Be Fraud Aware: Learn How to Spot Phishing, Smishing and Vishing Attempts

20o October 2022

From Paypal account updates to HMRC tax refunds - criminals are finding new ways to access our sensitive information through phishing every single day. And with many of us working from home and completing more activities online than ever before, it's important to be able to identify a fake message. This blog helps you do just that.

Phishing is one of the most common ways for scammers to get the information they need to commit fraud. According to the Telephone-operated Crime Survey for England and Wales (TCSEW) April 2021 - March 2022, 50% of respondents had received a possible phishing attempt through email, text or social media in just the previous month. In fact, of those who reported having received a phishing attempt, 54% were from scammers pretending to be delivery companies, 32% posed as financial institutions such as banks and 29% claimed to be e-commerce brands.

What is Phishing?

Phishing is a common tactic criminals use in an attempt to collect sensitive and/or personal information to commit crimes such as identity theft, fraud and to access things like bank accounts.

Many of us may associate phishing with email communications. Email phishing is when fraudsters send out emails, pretending to be a legitimate and trusted business, like your bank, to access your personal information by prompting you to complete an action. These actions may be clicking on a link, sharing personal information or downloading a file that contains some kind of malicious software.

However, phishing isn’t just malicious emails - as fraudsters are becoming more sophisticated, so are their phishing methods. Fraudsters are also using Text Messages (Smishing) and Voice Calls (Vishing) to collect your details in similar ways.

What is Smishing?

Smishing attempts have the same goals as phishing but use text messages to collect personal information. Like email phishing, these text messages are made to seem like they're from a trusted business or organisation. The messages often include a prompt to send your personal information in a reply, or a URL to a fake website or malicious software.

What is Vishing?

Vishing is exactly the same thing but is perpetrated over the phone. In many cases, scammers can make it seem like they're calling from a reputable company or organisation. If you pick up the phone, you may be talking to a real person or a pre-recorded message.

These calls might also try to make you say certain things out loud like your name or 'yes'. The scammers will then record you without letting you know so that they can use your voice recording to impersonate you at a later stage.

Common email phishing campaigns

In July 2022, consumers reported receiving phishing emails impersonating PayPal, claiming that their account was suspended with a link to log into PayPal to activate their account. Consumers who logged into their accounts through this link were unknowingly giving away their PayPal login information to the scammers by entering this into the fake website. This kind of phishing, where victims are directed to a fake website is an example of both URL phishing and domain impersonation phishing.

Spear phishing

In most phishing cases, fraudsters are sending out automated messages to target a large group of people. These often impersonate larger and well-trusted companies and organisations such as The UK Government, NHS, high street banks or companies like PayPal. But this isn’t always the case. Spear phishing is a personalised phishing attempt that targets specific individuals or groups using information gathered about them online (such as your own social media accounts). In these cases, the criminals research their targets to seem as legitimate as possible. They might impersonate your bank, a family member or a business you've been in contact with previously.

Common smishing campaigns

Although not as prevalent as email phishing, smishing continues to be a threat to the UK public.

In May 2021, 61% of respondents to a Which? survey reported that they'd received a smishing attempt from fraudsters posing as a delivery company within the last year. These texts might tell you you've got an unpaid shipping fee and to click on a link to pay the fee, or they might send you a malicious tracking link.

Another common type of smishing campaign is messages that look like they're from your bank. They might ask you to click on a link to log into your bank account or update your personal details through a link. By providing the sensitive and/or personal information, the fraudsters are then able to commit crimes such as identity theft, fraud and to potentially access things like your bank account.

Common vishing campaigns

HMRC warns against automated calls that claim that HMRC is filing a lawsuit against individuals. As HMRC is a well-known and trusted government organisation in the UK, most individuals will have some kind of relationship with them and are more likely to trust them. These calls may also claim that you owe tax, are owed a rebate, or that you're eligible for some kind of financial support. The call might prompt you to verify your NI number, your bank details or similar.

Other tactics fraudsters use through vishing is claiming they need access to your device. They might claim to be from your device company, such as Microsoft, and need access to your device to fix a device issue. During the call, the fraudster will guide you through downloading a Remote Access Software and then take control of your device once you've downloaded it and given them access. Through your device, they're able to gather personal information and passwords and access sensitive accounts. Remote Access Software related scams are becoming more sophisticated as they claim to be from reputable sources such as your phone company or an investment company. BBC’s Rip of Britain Series 14 Episode 14 focused on this type of scam, which you can watch on BBC iPlayer.

