
Could you spot a scam email?


The Office for National Statistics reports that nearly six million fraud and cyber crimes are committed every year, with one in ten people falling victim. So are you savvy at spotting scams, or could a fraudster fool you?

If I believed everything I read in my junk folder I would be the lucky winner of countless competitions I didn’t enter, apparently several banks need me to urgently confirm login details and PayPal is threatening to close my non-existent account.

Many scam emails are easy to spot – any message addressing me as a ‘valued customer’ is immediately expelled to the virtual bin. But, so-called ‘phishing’ attacks (messages that attempt to trick you into revealing personal or financial information) have become increasingly convincing.

Spotting a scam

For the first time, the Office for National Statistics has revealed the true scale of cybercrime and fraud, showing that people are 20 times more likely to become a victim of fraud than of theft.

When we asked over 1,000 members of the public if they could spot the difference between real and spoof emails, we found that many people were fooled by more sophisticated scams.

A quarter of them fell for a fake BT email asking customers to update their email addresses. The embedded links were displayed as ‘bt.com/linkemail’, but in reality they led to a bogus web page where scammers could potentially steal their details.

An Apple iTunes message asking recipients to confirm a specific purchase split the public right down the middle: 50% correctly identified it as a phishing attempt, but the rest were either unsure (27%) or convinced that it was a real message from the company (23%).

The public were on the ball when it came to a ‘NatWest’ email, which 79% correctly identified as a fake, and a ‘PayPal’ email, which 74% recognised as a scam.

However, in both cases a handful of people were duped by the forged sender addresses which appeared to come from the real companies. If they’d fallen for these messages in real life, they might have handed scammers everything they needed to commit ID fraud – or even raid their bank account.
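The two deceptions described above, a link whose visible text reads like one address while its target is elsewhere, and a forged sender that mimics a real company, can both be checked mechanically rather than by eye. The following is an added example, not code from the original article or from Which?: it parses a constructed message modelled on the BT lure, compares each link's displayed text with its real target, and compares the From address with the Return-Path envelope address. The message, its addresses and the domains example-mail.test and update-account.test are all made up for this example.

```python
# Added example (not from the Which? article): mechanical checks for the two
# email deceptions described above. Sample message and domains are constructed.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure modelled on the "update your email address" message above.
# The From address is forged to look like bt.com; the bounce address and the
# link target use placeholder domains (example-mail.test, update-account.test).
SAMPLE_EML = """\
Return-Path: <bounce@example-mail.test>
From: "BT Customer Services" <noreply@bt.com>
To: valued.customer@example.org
Subject: Please update your email address
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer,</p>
<p>Please confirm your details at
<a href="http://update-account.test/login">bt.com/linkemail</a>.</p>
<p>Or read <a href="https://www.bt.com/help">our help pages</a>.</p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_in_text(text):
    """Return the host if the anchor's visible text reads like a URL or bare host."""
    if not text or " " in text:
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def deceptive_links(html):
    """Anchors whose visible text names a different domain from the real target."""
    collector = AnchorCollector()
    collector.feed(html)
    found = []
    for href, text in collector.anchors:
        shown, actual = host_in_text(text), urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            found.append((text, href))
    return found


def sender_mismatch(msg):
    """Compare the header From domain with the Return-Path (envelope) domain.
    A forged From that mimics a real company usually still bounces elsewhere."""
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    bounce_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    if not from_domain or not bounce_domain:
        return None  # nothing to compare
    return registrable_domain(from_domain) != registrable_domain(bounce_domain)


def analyse(raw):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender_mismatch": sender_mismatch(msg),
        "deceptive_links": deceptive_links(msg.get_content()),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

On the sample, the link reading ‘bt.com/linkemail’ is reported with its real target on update-account.test, and the From address on bt.com is reported as not matching the example-mail.test bounce address. Both are heuristics: the domain comparison is a two-label approximation rather than a public-suffix lookup, and the From/Return-Path comparison is what SPF, DKIM and DMARC formalise, so where a receiving mail server has already recorded an Authentication-Results header, that verdict is the stronger signal.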

Test your scam spotting skills

So how do you think you’d fare at spotting a scam email? Put your scam-spotting skills to the test in our quiz.

How did you do? The truth is that some scams are sophisticated and convincing enough to be genuinely hard to spot. Fraud has reached record levels, costing us £9bn every year. That’s why we’re calling on the government to take action and ensure businesses are doing enough to help safeguard us from scams.

So have you come across any dodgy looking emails recently? What did you do with them?



tim says:
24 July 2016

Fully agree, Duncan. I’ve just failed the first example (by marking it as fake). But the loss for marking a real email fake is minimal compared with the other way round. And the test emails did not allow you to test where they’d come from or where the reply would go. OK as a consciousness-raising exercise, but must be marked down heavily for not taking into account relative risks!

Lucky you – after the first one all I got was black, blank pages!


I agree with Duncan. No responsible company should be expecting us to click on links in emails. The only safe advice is to ask us to look up the contact details of a company (or other organisation) and contact them. I have not been scammed and don’t expect to be.

I managed 6/7, but a couple I put as real I was nervous about because they contained links. I ignore any links in an email and go direct to the site, either through a web search or, if it is my bank etc., through the link I have stored. You never know whether a link purporting to be an email response, or an opt out, is what it says. (Well, experts no doubt know by looking at the URL, but most won’t, I suspect.) We should encourage institutions that may make us vulnerable not to use links.

URLs can be spoofed, just like email addresses. Many of the links don’t even show the URL, just a button or highlighted text. This has been known for years and it needs more than encouragement to address the problem.

Which? should not recommend any company that fails to take security seriously.



Rather an idiot’s quiz. I spotted all the possibly true and all of the fakes. However, as I have no relationship with the banks and organisations mentioned that were true, the correct response is do not click on them at all, as for me they are fakes.

Given I always have the email sender address and everything else open in my browser, I always check this info.

If one does not have this info open, or if it does not appear on smartphone screens I can understand more why people might be conned.

Incidentally because I also have a No-script script blocker open by default I could not see the quiz at all. Perhaps Which? ought to mention that you need to reduce protection to see the quiz.

In case you wondered, there seem to be 16 active companies on this page other than Which?, Google featuring prominently.


The quiz software is developed by a company called Riddle. On the other cookies – all the Amazon URLs relate to our server as we use Amazon Web Servers, based in the EU, to keep the website up for you to access. Google Analytics is how we track the traffic to the website, which pages are visited and where the traffic has come from. DoubleClick relates to the panels you sometimes see on the right-hand side, showing our nuisance call reporting tool for example. I hope that explains what those are.

If you’re interested to read about our cookie policy, you can here: http://www.which.co.uk/privacy-policy/cookie-policy

And I hope you found the quiz fun nonetheless – we’ll post the statistics on how everyone is doing at a later date 🙂

Too easy 7/7.

As to getting scam emails, I guess my provider does a good job of blocking 99.999% of them, although they do tend to block a fair number of legit emails too.

I do hate it when companies embed links in emails but use different words to hide the actual URL. Hello, that’s exactly what scammers do. Banks etc should be banned from doing it, so at least, the scam emails will be more obvious to spot. They should also be banned from routing through ad mailers website too for the same reason.

I erred on the side of caution and put the E-Bay one down as a fake. I am not familiar with how E-Bay writes to people so it was a right-side failure. I got all the others right after due consideration but was not happy with some of the genuine ones. I have written before about the sloppy use of language and casualisation of serious messages from commercial organisations and I have taken it up with companies to no avail. The E-Bay one was a good example of a bad communication and I was very disappointed by the NatWest one with clumsy language, an “&” in a sentence, and the command “logon” shown as all one word. Companies must write correctly and carefully if they want to distinguish their communications from the increasingly clever scam messages. Trying to be friendly in official communications plays right into the scammers’ hands with their love of contractions [“you’re”], exclamation marks, and false courtesies [“sincerely”] as it makes their text more plausible.

I agree with previous comments that there need to be much better safeguards before people are invited to click on links; my building society at least gets my name right and includes my postcode as a reality test. Not perfect, but it’s a start. I would prefer it if they wouldn’t send me marketing messages but if I unsubscribe I am concerned I might miss something rather important one day.

My bank ALWAYS addresses me by name; that’s why I said the NatWest one was fake. I studied them all for just a short time to make my decision about them. Take your time with all emails and, if in any doubt, ask someone else’s opinion or just delete. You must play safe with unexpected emails.

Can anyone tell me if smartphones only show limited source information? I get them exceedingly rarely and never from unknowns.

It seems very important that if more people are using their phones for banking [or is it using the smartphone more often?] then there must be high security levels and seeing the source is important.


jacqueline Dickinson says:
22 July 2016

If I don’t know the sender personally, I just delete every thing. If I miss something genuine, tough.



Is Which really telling us it is ok to click on a link in an email when we cannot be sure who sent it (first example re eBAY)? Surely that has to be incorrect advice.


Hello Bernard, thanks for your comment. The quiz is simply spotting the real emails from the fake ones. It shows how sophisticated some of these emails are getting.

Some of the real ones aren’t great. For example, the email from Natwest, although real, does not address the sender by their name. This is something all banks should do – we contacted Natwest who said they are going to update their systems to ensure this is done in the future.

This is why our scams campaign calls on companies to do better to protect their customers from scams.

If the NatWest email had been sent to ‘John’, some people could be taken in. Including the full name would be better, but some people have common names, for example John Smith. In any case, it is easy to find people’s names, judging from the amount of junk email and nuisance calls many of us receive.

I don’t mean to be rude, but please can you tell those who advise us about security that the only safe approach is not to click links, and if the email is from a company or organisation that you have dealings with, to look up their contact details and make contact with them. I wonder how many people could be scammed by following the well meant advice here.

Sorry Patrick – I realise you are only the messenger.


To be fair, the UK government consistently warns people not to click on links in e-mails and to check the authenticity of communications. I wish our banks would support the official advice and not include links in any of their customer communications. I feel that the standards in banking should be higher than in commerce generally. There are thousands of e-mails which contain links, for example the Which? Connect surveys that arrive every few days, and for convenience I do indeed click through to the survey. But then, I trust Which? and would be more hesitant with an unknown or irregular e-mail.

Graeme says:
3 October 2016

My bank would never contact me by Email. In the past they have sent a letter to me and asked me to verify the letter in my nearest branch before giving out any information. Now that’s what I call security

sue says:
23 July 2016

Several of the emails were from banks/companies I don’t deal with and would therefore have ignored. At least one was from a bank I do have an account with but they do NOT have an email address for me so I would have instantly have deleted it.

david raymond says:
23 July 2016

If in doubt call the “sender”

I think that this quiz is simply to highlight the methods used by scammers and raise awareness of them rather than a check on which banks etc you already use and familiarity with how they contact you. I got 6/7 right, the Pru one I got wrong by erring on the side of caution, on a matter of principle I NEVER click on a link in an email about ANY financial matters but go to the website via a stored link. On another matter of principle I NEVER disclose personal details on websites which I’ve visited as a result of speculative, unsolicited emails.
Occasionally I google email or web addresses to check out a company or email for a possible known scam before doing anything (except delete it) then if doubtful alert family and friends. Bottom line is you can’t be too careful but there are a lot of good things out there too and not everything is a scam so judgement, experience, knowledge and care are the order of the day.

I got 5 out of 7 but the last two I wasn’t sure about and said fake instead of real. I’d rather be safe than sure though.

Failed just one, Q3 Barclays. I totally disagree, Which?, as it states to log in online. If you log in online to any financial institution with that financial institution’s official link saved, and not the one in any e-mail, it’s then you would discover it’s a fake, and not from the example alone. Anybody agree/disagree?

I got them all correct except the NatWest one. Apart from “Dear Customer”, I would be suspicious of any communication that uses non-words such as “pre-advice” and “logon” instead of “log on”.

The NatWest example was very badly written and presented. I wonder how long that particular template has been in use without any competent person in the bank reviewing it. Rather worrying really. I should have thought it would be an internal protocol for any mail-outs to be submitted in draft to their fraud prevention team for clearance. In a sense it’s been an own-foot shooting exercise for them because many customers would have regarded it as a scam and disposed of it. Ideally, banks would not send out any customer messages by e-mail as it is all too easy for scammers to mimic the template for their own fraudulent purposes.

The cost of scams will to some extent be shared by other customers. Efforts to get companies and other organisations to improve the standard of their written communication has generally been effective, so perhaps we need to focus on security issues.

I don’t know how much fraud costs business, but employing someone competent to critically review all forms of communication is likely to be money well spent.

It is likely that the perpetrators of scams have accounts with the banks whose customers they attack so they can be up-to-date with the types of communication routinely issued and model their e-mails accordingly. In fact, they are probably ‘valued customers’ if their criminal efforts are successful.

7/7 right. Not such a stupid 82 year old!

Robert Harding says:
23 July 2016

Sorry Which? but I’m not impressed by your fake email quiz. You gave me 4/7 but didn’t observe that I spotted all the real scams, and classed 3 of the “genuine” ones as unsafe because a) you didn’t give me the chance to check their “from” addresses, b) they all contained links that I couldn’t examine, and c) no security conscious organisation should EVER present a link in an email. They should just say “log in to your account and check ….”. No-one should EVER click on a link in an unsolicited email. It annoys me that eBay is sending out that “check your details” email in that form, for example.

I agree with the principle of “No-one should EVER click on a link in an unsolicited email. ”

Simple rules like that can help keep us safe. If we have to stop and think, then we risk making errors that compromise our security.

I recently contacted my bank after a targeted but unsolicited call from them, which had asked me to confirm my identity by giving details such as my date of birth etc. I refused because it is poor practice to disclose any such details in response to an unsolicited call. When I refused, the caller hung up – which made it seem even more like a scam. My subsequent contact confirmed that it had been a genuine “marketing” call.

Hello Robert, thanks for the comment. Some of the ‘real’ emails weren’t great, so well done for being cautious. We’ve asked Natwest to ensure they use the customer’s full name, for example. I’ve also tweaked the end of the quiz to reference that you may have been extra cautious.