/ Money, Technology

Could you spot a scam email?

scam email

The Office of National Statistics reports nearly six million fraud and cyber crimes are committed every year, with one in ten falling victim. So are you savvy at spotting scams or could a fraudster fool you?

If I believed everything I read in my junk folder I would be the lucky winner of countless competitions I didn’t enter, apparently several banks need me to urgently confirm login details and PayPal is threatening to close my non-existent account.

Many scam emails are easy to spot – any message addressing me as a ‘valued customer’ is immediately expelled to the virtual bin. But, so-called ‘phishing’ attacks (messages that attempt to trick you into revealing personal or financial information) have become increasingly convincing.

Spotting a scam

For the first time, the Office of National Statistics has revealed the true scale of people hit by cybercrime and fraud showing that people are 20 times more likely to become a victim of fraud than they are of theft.

When we asked over 1,000 members of the public if they could spot the difference between real and spoof emails, we found that many people were fooled by more sophisticated scams.

A quarter of them fell for a fake BT email asking customers to update their email addresses – the links embedded appeared as ‘bt.com/ linkemail’, but in reality these led to a bogus web page where scammers could potentially steal their details.

An Apple iTunes message asking recipients to confirm a specific purchase split the public right down the middle: 50% correctly identified it as a phishing attempt, but the rest were either unsure (27%) or convinced that it was a real message from the company (23%).

The public were on the ball when it came to a ‘NatWest’ email though, which 79% correctly identified as a fake. And a ‘PayPal’ email which 74% recognised as a scam.

However, in both cases a handful of people were duped by the forged sender addresses which appeared to come from the real companies. If they’d fallen for these messages in real life, they might have handed scammers everything they needed to commit ID fraud – or even raid their bank account.

Test your scam spotting skills

So how do you think you’d fare at spotting a scam email, why not put you scam spotting skills to the test in our quiz.

How did you do? The truth is it can be tricky to spot some scams as some can be very sophisticated and convincing. Fraud has reached record levels costing us £9bn every year. That’s why we’re calling on the government to take action and ensure businesses are doing enough to help safeguard us from scams.

So have you come across any dodgy looking emails recently? What did you do with them?


Is that quiz in the above Convo for real ? .I labeled them all fake , it said 3 out of 7 but some got passed you ?? Really ?? NONE got passed me , I pass myself 100 % safe . Because some were real you judged them as allowing fake ones to pass through -wrong ! . Thats twisted logic . For the record —its been many years since I let an bad email through–scammers/ rip-off emails / phishing emails etc . In the early days of Internet use –yes but now I can not only see them as fake , I can smell them as fake, Look at the URL for a start and there are other ways to see if it is genuine or not.

tim says:
24 July 2016

Fully agree, Duncan. I’ve just failed the first example(by marking it as fake). But the loss for marking a real email fake is minimal compared with the other way round. And the test emails did not allow you to test where they’d come from or where the reply would go. OK as consciousness-raising exercise, but must be marked down heavily for not taking into account relative risks!

Marilyn Smith says:
28 September 2016

Lucky you – after the first one all I got was black, blank pages!


Marilyn – do you have any security plug-ins relating to java script or other types ? I have disabled two of mine on Which otherwise I would have big problems .


I agree with Duncan. No responsible company should be expecting us to click on links in emails. The only safe advice is to ask us to look up the contact details of a company (or other organisation) and contact them. I have not been scammed and don’t expect to be.


I managed 6/7, but a couple I put as real i was nervous about because they contained links. I ignore any links in an email and go direct to the site, either through a web search or, it is my bank etc, through the link I have stored. You never know whether a link purporting to be an email response, or an opt out, is what it says. (Well, experts no doubt know looking at the URL, but most won’t I suspect). We should encourage institutions that may make us vulnerable not to use links.


URLs can be spoofed, just like email addresses. Many of the links don’t even show the URL, just a button or highlighted text. This has been known for years and it needs more than encouragement to address the problem.

Which? should not recommend any company that fails to take security seriously.


wavechange – email URL,s can still be spotted even if they block you by “boxing” part of it and adding > which stops you getting the full URL . As a matter of fact (BT are you listening ) a persistent guy is still trying this out thinking i am stupid enough to to click on porn etc . Never going to happen ! but it shows up Critical Path very badly.


For a deeper analysis , for those unsure of whether to click on a website go to -scamadvisor.com and urlvoid.com , input the website and they will let you know if it is legit or not . Both of those organisations are of long standing and good reputation on the web.


Rather an idiots quiz. I spotted all the possibly true and all of the fakes. However as I have no relationship with the banks and organisations mentioned that were true the correct response is do not click on them at all as for me they are fakes.

Given I always have the email send address and everything else open in my browser I always check this info.

If one does not have this info open, or if it does not appear on smartphone screens I can understand more why people might be conned.

Incidentally because I also have a No-script script blocker open by default I could not see the quiz at all. Perhaps Which? ought to mention that you need to reduce protection to see the quiz.

In case you wondered there seems to be 16 active companies on this page other than Which?. Google featuring prominently.


Diesel I didnt want to be impolite with Which so I mentioned the number of trackers here I didnt make a big issue of it as I have made “concessions to Which and WordPress in that they allow me to post as I am a bit radical and WordPress is actually used in some US radical sites I post on , so I think it has a Liberal attitude when compared to fox news CNN and a whole host of US websites where I was banned right away . I have 429 trackers blocked on Privacy badger , except wordpress but I have blocked all the Google trackers you talk of . There are 45 Google trackers blocked but only a much smaller number apply to here . Like you I have NO Script but in another obligement to Which I labeled it safe (white listed ) which allows me to use the quiz . Diesel I wouldnt be too harsh with Which there are much ,much worse websites on the Internet. I also have two other comprehensive blockers that are even better than some anti-virus companies when blocking bad URL,s and virus websites as well as HTTPS everywhere + clean links . Yes it slows Firefox down and some sites look text only but I can live with it for safety.


The quiz software is developed by a company called Riddle. On the other cookies – all the Amazon URLs relate to our server as we use Amazon Web Servers, based in the EU, to keep the website up for you to access. Google Analytics is how we track the traffic to the website, which pages are visited and where the traffic has come from. DoubleClick relates to the panels you sometimes see on the right-hand side, showing our nuisance call reporting tool for example. I hope that explains what those are.

If you’re interested to read about our cookie policy, you can here: http://www.which.co.uk/privacy-policy/cookie-policy

And I hope you found the quiz fun nonetheless – we’ll post the statistics on how everyone is doing at a later date 🙂


Too easy 7/7.

So to getting scam emails, I guess my provider does a good job of blocking 99.999% of them, although they do tend to block a fair number of legit emails too.

I do hate it when companies embed links in emails but use different words to hide the actual URL. Hello, that’s exactly what scammers do. Banks etc should be banned from doing it, so at least, the scam emails will be more obvious to spot. They should also be banned from routing through ad mailers website too for the same reason.