We’ve all been targeted by online scammers and the scams are getting smarter and more sophisticated. Top fraud expert Becky Holmes reveals what not to do.
Becky Holmes: “The number of different ways scammers have found to take our money is astonishing”
‘Gullible.” “Naïve.” “Vulnerable.” Even “stupid”. Too often these are the words used to describe victims of fraud. The fact is that anyone — and I mean anyone — can be caught out by a scam. And if you’re reading this thinking, “Not me, I’m way too smart,” then I hate to be the one to tell you, but you’re wrong.
Fraud works because fraudsters know what makes us tick. By exploiting our most basic human emotions, whether that be fear, excitement, greed or even love, scammers can empty the bank accounts of the most savvy among us. I know of CEOs, lawyers, doctors, detectives — even one head of fraud at a bank — who have been the victim of a fraudster.
The current fraud landscape is pretty bleak. The National Crime Agency estimates that fraud accounts for over 40 per cent of crime in England and Wales. The situation takes on an even more dismal hue when you learn that only 1 per cent of police resources are dedicated to dealing with fraud. The problem is huge and it’s very much on the rise.
You can blame technology in part for how quickly it’s all kicking off. Every day we use fantastical technology, the likes of which was entirely inconceivable not that long ago. However, all this magic at our fingertips comes at a cost: bad people have it too, and they can be abominably creative with it. AI can build a professional-looking website in no time at all, completely cost free. Which means that fraudsters can create duplicate sites designed with one thing in mind… to rob you.
The number of different ways they have found to take our money is astonishing. Some cases, like emotionally devastating romance fraud, can take place over months or even years, with the fraudster gaining the absolute trust of their victim and pretending to plan a life together. Others, such as investment fraud, can use elaborate cloned trading platforms and complicated cryptocurrency transactions. But there are also some clever scams happening in the UK right now that take mere minutes from start to finish, and we all need to be aware of them. Forewarned is forearmed. Apparently.
Before I look at some examples, it’s important to note that it isn’t just money that fraudsters want from us. Our personal details often hold even greater value than what they can get out of our bank accounts without us noticing. One reason that data leaks are so dangerous is that nefarious types can get their mitts on the personal information we keep private. With enough info, a fraudster can use your identity to get a loan, buy something on credit, apply for benefits and all manner of things that are great for them, but not so great for us.
I’m going to kick things off and confess to recently finding myself just seconds away from filling in my debit card details on a fraudulent website. How? It was really convincing, that’s how.
The unpaid postage scam
I am hopelessly addicted to the second-hand clothing app Vinted. It’s quick and easy, but my compulsion means that there is a steady stream of packages arriving at my flat each week. My “nearly gotcha day”, as it is known in our household, was a busy one and I was in full multitasking mode. I got a text, supposedly from Royal Mail, informing me that a parcel was on its way to me but the sender hadn’t paid the correct postage, so unless I wanted it to be returned, I’d need to pay the outstanding balance. It just so happened that I was waiting for something I really wanted for that weekend, so with a lot of huffing and puffing, but no caution whatsoever, I clicked on the link and got put through to what appeared to be the Royal Mail website. I filled in the reference number and was halfway through entering my debit card details when I stopped dead.
What was I doing? I have written two books on fraud and regularly speak at conferences about social engineering, and yet here I was, about to give away my card details without a second thought. So I checked the website address and saw that there were a couple of letters out of place. It was so subtle that it was virtually indistinguishable on my small phone screen. Aside from that, the website was identical. My £5 Vinted bargain very nearly cost me an awful lot more.
The unpaid parking fine scam
Fraudsters know that we are busy, and they know that we have to deal with life’s little annoyances. These catch us out because, like having parcels delivered, parking our car is something we all do regularly. Plus, if you’re anything like me, you’re never 100 per cent sure you’ve done what you’re supposed to when it comes to paying for parking, so the threat of getting a ticket is always hovering. The days of simply putting money into a machine and pressing a button to choose how many hours we want to park for are almost gone. We can now pay by phone, via an app or manually on a machine before leaving an automatic numberplate recognition car park. There is room for error, and fraudsters know this.
