
Could you be doing more to protect yourself from fraud?


Fraud is at record levels in the UK – but have you considered what more you can do to protect yourself from it?

The latest stats from the Office for National Statistics showed that an estimated 5.6 million people were victims of fraud or cybercrime last year. In particular, identity fraud continues to be a big problem – according to anti-fraud body Cifas there were 173,000 cases last year, and that’s a record high.

While fraudsters are constantly updating their tactics, there are some simple steps you can take to lower your risk of becoming a victim of fraud.

Fraud risk

We recently asked more than 1,800 Which? members about their online and offline security. We found that two thirds of them use the same password across multiple accounts, increasing the risk of getting their accounts hacked.

More than one in four of them are also on the open electoral register, which means their details are publicly available, and just one in four check their credit report at least once a year.

Using other risk factors, such as personal information shared on social media accounts and using up-to-date antivirus software, we calculated a fraud risk score for those members. What we found is that a sizeable chunk of them had a medium to high risk of fraud.

So we’ve created a quiz to help you identify your fraud risk and take you through a number of things you can do to help to protect yourself.

Bank transfer scams

Even so, these measures won’t guarantee you’ll never get scammed and lose money. Fraudsters’ tactics are becoming ever more sophisticated, particularly when it comes to bank transfer scams.

As part of our scams campaign we asked people to share with us their experiences of losing money to bank transfer scams – hundreds of people told us stories of how they, or someone they knew, have collectively lost over £5.5m due to bank transfer scams.

Unfortunately, should you become a victim of a bank transfer scam then you have a slim chance of getting your money back. That’s why we’ve been calling for banks to step up to the plate and do more to protect their customers.

Some of you will recall that in September 2016, we issued a super-complaint to the Payment Systems Regulator about how banks were dealing with bank transfer scams. The regulator stopped short of making banks take on greater responsibility, but it did agree that not enough is being done and asked the industry to make improvements.

We’ve not yet seen many changes from banks, so we’ll be keeping up the pressure and continuing to call on the banks to do more to protect their customers.

Do you think you’re doing enough to protect yourself from fraud?


“Do you think you’re doing enough to protect yourself from fraud?”

I could do more but I only have one life and perfecting fraud security is a rather futile pursuit for an individual.

What I can do is make sure I am alert to the latest scams by reading “theregister” and “thehacker” and exercising caution when dealing with new approaches by mail, email, and in person.

Crooks have always existed and everyone can be gullible. The problem now is that people are open to far, far more scamming as prints and email are so cheap. We also have had the rise of charities and businesses selling consumer details to make money for themselves.

And then the incompetent companies hacked because they scrimp on back-end costs such as security for the benefit of headline profit figures and resulting bonuses. The personal liability of the Board and the CEO in these matters might focus minds on more robust protection.

In the infamous case of pharmacy2U, punished so leniently by ICO and so ignored by the consumer magazine Which?, scammers were able to select the type of target, gender, age, contact details, illness, from a shopping list provided by an NHS approved on-line pharmacy. It remains on the NHS list.

So when you think what more can I do to protect myself just bear in mind the penalties for selling details are laughable in the context of the misery that those on the sold list might suffer. Therefore I would be asking my MP, and the NHS, and my long-supported consumer group why nothing substantive has been done.

In this particular instance the BMJ and the Pharmacists body would be supporting you all the way. NOT revealing patient details is a cardinal part of the medical creed and yet ICO felt a fine of just over £100k was punishment enough. And the NHS not a whimper. However one of the shareholders in pharmacy2u is a relatively big wheel in software for the medical market. I drew no conclusions from this. You may.

I would publish a list of on-line pharmacies to balance up the media exposure that made pharmacy2u so memorable. It is memorable for the wrong reasons but within a few months the name had been engrained in some of the public’s mind and the reason why forgotten.

I have been saying for a long time that it should be illegal to sell personal data.

Pharmacy2U… hmmmm…..

There is a suggestion that there is a link between P2U and GPs’ computer systems because as soon as GP surgeries upgraded to EMIS software, their patients got flooded with leaflets.

You can read other comments on here:

I got another P2U leaflet in my last Ocado order and it is very misleading printing the NHS logo in the corner as it looks like it comes from the NHS.

