
Sneaky scam emails claiming to be from your bank


Two thirds of Which? members have had a scam email falsely claiming to be from a bank or social network. Are scam emails clogging up your inbox?

I have plenty of dodgy emails clogging up my junk email inbox – not just offers for Viagra, but also emails claiming to be from my bank. Sometimes I even get scam emails from banks I’ve never banked with before!

It turns out I’m not alone. More than two thirds of Which? members have also received emails purporting to be from a financial institution or social network.

So which financial institution is most often impersonated by fraudsters? That dubious accolade goes to Barclays, with more than a third having received an email claiming to be from this particular bank. Other institutions impersonated include Lloyds TSB, Santander, Halifax and HSBC. And just over 10% have had a scam email claiming to be from Facebook.

Spotting a scam email

Bank email scams often say there’s a problem with your account, and ask you to update your bank details, either by email or by clicking on a link. Hyperlinks or attached files can also be used to infect your computer with malicious software.

You should never reply to an email that claims to be from your bank, or click on suspicious-looking links. We’ve also put together a gallery of example phishing emails sent to Which? employees – have a look to ensure you’re not caught out.

You need to look out for inconsistent and emotive wording, anything that creates a sense of urgency to respond (eg that you must review your account within 12 hours), or any claim that clicking a link will help verify your account immediately.

Reporting a scam email

So, now that you’ve spotted a sneaky scam email – what’s next? It can be difficult to know who to report them to.

If you’re the victim of a mimicking scam, where fraudsters pretend to be from a genuine company, it’s worth contacting the company that has been mimicked. This will allow them to take steps to prevent others falling victim. It’s also a good idea to report it to Action Fraud, the UK’s national fraud and crime reporting centre.

Have you ever been sent a scam email claiming to be from your bank? If so, which bank and what did you do about it?


I send all my spam to Spamcop. Most of it does stop after a while.
Spammers are now using link shortening sites like Twitter (http://support.twitter.com//entries/109623) and Yahoo (http://y.ahoo.it/) to create one-off links to their websites. As there is a different link in every spam email, they are not picked up as habitual spammers.
Twitter and Yahoo need to do a lot more to stop these spammers, especially as they are sex/teen/video related and could end up on kids’ computers.

The big issue here is that many legit companies quite often use the same tactics, which is why it’s easy for scammers.

Companies should be made by law to have any routing / tracking done of their website and not a 3rd party. I for one refuse to link on links in emails if the words say one thing and the link says something else, regardless if it’s scam or not. The only losers there are the legit companies using scammer friendly tactics.

Funnily enough I did do an e-petition for that as well, but it got nowhere 🙁

A prime example was the Which? Big Switch emails, where links were routed via a .nl web address and not as the words stated. I did ask Which? to change this but got nowhere 🙁

I received one from NatWest; not my bank, but went to their website and immediately found a reporting email address – phishing@natwest.com . Good for them. I then had one purporting to be from Barclaycard but could not find any means of easily reporting it on their site, so gave up.

Malcolm R – there is a very useful list on the BankSafeOnline website. Have a look at

Barclays is at internetsecurity@barclays.co.uk

These turn up from time to time [often in clusters with similar origination codes]. Mostly they are for banks where no account is held and are so badly contrived they give the game away in an instant. Occasionally, they look good enough to be authentic, especially if it relates to your own bank, or you have never seen one before, or you have concerns over the (fake) warning of “irregular activity on your account”.

My bank always includes my postcode twice in any of its routine communications or newsletters as a form of reassurance – a scammer would not have knowledge of that. It also has a reminder on its online banking system that it will never ask customers by e-mail for personal information and also warns about e-mail scams recommending deletion without opening any links. Personally, I would not even forward a scam e-mail to a bank’s internal security section for fear that any such action could trigger a malware incursion; unlikely, perhaps, but I am cautious.

One bank I had an account with some time ago was trying to make its messages to customers more informal in style; it was so successful that at first I thought it was a scam. I asked the bank to adopt a more correct use of language and grammar, with slightly more complicated sentence construction and paragraphing. The bank did make their communications more formal and less easily mimicked.

The publicity and warnings about e-mails purporting to come from banks seem to have led to a reduction in such scams. A more recent trick is to pretend that a FedEx or UPS delivery has failed and you need to contact them with account details for verification purposes. This plays on the likelihood that most people seem to be expecting an on-line purchase to arrive but don’t know which company is the carrier. I would say never use e-mail to contact a parcel carrier – they’ve already got your name and postal address and there’s no point in also letting them have your e-mail address. There is always a phone line and anyway it is easier to sort out a delivery over the phone.

I don’t fall for the old bank routine, as I know they would never email me requiring a response.

I also have a unique email address for my important commercial contacts, e.g. barclays@[myurl].co.uk. If an email purporting to come from my bank is received with my personal email address, I can be pretty sure it’s a fake and some social contact has been careless with their address book, or even another commercial organisation who should know better than to let their customers’ email addresses fall into the hands of fraudsters.

If I have any doubt about the authenticity of an email, I right click and select View source. If you know what to look for, you can check the real URLs behind the clickable links and other tell-tale signs of a fake.

It’s amazing what you can find sometimes. If you View source on this Which? Convo page, someone has taken the time to draw a picture of a nice pterodactyl. Clearly the web programmers at Which? have time on their hands … . 🙂

And there was me thinking it was an albatross. Thanks Em.

For those who don’t know what to look for in mail headers, here is a simpler solution. Copy and paste some of the text from a suspect email into Google and you are likely to find that you have received a well known scam email. If in doubt, phone the bank and ask.

Surely an albatross belongs in the Conversation on two-pin plugs, but that has the pterodactyl too. 🙂

Only just spotted your comment Em, but glad you enjoyed our dinosaur. We call him Terry the Pterodactyl.

I got 1 from Google saying I had won a large amount of money. They even used 2 people’s names who are top directors of Google, so I just played along with it and gave all false info so they could waste their time. Think I will e-mail Google and send them the e-mail.

I need some clarification on the following:

“If you receive a scam or phishing email, report it to the internet service provider (ISP) that was used to send you the email.

If the email came from a Yahoo! account, send it to abuse@yahoo.com. Gmail has a ‘Report spam’ button and Hotmail has a ‘Report phishing’ button.”

If I receive a spam email originating from a Yahoo email address I can just forward it to abuse@yahoo.com. If the email is from a BT, Google, Hotmail or other account I’m not going to log into their systems to find a button. I wish to deal with it from my email account and forward it to a spam reporting email address for that ISP. What are the other ISP reporting addresses?

Figgerty – that does seem a little odd and if you are looking at http://www.which.co.uk/consumer-rights/action/how-to-report-a-scam/ then I read it in the same way that you have.

I think that what Which? meant to say was that if you use Gmail and you receive spam, you use the ‘Report Spam’ button in Gmail, or if you use Hotmail you use their ‘Report Phishing’ button.

i.e. you report through your own email provider (not an ISP as the guidance states), rather than having to negotiate the systems of the sender’s displayed ISP – which may well be fake anyway.

After all, what spammer worth their salt would want spam traced back to them easily?

Could Which? please clarify what they actually suggest?