One of the most successful parking fine scams goes like this: the victim receives a text or email telling them they have an outstanding fine and if payment isn’t made immediately there will be additional fines, and their credit history may be affected. They are told to click on a link to an exact replica of the official parking fines payment webpage. They fill in their details and debit card details. As this is happening, the fraudster behind the fake website is copying these details into a digital wallet such as Apple Pay on a separate smartphone. The bank will send the victim a one-time passcode to authorise their card being added to a new digital wallet — a standard security feature. The fraudster behind the fake website is waiting for this and asks for that code, saying it is the authorisation code for the parking fine. Once the victim hands this over, the fraudster has the victim’s card details and an authorisation code from their bank to set up a new digital wallet on the new device, meaning they have the debit card ready to use from their phone. The fraudster could just use your money to buy stuff, but it’s much more lucrative to repeat this process many times and sell smartphones loaded with other people’s debit cards.
And while I hate to be the bearer of bad news, I’m going to be. Tactics like this aren’t just employed on parking fine scams; fraudsters can use tricks like this across any number of scams. Remember — just because they don’t make off with a lump sum immediately doesn’t mean they haven’t got exactly what they want.
The parking QR code scam
Speaking of parking fines … Fake QR codes — those funny little black and white squares that you scan, which take you through to a website — are popping up everywhere. Many are now used on parking meters to take you through to a site where you can pay for your chosen number of hours. However, fraudsters have found a way to turn this convenient payment method into a scam, and they have put stickers with fake QR codes over the legitimate ones or simply stuck them on a parking meter. I have been told of someone trying to park in Kew Gardens who experienced this. You scan a fake QR sticker, which takes you to a fake website where you submit your card details. They take your money, your personal details … and then you get a real parking ticket for non-payment.
The parcel stuck in UK customs scam
A BBC journalist, as worldly-wise as they come, recently ordered several medical testing kits from the US for her son. She received an email from Global Express (which she looked up to see was a legitimate international carrier) with a tracking number and status of delivery, saying a parcel was being held up by UK customs. It made sense as all the other tests had arrived except one. She clicked on the tracking link on the email and it took her to the DHL website telling her she had $1.99 in duty to pay to release the package before it was shipped and she had 48 hours to do it. She put in her Amex details and then was asked for an SMS confirmation code. She didn’t get one, so in a panic she put in her Mastercard details as well. When there was no confirmation for that either she went to the email on the contact page and when that bounced back she realised it was a scam and immediately cancelled her cards. But it was a horrible, time-consuming experience. Worse, she felt someone knew that she was waiting for an outstanding package and the DHL site looked so legitimate.
The debt recovery scam
These ratchet up the fear factor another notch. Last week a friend sent me a screenshot of a text she had received claiming to be from a debt recovery agency. It said she owed £235 and gave her a number to call and a reference to quote. She was panicking as she couldn’t think what she owed money for. She had looked up the company name online and saw it was that of a legitimate bailiff. The phone number on the bailiff’s website also appeared to match the one she had been told to call. When I looked it over with a fresh pair of eyes, I saw that there was one different digit between the real number and the one she had been sent. Just to make sure, I googled the phone number, and it showed up as being reported as being part of a scam thousands of times. The fraudsters behind this one would be relying on some of the recipients calling the number, being told that if they don’t pay, they risk repossession of some of their belongings, maybe being offered a reduced fine if they settle the debt right away, then paying out of fear and wanting to make the problem go away.
The Instagram bargain scam
Some scams are simply waiting for us in the places we choose to visit, and work by tempting us with something we all love: a bargain. Nowhere is more rife with “purchase scams” than social media. Most of the big platforms such as Instagram, TikTok or Facebook have their own marketplaces where users can buy and sell, advertise and collaborate, and it is on these that so many people are scammed.