I mentioned theregister and almost daily one sees worrying examples of commercial greed and stupidity as in today’s batch. The first one is unbelievable as it could involve physical endangerment:

And then Hotpoint [owned by Whirlpool] seems to have felt securing a customer facing website was not really worth the effort.
“As spotted by Netcraft, fake Java update dialogs started appearing on Hotpoint’s UK and Republic of Ireland sites this week. If you click “Install” you won’t be updating Java, you’ll be firing up obfuscated JavaScript that Hotpoint did not place on its site …
That payload won’t do nice things to your endpoint and may expose you to attacks like drive-by malware or phishing.
Netcraft says the source of the problem is almost certainly Hotpoint’s WordPress installation, and notes that the content management system “is notorious for being compromised if both it and its plugins are not kept up to date.”
The website in question – hotpointservice.co.uk – is a fine target for crims because it’s suggested as the place to register new products. …”

I was going to post a picture of the P2U leaflet on Tinypic but got a “Sky” survey instead where I would be offered a choice of 4 rewards worth around £60 for taking part.

A search on the “Sky” survey revealed the rewards would be a freebie that you paid postage on but at the same you would probably be signing up to a monthly subscription of the product, a fraudulent way to get you to buy.

You can read more about it here:

I could do a lot more, however the question that should be asked is am I able to. The answer being no.
I currently identify half a dozen scam sites a day, yet I am not in a position to get them taken down. I don’t run Facebook so again I’m limited by their shockingly ineffective reporting tools.

Here’s how I’m helping tackle fraud; the screenshots taken from Trading Standards’ Twitter feed were supplied by me. (I didn’t do the annotations.)


That’s a very good point William and precisely why we have our campaign. Raising awareness of these scams is really important and it’s great to see that you’ve had a hand in highlighting those supermarket coupon scams. We see these a lot and share them on our social media pages to warn people about them, we have run a few convos on these too. Don’t forget that you can report scam sites to Action Fraud too https://reportlite.actionfraud.police.uk/

I get regular emails to win 100GBP vouchers for different supermarkets (win a 500GBP Asda voucher actually today), many from dailyworkoutguides, for completing a survey. Why should someone give you anything unless you give something in return – whether it is personal details or worse? As in fake on line purchases at much less than the normal price, ask yourself why. In most cases greed overtakes common sense and in taking a risk you need to accept the negative consequences. Unfortunately many do in the hope they’ll win, but then do not like accepting those consequences. Best bet is to play safe; if you are not certain of the sound basis of the deal then avoid it.

Action Fraud didn’t seem interested, however Trading Standards did so I email the examples via http://www.tradingstandardsecrime.org.uk/contact/

One thing I would like is to be able to report such scams via social media where they’re happening. I’m also trying to get Trading Standards to better highlight these scams on Facebook as they seem to focus mostly on Twitter.

I was talking with a colleague yesterday about how many people tend to believe things, if they are told what they want to hear. Our technical term for this is “confirmation bias”.

Down the years, I’ve seen a number of business investment projects and merger deals go down the swanee because enthusiasm for the deal (which some might call corporate greed) has overridden contrary advice from naysayers (that ultimately turned out to be sound).

As the proverb says, you can fool some of the people all of the time, you can fool all of the people some of the time, but you cannot fool all of the people all of the time.

‘Confirmation bias’ is seen by many as a growing threat to democracy. It certainly seems to have helped a person whom leading Psychiatrists fear may be seriously mentally ill to get elected to the highest position on the planet.

Indeed it has been said that democracy is the worst form of Government except for all those other forms that have been tried from time to time…

As I suspected, my internet security software will not allow me to participate in the W?C fraud risk quiz unless I override script blocking for the web pages involved.

Always beware of Greeks (or geeks) bearing gifts. Try not to fall prey to trojan horse scams…

Further to this thread, and other recent discussions, I’ve just noticed the following gems at the foot of page 7 in a certain monthly magazine:

“Microsoft has stopped providing security updates to Windows Vista, so it will no longer be safe to go online with a Vista PC”. I think this advice has been “dumbed down” to the point where it no longer presents all the facts properly. As evidenced by this Convo, I would argue that it has never been absolutely safe to go online with any PC, irrespective of its OS. Obviously, using a supported OS ought to be safer than using an unsupported one, but the inference that the only step one needs to take to stay safe on-line is to use a supported OS is incorrect.

“You could install Linux – but your only support will be internet forums…”. Again, I think this advice has been “dumbed down” to the point where it no longer presents all the facts properly, so I don’t think it’s a fair comparison. The majority of Linux software versions are supported by the companies that produce them, just as other OSes are.

Anyone who owns any PC also has the option of paying for support from local computer specialists, some of whom will be capable of supporting Linux.

