50 million Facebook accounts hacked
Up to 50 million Facebook accounts were hacked last week, in the latest of a series of cyber-attacks to hit major companies.
Facebook says they have fixed the flaw and that no credit card information was taken.
However, the Government's National Cyber Security Centre warns that users could still be tricked by follow-up phishing attacks:
“There is no evidence that people have to take action such as changing their passwords or deleting their profiles. However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
According to the Centre, scammers could make emails look particularly convincing by using details taken during the Facebook hack, such as the user's name or date of birth. These emails could ask for personal details that give scammers access to victims' bank accounts.
Facebook has taken the precautionary step of requiring 90 million users to log back into their account and smartphone Facebook app, but you should be wary of any emails or phone calls purporting to be from the company.
In the rest of this article, we look at how to stay safe online in general, including how to spot a phishing scam and the other ways criminals try to get your information.
Phishing involves bogus communications which ask for your personal or financial details and may contain links to viruses and malware.
They often appear to be legitimate, which is what fools victims into clicking on them. You’ll be asked for details to confirm an account (like Amazon, for example) and the scammer will harvest your details.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh— Tom Scott (@tomscott) December 23, 2016
Read more about this scam at Gmail phishing scam 2017: how to spot a fake email.
It’s not just limited to email either. Victims could fall for similar scams through a phone call or voicemail message (vishing) and by text message (smishing).
Then there’s spear phishing which appears to be from someone you know, say your friend or your boss, to try and get you to fall for it.
Image credit: Action Fraud
This example tells the victim that they have outstanding debt to pay to Optex, a real company. What's so worrying about this is that the email contains personal information like their full name and their postcode. It also contained a link which may have contained malware.
Stay safe: When you get an email, watch out for the classic signs of a fraudster like dodgy spelling and grammar, pressure to respond quickly and addressing you very generically, like ‘Dear valued customer’ rather than your name.
If you receive an email and you’re not sure who the sender is, check the email address. The domain name (the part after the @ symbol) might seem off, such as not matching the company the email claims to be from.
Don’t click on any of the attachments if you have any doubt who it’s from.
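The three warning signs above (a sender domain that doesn't match the company, a generic greeting, and pressure to respond quickly) can be checked mechanically. The script below is an added example, not part of the original article; the message it inspects is constructed for illustration, and the word lists are assumptions you would tune for your own mailbox.

```python
# Constructed sample message (not a real email) showing the three signs the article lists.
SAMPLE_EMAIL = {
    "from": "security@amaz0n-account-verify.com",   # lookalike, not the real company domain
    "claimed_company": "amazon.com",                 # domain the email claims to come from
    "body": "Dear valued customer, your account will be suspended within 24 hours "
            "unless you confirm your details immediately. Click here to verify.",
}

# Assumed word lists; extend them with phrases you see in your own spam.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "suspended", "act now")


def sender_domain(address):
    """Return the part after the @ sign, lower-cased; None if the address is malformed."""
    if address.count("@") != 1:
        return None
    return address.rsplit("@", 1)[1].lower().strip()


def domain_matches(sender_addr, legit_domain):
    """True only if the sender domain is the legitimate domain or a subdomain of it.
    Lookalikes such as 'amaz0n-account-verify.com' and 'amazon.com.evil.example' fail."""
    dom = sender_domain(sender_addr)
    if dom is None:
        return False
    legit = legit_domain.lower()
    return dom == legit or dom.endswith("." + legit)


def phishing_signs(email):
    """Return the list of warning signs found in a message dict (empty list = none found)."""
    signs = []
    body = email["body"].lower()
    if not domain_matches(email["from"], email["claimed_company"]):
        signs.append("sender domain does not match the company")
    if any(g in body for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(p in body for p in URGENCY_PHRASES):
        signs.append("pressure to respond quickly")
    return signs


if __name__ == "__main__":
    for sign in phishing_signs(SAMPLE_EMAIL):
        print("warning:", sign)
```

An empty result does not prove a message is safe; the checks only flag the obvious signs the article describes.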
When a scammer steals vital details from you like your full name, your address or your date of birth, they can use it to commit identity fraud.
Often the first sign of your identity being stolen is when you receive a bill for an item you didn’t order or a letter from debt collectors for debts you didn't know you had.
Stay safe: Don’t throw out anything with your name, address or other vital details without shredding it first. Check your bank statements and credit report regularly for signs of unusual goings on.
Read Identity theft: what to do if you fall victim to ID fraud for more.
Email hacking, in the form described here, targets the email exchange between a buyer and a seller, commonly a homebuyer and their estate agent.
In short, a hacker will follow a thread of emails, waiting for word of a payment being made. The hacker will then email the buyer posing as the seller and say that the company's bank details have changed, sending the buyer the details of the fraudster's own account.
The victim puts their money into the account and the fraudster is never heard from again.
We’ve written about these a few times in the past. Check out Homebuyers beware: this hack and scam email fraud could cost you your next home for more info.
Stay safe: First of all, watch out for a change in language or tone in emails. If it suddenly becomes more aggressive or pressurising, be suspicious.
Before you make any payments, give the recipient a call just to confirm that the message was from them and that the details you have are still correct. Only transfer a small amount of money to begin with, just to make sure the payment clears and it has gone to the right person.
A keylogger is a piece of software or hardware that captures everything you type so it can pick up your messages, logins, passwords and other valuable details.
It can be combined with other monitoring software which is even more dangerous. For example, keylogging can be combined with a history tracker so the scammer will know who you bank with and can use your details to swipe your cash.
Most keyloggers are installed by malware that could come from dodgy emails or even from someone who has access to your machine and wants to spy on you.
The software typically runs in the background so that it goes unnoticed. It can also be set to monitor specific patterns, such as sequences of numbers (which could be credit card numbers), and store them in a database.
Stay safe: The best piece of advice is not to click on any suspicious links from people unless you’re 100% sure what they are.
For extra security, use a password manager. Keyloggers work on raw information in the form of keystrokes. They can’t log information which isn’t typed, so forms that are filled in automatically are well guarded against keyloggers. Password managers will also change your passwords frequently without you having to type anything.
Read our guide on Password managers: the best free and premium services on Android, iOS and PC to get started.
Ransomware is similar to phishing in that it often finds its way on to the victim’s computer if they click a link in a dodgy email.
After the link is downloaded, the victim’s data and the server it is attached to get encrypted by the ransomware so that they can’t access it. In order to unlock it they have to pay the hacker a sum of money within a short period of time. If they fail to make that payment, the price goes up. After that, the decryption key gets destroyed, so the user no longer has access to their files.
Image credit: Action Fraud
Even in this example, scammers tried to convince victims that Action Fraud itself was trying to block content by using the organisation's own branding.
Stay safe: Aside from avoiding suspicious emails and keeping your anti-virus software up to date, make sure your data is backed up on an external hard drive, memory stick or online storage service.
Holiday fraud is everyone’s worst nightmare: you’ve booked your essentials, your bags are packed and you’re on your way to your destination. However, once you get there, you find that your accommodation doesn’t exist.
Stay safe: To avoid this horrible scam, book through a tour operator as it will be responsible for your booking.
Check whether or not the holiday company you go with is registered with ABTA. Not only does this prove that they’re legitimate, but you’ll get more protection if the company goes bust.
Never pay for your holiday by cash or bank transfer. Pay by credit card if you can – you’ll get extra protection from your credit card provider should something go wrong. You’ll be covered under Section 75 of the Consumer Credit Act.
And as ever, don’t respond to unsolicited communications promising unrealistically low prices.
Advance fee fraud
An advance fee fraud is when a scammer will ask you for money upfront or in advance. They can take many forms like overpayment, impersonating an official, lottery and rental fraud.
In many cases, once the money is paid, the fraudster will disappear and the victim is left out of pocket.
We’ve listed a couple of different examples.
Investment scams are fairly common, but they normally come with the promise of impossibly high returns for very little effort.
For example, someone will send you a message through Facebook promising a dream investment.
It all seems dandy when you exchange messages, but once you’ve handed over the cash, your mystery broker disappears.
In some cases, unlucky victims might be scammed twice. The broker tells them their first investment has been successful and they need to send money to ‘release’ their investment, and then they disappear.
Find out more at Facebook investment scam - how to stay safe.
Stay safe: If someone sends you a message claiming to have a magnificent investment opportunity, ignore it and send the offending message straight to Action Fraud.
Try and identify the fraudster using their social media profile. They often set up fake accounts for these investment scams so their activity will be pretty suspicious. They’ll have very few friends and their posts may be sporadic and contain poor grammar.
Be sceptical about money-making schemes on social media. If it was such a well-kept secret, why would it be on Facebook?!
Finally, never use a money transfer to make a payment. It’ll go straight into the scammer’s pocket and your bank won't be able to help you get it back.
Dating or romance fraud
Be careful if you’re looking for love online. Some fraudsters jump at the chance to swindle lonely hearts out of a hefty bit of cash.
After the initial introductions, you’ll find your new beau being very attentive and complimentary. You’ll develop a relationship through instant messaging, emails and texts. Once they’ve earned your trust, they’ll ask you for a sizeable sum of money for something emotive like some sort of treatment or travel costs to come and see you.
Naturally, the person isn’t who they say they are and in some cases you may even have been talking to several different members of a gang.
There’ll no doubt be repeated requests for money and once you start denying their requests they’ll blackmail you with any explicit material you may have sent them.
Stay safe: Watch out for a profile picture that is a bit too perfect. A model-esque photo could be a sign of a fraudster.
Beyond that, you can pinpoint one of these fraudsters because they’ll ask loads of questions about you and reveal very little about themselves, often unable to tell you where they live or work.
They’ll also want to take the conversation away from the dating website and on to texts and instant messenger.
You can avoid these by not revealing too much information about yourself. In your initial ad, don’t give out your full name or date of birth. If you’re ever asked for your financial details, don’t give them out and beware of any suspect links the person you’re chatting to might send.
If something doesn’t feel right, stop responding to their messages and block them.
As well as the above, considering a few things will help you to avoid the scammers altogether.
Banks, building societies and other companies will never ask for your details through email or over the phone. If you’re unsure about the validity of a caller, say you’ll ring them back and then call your bank on a number you trust. Check with them if the call was legitimate.
Keep your personal information close. Never give out your card details, PINs, address or other important info unless you absolutely know and trust the recipient.
If you receive anything suspicious, report it to Action Fraud.