A software developer I know was the victim of a purchase scam. He paid for some North Face hiking boots he saw through a link shared by someone on Instagram. Normally retailing for £160, the boots were offered for the bargain price of £50 if the buyer was willing to take a survey about their walking habits for market research purposes. The offer was only live for another 30 minutes so he clicked on the link, took the online survey, gave his contact information and delivery address then paid the £50 using his debit card. A few days later he was emailed by the company to say they were no longer able to source the hiking boots in his size and would therefore be issuing a full refund. Fair enough, you may be thinking. Au contraire. The “company” issued the refund and the chap put it out of his mind, not noticing that over the subsequent six months a series of small transactions were going through his bank — £10 here, £20 there, not enough to raise any alarms at the bank and missed by the victim among his regular outgoings. He only became aware of it when he was sorting out some bank statements for his accountant.
Imagine if a scammer defrauded 100 people that way. Say that they took £250 out of each of those people’s accounts over six months: that’s £25,000. These small amounts that fly under the radar add up to a very nice payday for a scammer.
The fake fashion website scam
Another one lurking on Instagram is the post promoting a closing-down sale of a much loved business, or last-minute bargain. One friend told me about one she had seen on what was proudly billed as a “family-run” London-based company. The site looked like any other fashion website with clothes shot on models, product information, even a press area. A fabulous shirt was on offer at £20, down from £99 — so she bought one in three colours.
Only one arrived and was nowhere near the quality shown on the website photos. My friend noticed that the parcel had a postal address from China. She emailed customer services to say she wasn’t happy with it. They apologised and offered her a refund, saying she could also keep the shirt. Not to be trifled with, she demanded a refund for all three shirts, which she got, despite the other shirts arriving as well. She felt a little uneasy so decided to cancel her card just to be on the safe side. Over the next three weeks, she noticed several attempts to charge her account had been made from another fashion website, which looked exactly the same, but had a different name.
The Facebook Marketplace fake buyer scam
It’s worth knowing that there are scams where people selling on social media are targeted, rather than people buying, and this is another one that nearly got me.
A few years ago I won an Apple watch. Given that the most frequent walk I do is from my desk to the fridge, I decided to sell it on Facebook Marketplace. I advertised it for a reasonable price and had a lot of messages straight away. A woman asked if she could pick it up within the hour if she paid me by bank transfer straight away. I agreed and she sent me a screenshot of her payment to prove the money had left her account.
Less than ten minutes later she rang the buzzer for my flat and on the way downstairs to meet her I checked my bank to make sure the money had gone in. Nothing. I told her that I hadn’t received the money and she showed me the screenshot on her phone. She then accused me of being a scammer and taking her money. It was a really uncomfortable situation and it was tempting to just hand over the watch to get this increasingly aggressive woman away from my flat. As luck would have it, someone had heard her shouting and poked their head out of the door to see what was going on. When I explained he told me in no uncertain terms that it was a scam. When I turned round to address the woman she was half way across the car park. I went back into my flat, looked up her profile to report it to Facebook but she’d already deactivated it.
Putting aside the financial loss, the inconvenience of having to contact the bank and the inevitable feelings of anger and/or embarrassment, the most frustrating thing about scams on online platforms is that a great deal of the social media companies don’t even pretend to be bothered about it. They usually just say they are merely the host and cannot be responsible for what happens on their site.
The concert ticket scam
We all know someone who tried to get Oasis tickets for their tour. In my case, it was my friend’s brother who spent hours online waiting for his turn to buy tickets in the general sale. Just as he was nearing the front of the queue the website crashed and he was back to square one — or square 4,283 in this case. By the time he was within 1,000 places of a ticket they had sold out and it seemed that he and his bucket hat were destined to stay at home.
He was soon inundated with adverts on social media promoting sold-out Oasis tickets at “rock bottom prices”. He recognised these as likely to be a scam. But when he came across a site with Oasis tickets for sale at a reasonable price, he jumped at them. He had been expecting to pay around £200 per ticket initially and these were £350 each, which he thought was expensive but realistic.