Top 5 tips on spotting a phishing attempt through email and text messaging:

1. The message includes pressure tactics:

A common tactic used by fraudsters is Social Engineering - this involves different types of manipulation tactics that may influence the victim to do things they usually wouldn't, such as providing sensitive information.

The fraudsters might try to frighten or rush you by claiming that you've been a victim of a crime, owe taxes, won a prize, or something else that needs immediate action. They may also give you false warnings about what could happen if you don't take immediate action.

In the majority of cases, businesses that are genuine will avoid alarming their customers to take immediate action. If you think it might be a legitimate message, get in touch with the business directly through their official contact channel on their website and confirm if they've sent the email/text message.

2. Check the sender's email address and phone number:

Fraudsters are often able to conceal their actual email addresses and phone number, which is why it’s important to get in touch directly with the company they’re claiming to be if you have any doubts.

If you're not sure if an email is legitimate or not, there are some things you can look for. For example, the email address might look correct at first, but on closer inspection you might notice that a vowel is missing, two letters are swapped around, or the domain name is a little different to what it ought to be. If you're unsure, it's best to delete the email and contact the supposed sender through official channels that you trust.

For text messages, many phone companies offer further protection by flagging some messages as possible scams. If the message isn’t flagged, but looks suspicious, get in touch with the organisation through their stated contact channels and ask them if the text message is legitimate.

3. The contact is unexpected:

Chances are that if you haven't ordered a package, any messages asking you to pay or click a link for delivery are a scam.

If you're expecting a package or any form of contact, go back to the original order confirmation, contact or website to confirm any deliveries and additional actions.

4. They’re asking for personal information:

If you receive an email or phone call from someone you don't know asking for personal information, be wary.

Make sure you’re verifying that you’re speaking to the right people through a secure channel. And if you’re still unsure, get in touch through the organisation’s listed contact method on their website.

5. The message includes suspicious links or attachments:

If you receive an email with suspicious links or attachments, research before clicking the link or opening the attachment.

It's important to be careful when opening email attachments or links, even if they appear to come from a legitimate sender. These could contain malware or viruses that can harm your computer. If the message is unexpected and looks suspicious, don’t click any links or download attachments, report the email by forwarding it to your email provider or the National Cyber Security Centre at [email protected] and delete the message.

Top 5 tips to stay safe from vishing attempts

1. Be suspicious of unsolicited calls from unknown numbers. If you don't recognize the number, don't answer the call or respond to the text. If it's a legitimate call they’ll most likely leave a voicemail or contact you again.

2. Use a caller ID app to filter out potential scam calls. However, be aware that callers might make their caller ID look like it’s legitimate through ‘number spoofing’.

3. Stay alert whenever you're talking to someone over the phone - particularly if they're presenting themselves as someone official. Hang up if the call seems suspicious.

4. Don’t give away personal information to anyone who calls you. Banks will ask security questions, but to know you're talking to your bank, hang up and find their official contact number before giving security answers and details. Your bank will also never ask you for details such as your password, PIN number or request access to your personal device.

5. Don’t give access to your personal device over the phone. With the increase in Remote Access Software scams, fraudsters may attempt to convince you to grant them remote access to your device through a call.

What to do if you think you’ve received a phishing message:

It’s important to report suspicious messages and calls as soon as possible. Doing so will help put a stop to the activity and help protect others from becoming victims of phishing attempts and future fraud.

You can report phishing, smishing and vishing attempts at the National Cyber Security Centre.

Additional reporting sites:

Action Fraud
Citizens Advice
Financial Conduct Authority

Useful resources:

For more information, visit these useful websites to find insight and advice on fraud and how to defend against it:

Take Five
Action Fraud
Victim Support
Get Safe Online
National Cyber Security Centre
No More Ransom

The risk of being a victim of a phishing scam isn't always so obvious. The best way to protect yourself is by being vigilant, as well as educating others on the subject. After all, no one wants to be a victim of a crime that they didn't even realise existed.

Like most things, the best defence against phishing scams involves taking a little time to know your enemy. By knowing the source of your emails and phone calls, their potential methods and taking the time to read through your emails and texts thoroughly, you can better spot when they're trying to fool you — and prevent someone you know from being tricked into giving up their sensitive information by reporting the attempts and stopping them before they get further.

Want to strengthen your fraud defence even more? Read our ten top tips on how to protect yourself from fraud.