Also, whilst not absolutely invulnerable, Linux is inherently much more secure than Windows – because it cannot run malware in the form of old-school executable programs that are targeted against Windows PCs. Having said that, modern malware that runs within web browsers, will run under any OS, if appropriate browser security s/w is not enabled.

My experience to date is that some Vista PCs are supported under Windows 10 – but many aren’t. Of those that aren’t, I have not so far encountered one that I couldn’t upgrade to Linux.

Has Which never heard of Linux? It seems to think that the only two operating systems are Windows and Apple. I don’t have an anti-virus product because Linux is a far more secure system than Windows and so does not require one (and they are not available as far as I know!). Criminals do not write viruses for Linux as that would be extremely difficult, they are not clever enough and the market would not be large enough for them to be profitable.

Sadly not true. Both Sophos and Comodo do anti virus packages for various flavours of Linux. Linux/Rst-B or Troj/SrvInjRk-A are all known Linux viruses and Linux server distros have almost 40% of the market share, while they hold a near-monopoly on supercomputers, making them attractive to baddies. Troj/JavaDl-NJ, BTW, is a cross platform nasty that can run on both PCs and Linux.

The criminals out there are targeting Linux and Mac OS in the same sorts of ways; neither system is immune to viruses, although the chances of infection on both are very slim. But they exist and complacency simply isn’t an option.

This comment was removed at the request of the user

Which? does now acknowledge the existence of Linux for home use, but hesitates to recommend it for homes lacking easy access to enthusiast and/or expert local advocates.

As Ian says, viruses can be targeted against Linux (and against virtual machines, such as java, that may run on Linux, e.g. in web browsers).

Linux is probably the most commonly used OS for servers, so attacks tend to be targeted there, rather than towards home users. As evidence of that, I’ve seen (and suffered) more malware attacks on Windows PCs than on Linux.

Last month, I experienced my first example of a successful malware attack against a family Linux PC. It was “only” a moderately annoying browser hijack, and it was easily removed (by sledgehammer methods). It could never have affected more than the user’s home space (because she can never remember the root password). But, nonetheless, there it was.

From a system architecture viewpoint both Linux and Unix are inherently more secure than Windows. For home use, Android and ChromeOS are effectively locked down versions of Linux maintained by Google, while OSX is effectively a bespoke version of Unix maintained by Apple.

I believe customer choice is important for consumers. Linux is not going to be everyone’s OS of choice. Firstly, if you are happy to spend “loads of wonga”, then paying for Apple products arguably gives a better version of the same sort of thing. Secondly, whilst freely available, Linux is not an exact replacement for Windows, so it may not meet everyone’s expectations for what a PC OS should be.

In a similar fashion, Windows 10 is also not a direct replacement for the likes of XP/Vista/W7 because it significantly changes the business proposition on which the OS is provided to the consumer.

I’m not a W10 expert, but in effect, I believe that W10 does not allow you to refuse system updates and effectively requires you to allow M$ to monitor all your activities, so there is a significant change to your “digital rights”. Many won’t mind that, but some will, and may “upgrade” to OSX or Linux as a result.


Tom Bramble says:
22 April 2017

Like most people I get a number of phishing emails over the course of a year. Most are instantly recognisable as such but one suggesting I’d applied for a Dorothy Perkins credit card looked almost genuine and appeared to come from a credit card company with which I have an account. On closer investigation I concluded that this was a scam, but I decided to let the credit card company know what was being done in their name. I was asked to write enclosing copies of the emails. No acknowledgment, no reply, nothing. Doesn’t encourage us, as consumers, to help detect and prevent this kind of scam.


I am 77 and, for my age, reasonably computer savvy. But I don’t really understand words like phishing and Trojans. When they are explained I instantly forget. I try hard to use different passwords and I don’t use public wifi to do my banking. But I would like to be able to bank using my iPad, but daren’t. Your recent articles about fraud, scams and security make me panic somewhat and I really try to do something about it all. I understand some of the text of your guides but still feel that it is mostly understood by those who already understand! And I am left with the feeling that the world is after my details and my money. I’m sure I am not alone. But what can I do about it?


It is quite amazing that banks aren’t forced to refund the full amount of any fraudulent transaction that takes place through an account in any of their branches. They should be held responsible because they should know their customer.

Anyone can commit fraud. They don’t normally advertise their intent. If people lose money through greed, carelessness or doing something they are not competent to do, then I do not see why my money (that is what the bank’s money is) should be given back to them. On the other hand, if a bank has been incompetent, negligent, knew the fraudsters were operating an account with them then they should be (and probably are) liable. The danger with recompensing everyone who loses money to fraud is they will have no reason to use their common sense in future.