He put two tickets into his online shopping basket and paid via PayPal. A message came up to tell him to choose PayPal’s “Friends and family” payment option as not using the “Paying for an item or service” option would allow the company to pass on savings to customers. In reality, using this option just means that the payment won’t be covered by Paypal’s buyer protection. Unfortunately, he wasn’t aware of this and paid. Two weeks later, and still no tickets, he went back online and the website had disappeared. He really did “look back in anger”.
The job hunter’s scam
Something that is being talked about a lot in the counterfraud world now is the number of job scams out there: a text or email claiming to be from a recruiter who has seen your CV online and wants to speak to you about an opportunity. Or is making great money as a digital nomad. If you aren’t looking for work and you haven’t got a CV, these are easier to ignore, but it’s a different story if you are actively seeking employment.
Some scams are simple: you are sent a “formal” application to fill in; a short time later you’re told you have been successful and asked to send over a fee to cover admin/uniform/equipment. Others are more elaborate. I heard of a woman who, last year, answered an advert for a teaching position in the Middle East. After getting through the first round of selection, she was interviewed via Zoom by someone claiming to be a head of department at the school, who offered her the job. She signed the forms, paid the school for her first month’s lodgings and booked her flight. When she got out to the Middle East, it soon became clear that it had been a scam. The school hadn’t heard of her; there was no job; the money she sent them had gone straight into a fraudster’s pocket.
The recovery scam
Fraudsters have such a flagrant disregard for the devastation their actions cause that they are even prepared to use victims’ feelings of desperation to enable them to commit further fraud. “Recovery scams” consist of scammers offering to recover money that has been lost to… You guessed it. Fraud. Sometimes it’s even the same people who scammed you in the first place, just using a different identity. Fraudsters posing as “recovery experts” will comment on social media posts offering help, post in online chatrooms, even send letters touting their services. They speak to victims personally, sympathise, promise to recover what has been taken from them. They just need that upfront fee first…
So, what can you do to protect yourself?
Having possibly scared the bejesus out of you with just how many baddies are out to get us, what I’d love to be able to finish with is a surefire guide to how to stay safe from fraud for ever. Unfortunately, that’s not something I, or anyone else, can offer. But there are some basic things we can do to minimise our risk.
The first thing is to stop and think. Remember that scammers want you to act on impulse. Taking a few minutes to consider a message you have received, or an offer you’ve seen, can kick-start your rational side and prevent you making decisions based on emotional reactions. Equally, ask someone else what they think before replying to a message or clicking on any links. A fresh perspective never hurts.
We need to take care of our passwords — don’t have the same one for everything, don’t have them written down in a little book called “Passwords” and don’t give your bank’s one-time passcode to anyone.
It’s also worth setting up a secret word between family members that no one outside that circle knows. This way, if you receive any messages starting, “Hi Mum, I’ve lost my phone and need help,” you can say: “OK. What’s the secret word?” If they don’t know it, it’s not them.
In the past, fake websites and emails would be fairly easy to spot as there would often be clear errors — the font changing halfway through, logos blurred, basic spelling and grammatical errors. However, fraudulent communications are way more sophisticated these days. With websites it is crucial to check the URL carefully and crosscheck it online. For example, amazon.com is a real site, amazon-secure.com isn’t, and yet looks like something that would exist as part of Amazon’s website security.
We need to be as vigilant with emails — check the sender’s full address and don’t open any attachments you aren’t expecting. It may take time but calling the number or emailing the address from a company’s website will help ascertain whether an email, text or letter is real.
There are tools too to help identify and report fraud. Ask Silver allows you to take a photo or a screenshot of any letter, leaflet, email, text, QR code or website address, send it to them on WhatsApp and within a few seconds receive a message back highlighting any red flags within the image you’ve sent. It then asks if you want Ask Silver to report the potential scam to the appropriate body for you.
The answer to that question should always be yes. Report. Report. Report. Fraud in 2025 is sophisticated, highly technological and very, very quick, and to develop tools to combat it, the counterfraud industry needs to know what is happening. So, tell your bank, tell Action Fraud, tell social media companies, tell your friends, your family. Don’t ever stop talking about this. I certainly won’t.
Becky Holmes Thursday August 07 2025, 5.00am BST, The Times