intentions.

The modus operandi of many of these giveaways is the same. “Like our post, share it with your friends and click on this link so we know where to send the prize”. There is no prize, there is no giveaway. At best, you will be sharing that personal data; at worst, by following the link you could infect your machines with all sorts of malicious scripts and programmes that could seriously damage your wealth. The page may look authentic – correct logo, even some branding – but it is so easy to set up as the template of the pages is that of the social media network. People believe that if it is on Facebook/Instagram/Twitter then it must be real. Whilst the networks do their best to remove content that infringes on intellectual property, they often have to work reactively, and that means some damage will be done.

One recent example involved the car manufacturer Toyota, as reported in this article, with the promise of a new car for one lucky person, to commemorate the brand’s 80th birthday. Except their birthday was nearly four years ago and all someone has done is repurposed their marketing from 2017 to make it seem like a new giveaway. That is how easy it is to create these scams. The return on investment for those behind the fake giveaways is minute – personal information is very valuable to rogue parties and so it only needs a handful of people to engage with an ad for the scammers to be in profit.

It isn’t just expensive items that are given away though. One recent example, prior to the return to pubs and restaurants in the UK promised a free meal at a popular chain just for liking/sharing and submitting a few details. With over 50 million Brits unable to eat or drink out since Christmas, the pent up demand to return to something normal was such that no bar or restaurant would need to offer freebies to get people back!

It is unlikely that we will see less of these ads or giveaways, despite our vigilance, which is why we all have a part to play. As Social Media users we can report any ad that ticks the boxes of being suspicious so their abuse teams can investigate; as brand holders we can use monitoring solutions that detect the use of brand names in social media adverts and campaigns and can take action accordingly. But it is important we do something. The ads may have poor spelling, terrible grammar, use misleading pictures and clearly infringe on intellectual property to an extent that they are laughable, but unless we do something they will continue to get more sophisticated and dupe more people.

Bad maths – when 401 = 40

Unfortunately, it is rare that online fraudsters are caught, let alone prosecuted, which is why the news that one such criminal was arrested and brought to justice is something to note. The case in question didn’t rely on technology or high levels of complex deception, but it underlines that the simplest attempts at scams often yield the biggest results.

In April 2021, in the case heard in front of the Southern District of New York court, the Department of Justice won their case against a Nigerian man living in Atlanta, for conspiracy to commit wire fraud. The guilty party was fined $2.7m and imprisoned for 40 months for his scheme based on Business Email Compromise (BEC), a particular form of 401 scams that target firms to send money to genuine-looking third parties.

The defendant worked with a number of other individuals, all of whom targeted large organisations, both in the US and overseas, trying to trick them to pay bogus invoices. The court proceedings outlined the nature of the fraud as follows:

“The group perpetrated a fraudulent BEC scheme through which they deceived dozens of victims, both foreign and domestic, into wiring millions of dollars to bank accounts controlled by the syndicate. The fraud was perpetrated by sending victims “spoofed” emails, which purported to be from counterparties whom the victims knew and trusted, and which contained wiring instructions fraudulently directing the victims to send funds to accounts that were in fact controlled by the defendants and others involved in the scheme.”

In other words, the group gained knowledge of who some of the suppliers of services were to their victims, set up bank accounts in those organisations’ names and then sent fake invoices to the companies being targeted. One of the companies defrauded was an intergovernmental organisation headquartered in New York, who lost nearly $200,000.

Over the course of a two year period, 35 known organisations were defrauded out of almost $2.7m using a relatively rudimentary approach before they were caught by the FBI.

We are beginning to be accustomed to fraud and cyber attacks at an ever-growing level of sophistication, which is great. Staff are being educated to see the signs of BEC attacks, social engineering and malware attempts, but sometimes, as this case proves, we also need to ensure that basic procedures on the sign-off of invoices and payments are checked and checked again. Many organisations will use specialised payment systems that will ensure any authorised invoices to be paid will only go to the bank details held on file rather than on the invoice, but that shouldn’t stop any organisation just erring on the side of caution if something doesn’t look right.
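The control just described, paying only to the bank details held on file and holding anything that differs for a callback, is simple enough to express as a pre-payment check. The following is an added example written for this page, not the code of any payment system or organisation mentioned; the supplier master file, the invoices and the e-mail domains are all constructed sample data.

```python
"""Pre-payment check of an incoming invoice against the supplier master file.

Added example (not from the post).  The rule it encodes: money only ever goes
to the account held on file; an invoice whose details differ is put on hold for
an out-of-band call to the supplier on the number already on file; an unknown
supplier is rejected.  All records below are constructed sample data.
"""
import re

# Constructed supplier master file: vendor id -> details held on file.
SUPPLIERS = {
    "V-1001": {"name": "Acme Cleaning Ltd", "sort_code": "12-34-56",
               "account": "12345678", "email_domain": "acme-cleaning.example"},
    "V-1002": {"name": "Brightside IT Services", "sort_code": "65-43-21",
               "account": "87654321", "email_domain": "brightside-it.example"},
}

# Wording that typically accompanies a fraudulent change of payee details.
CHANGE_OF_DETAILS = re.compile(
    r"new (bank )?(details|account)|changed (our )?bank", re.IGNORECASE)


def _norm(value):
    """Strip spaces and dashes so '12-34-56' and '12 34 56' compare equal."""
    return re.sub(r"[\s-]", "", value or "")


def check_invoice(invoice, suppliers=SUPPLIERS):
    """Return (decision, reasons).

    decision is one of:
      'PAY_ON_FILE' - everything matches; pay to the account held on file
      'HOLD'        - something differs; call the supplier on the number on file
      'REJECT'      - vendor id unknown; do not pay
    """
    vendor = suppliers.get(invoice["vendor_id"])
    if vendor is None:
        return "REJECT", ["vendor id not in supplier master file"]

    reasons = []
    if _norm(invoice["sort_code"]) != _norm(vendor["sort_code"]):
        reasons.append("sort code on invoice differs from file")
    if _norm(invoice["account"]) != _norm(vendor["account"]):
        reasons.append("account number on invoice differs from file")

    sender_domain = invoice["from_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["email_domain"]:
        reasons.append(
            f"sent from {sender_domain}, expected {vendor['email_domain']}")

    if CHANGE_OF_DETAILS.search(invoice.get("body", "")):
        reasons.append("invoice text announces changed bank details")

    return ("HOLD", reasons) if reasons else ("PAY_ON_FILE", [])


# Constructed invoices: one genuine, one spoofed in the style the post describes.
GENUINE = {"vendor_id": "V-1001", "sort_code": "12 34 56", "account": "12345678",
           "from_email": "accounts@acme-cleaning.example",
           "body": "Invoice 42 attached, payable within 30 days."}
SPOOFED = {"vendor_id": "V-1002", "sort_code": "11-11-11", "account": "99999999",
           "from_email": "accounts@brightside-it-services.example",
           "body": "Please note our new bank details for all future payments."}

if __name__ == "__main__":
    for inv in (GENUINE, SPOOFED):
        print(check_invoice(inv))
```

Even when the decision is PAY_ON_FILE, the payment run should read the destination account from the master file and never from the invoice itself, so a matching-looking invoice cannot smuggle a different account number through.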

Pop Quiz

“The name of your first pet + your mother’s maiden name is your stripper name”

I’m sure we have all seen similar questions on Social Media that are designed “just for a laugh” and when we read some of the responses they can be quite amusing. But they are also very revealing. Too revealing in all honesty.

Mother’s maiden name is a frequent question that is part of identification and verification used by many banks and institutions that keep our personal and financial information secure. Whilst we may feel the question is harmless, if a criminal is trying to build a profile of someone, then it is another piece in the jigsaw. Questions about people’s first cars, favourite teachers and best holidays can easily be neatly packaged into something that looks fun on Social Media but is designed to gather valuable information.

Whilst “Speedy McGraw” may mean nothing to anyone else, to a criminal it is two pieces of valuable information they can use in the future not just to try to trick you into revealing more information by pretending to be from a bank or other official institute that needs to urgently discuss important matters with you, but can be very valuable to resell onto more hardened criminals whose intentions are certainly not whimsical.

A large number of people seem to think that because someone is asking a question on Social Media, their identity and intentions are known and well meaning. Few of us would respond to a random email asking “Can I just ask what your Mother’s maiden name is?”, nor would we give that information to a stranger who approached us in the street, but on Social Media, as part of a “bit of fun”, many people share away.

For those who are active on Social Media, it is important to ensure you have the right levels of privacy on your profiles and limit who can see that information. Is it really necessary to have your full date of birth on there, for instance? All your family members? First school? Pet names? And so on. Cyber criminals can build profiles of some people in a matter of minutes and then put in place sophisticated attacks that can be devastating.

We all have a part to play in keeping ourselves and those around us safe – a good starting point is just to think what you are sharing and who with.

Daisy May – April 2021, Milton Keynes

Why Vishing is on the rise

We’ve been used to getting email-based scams for some time. The original 419 email scams, so-called because the offence is detailed in section 419 of the Nigerian legal code, are for the most part very easy to spot these days as they follow the same modus operandi. Rich widow of a dictator, dying philanthropist, benevolent banker – the stories haven’t changed over the years – they are fanciful, easy to verify and simply too good to be true. However, fraud through email scams, or “phishing”, continues to rise. What has changed is the sophistication of the emails, the detail that the fraudsters go into to create their traps for innocent victims. However, it hasn’t just been the growth in phishing that has been worrying the authorities.

A new generation of smartphone users now favour message-based communication such as WhatsApp, Snapchat, Direct Messaging via Instagram and texting rather than email. That has seen the fraudsters adapt their approach and targets, and here the sophistication required is significantly less. Whereas an email needs to look authentic, using HTML-based email templates, branding and styles, a text message does not. As long as the call to action, normally a URL to click, contains the relevant keywords somewhere, then people will believe it.

The last year has seen a massive increase in the number of these text-based scams, known as “smishing”, with fraudsters looking to take advantage of our home-bound situations such as deliveries, as well as Covid-related situations such as testing and access to the vaccines. Examples of URLs seen include those where a well-known brand is included in the domain name string to make the URL look authentic.
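A defender-side heuristic for the brand-in-domain lures just described, written as an added example for this post (it is not the author’s code): it flags a URL whose host contains a known brand name without being served from that brand’s own domain, and also catches the digit-for-letter typosquats mentioned later in the post. The brand list, the short suffix list and the sample texts are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for illustration: each brand maps to the registrable domains it really uses.
KNOWN_BRANDS = {
    "royalmail": {"royalmail.com"},
    "hermes": {"myhermes.co.uk"},
    "nhs": {"nhs.uk"},
}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}  # tiny stand-in for the PSL
HOMOGLYPHS = str.maketrans("0135", "oles")  # digits swapped for letters in typosquats
URL_RE = re.compile(r"(?:https?://|www\.)\S+")

def registrable_domain(host):
    """'track.royalmail.com' -> 'royalmail.com'; 'x.y.co.uk' -> 'y.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_url(url):
    """Return the brand a URL's host trades on when that host is not one of the
    brand's own domains; None when the URL is the brand's own or names no brand."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if not host:
        return None
    if any(registrable_domain(host) in legit for legit in KNOWN_BRANDS.values()):
        return None  # served from a domain the brand really owns
    # Collapse separators and undo digit swaps so "roya1mail-redelivery.co.uk" matches.
    folded = host.replace("-", "").replace(".", "").translate(HOMOGLYPHS)
    for brand in KNOWN_BRANDS:
        if brand in folded:
            return brand
    return None

def scan_messages(messages):
    """Return (message, url, brand) for every lure URL found in the texts."""
    hits = []
    for msg in messages:
        for url in (u.rstrip(".,)") for u in URL_RE.findall(msg)):
            brand = check_url(url)
            if brand:
                hits.append((msg, url, brand))
    return hits

# Constructed sample texts in the style the post describes (postage fee, vaccine).
SAMPLE_TEXTS = [
    "Royal Mail: a parcel is waiting, pay the 1.99 fee at http://royalmail.parcel-fee.com/pay",
    "NHS: book your vaccine at https://www.nhs.uk/conditions/coronavirus-covid-19/",
    "Your Hermes delivery failed, rebook: https://myhermes-redelivery.co.uk/r/7",
]
```

Running `scan_messages(SAMPLE_TEXTS)` flags the first and third texts and leaves the genuine nhs.uk link alone; a real deployment would use the full public suffix list rather than the four-entry stand-in.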

One more recent, high profile scam, has focused on requesting a small amount, in many cases £2 or less, for postage on a parcel that is due for delivery. By asking for such a small amount, potential victims believe it is a genuine request – most of us have increased our online shopping and have pending deliveries. What harm does paying such a small amount cause? Actually, at the most extreme end of cases, almost everything you own as this story proves.

However, one of the main consequences of interacting with any smishing attempt is that it verifies that the mobile number is valid. Criminals buy mobile numbers in bulk on the dark web and send out these fraud attempts en masse. Any “live” number then becomes more valuable to sell on to other scammers, which is why you should never engage with any such text message you receive, whether that is by following the call to action via the URL or by replying to the text message.

Once fraudsters have a live mobile number then they can take their attempts to defraud to the next level, “vishing”, which is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

Vishing scams play on fear. Whilst phishing and smishing tend to play on victim confusion, such as using typosquatted domain names within a URL, or getting victims to reveal usernames and passwords on a convincing fake website, vishing attempts to scare victims into acting. A common example, one that I received myself just a few days ago, went along the lines of an automated voice telling me:

“Your National Insurance number has been used in a financial fraud on the border of North Wales. Press 1 now to speak to a fraud investigator to confirm that it wasn’t you. Failure to press 1 now will result in an arrest warrant being issued and you being summoned to court to face serious criminal charges.”

Not nice. Similar calls will use the subject of tax fraud, bank fraud or your car having been involved in a hit and run. The call to action is always the same though – “Press x to speak to an operative/agent/police/investigator now”. By pressing the key, the call is transferred to a real-life operative who will then go through a script to try to get you to reveal personal and financial details. They will claim this is to verify your identity “so that you won’t be charged/arrested” but in reality, as with the case highlighted in the BBC report, the details will be used to defraud victims to the maximum extent.

Whilst some may be tempted to play along with the fraudsters, attempting to engage with them for sport, the best course of action is to hang up and block the numbers on your phone, although in most instances they will be using unregistered SIM cards that will be destroyed or never used again. You can also report the numbers to the mobile network providers by sending details of the number used to 7726.

Technology means that vishing attempts will become more sophisticated over time, just as phishing emails have progressed from the original 419-style attempts. As they become more believable, it is vital that we all take a few seconds when we receive a suspicious call and, if it doesn’t feel right, ignore it.