In this article
The National Crime Agency identifies fraud as the most commonly experienced crime in the UK. Fraud costs the UK many billions of pounds every year and includes identity theft fraud.
Identity fraud has reached a highpoint and according to fraud prevention group Cifas, a not-for-profit fraud prevention membership organisation, there were more than 189,000 cases in the UK in 2018 and they also found that 65% of identity theft victims had a social media or online presence. In fact, around 35% of identity theft can be traced back to phishing scams.
Identity fraud, or ‘ID theft’, involves the use of a person’s stolen details to commit crime. Many victims never find out exactly how someone got hold of their details, and clearing things up afterwards can be costly and stressful.
Whilst Cifas research shows that victims are most likely to be aged between 31 and 40 years and that the London area had the most cases of identity theft, it can and does happen to anyone in every part of the UK.
As criminals seek to capitalise on the COVID-19 pandemic, the National Crime Agency are now warning everyone to be even more vigilant against fraud, particularly about sharing their financial and personal information as life online increases.
Common types of identity theft
Identity theft occurs when criminals access enough personal information about an individual to commit fraud. They use various techniques to steal these details, from outright theft and social engineering to harvesting data through cybercrime.
Phishing – Is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts
How can you tell that a communication is “phishing”?
No legitimate organisation will send emails from an address that ends ‘@gmail.com’. Not even Google. Most organisations, except some small operations, will have their own email domain.
Many of us don’t ever look at the email address that a message has come from. Your inbox displays a familiar company name, for example your bank’s name, and the subject line. When you open the email, you already know (or think you know) who the message is from and jump straight into the content.
When criminals create their bogus email addresses, they often have the choice to select the display name, which doesn’t have to relate to the email address at all. They can, therefore, use a bogus email address that will turn up in your inbox with the display name of, for example, your bank.
Their bogus email addresses will use the spoofed organisation’s name in the local part of the address, for example “yourbank@gmail.com” or even yourbank@yourbank.verify.com. But as much as it attempts to replicate a genuine email from your bank, there’s one massive red flag.
A genuine email from your bank would just have the organisation’s name in the domain name, indicating that it had come from someone at (@) your bank. That your bank’s name isn’t in the domain name is proof that this is a scam. Unfortunately, simply including an organisation’s name anywhere in the email address or message is often enough to trick people.
Sadly, criminals have become more sophisticated and simply misspelling a genuine domain name may be enough to trick people. Anyone can buy a domain name from a registrar, and although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.
For example, criminals may register a domain “yourbnk.com” or “yorbank.com”, close enough to the original real organisation to fool people and to send out emails from @yorbank.com.
Three of the most common ploys used in phishing scams include emails or texts with the following messages:
- “We noticed a suspicious transaction on your account. To make sure your account hasn’t been compromised, please click the link below to verify your identity.”
- “During a review of our accounts, we couldn’t confirm your information. Click here to review and confirm your information.”
- “Your account has been overcharged. Please call within seven days for a refund.”
Financial institutions won’t ever ask you to verify or confirm anything that requires online login information. Your bank or other financial institution already knows this information so they won’t ask you for it.
Also beware if anyone asks you to take immediate action of some kind; sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most credible organisations give ample time before they terminate an account and they never ask people to update personal details over the internet.
When in doubt, visit the source directly or telephone them rather than clicking a link in an email and don’t ever use a telephone number provided in an email, always look it up independently.
Remember that legitimate institutions will call, not email you, in the event of a true emergency, and, even then, they won’t ask for sensitive information; they typically just ask you to verify some activity on your account.
Other phishing red flags to look out for include:
- Misspellings and typos – Legitimate emails won’t have misspelled words, poor or missing punctuation, or bad grammar. Emails from financial institutions and credible companies are well-polished and well-edited, so if you see mistakes, leave the email alone.
- Generic salutation – Phishing messages will often begin with nondescript salutations, such as “Dear valued customer” or “Dear account user.” Legitimate companies typically will use your actual name.
- Unusual sender – Whether it looks like it is from someone you do not know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don’t click on it!
- Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed to when clicking on it. The link URL may be completely different or it could be a popular website with a misspelling, for example www.bankofarnerica.com, the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
What to do if you receive a phishing scam
Prevention is always the best online identity protection:
- Don’t click on links, call phone numbers, or download attachments included in suspicious emails. If you receive an email and have a concern about your account, call the number on the back of your debit or credit card or go to the company’s main website (not the one included in the email).
- Forward the email to the institution. Alert the institution the phisher is pretending to be from about the email, and forward it to their spam or phishing email account (most financial organisations include this email address in their contact details as do organisations such as Amazon and BT). This gives the organisation the opportunity to take action to try and put a stop to the phishing.
- Change your login details. If you revealed any login information, make sure you change your passwords immediately.
- Update your antivirus program and scan your computer. Make sure you have the latest version of your antivirus software and run a full system scan.
- Get in touch with a credit bureau. You can place a fraud alert on your credit with any credit bureau for free. This lets creditors know you might be an identity theft victim.
- Inform the police if you have been the victim of a scam, call 101 or call Crimestoppers on 0800 555 111 or call ActionFraud on 0300 123 2040.
Debit card or credit card fraud
You may not realise that anything is wrong until you receive your credit card or bank statement and notice suspicious activity, purchases you didn’t make. The damage has been done, but it’s not irreversible.
Most credit card companies are willing to remove the unauthorised charges from your bill and refund your money as long as you notify them within 60 days of the issued statement. But the real question is, how did this happen?
Criminals can use a number of ways to take your credit card and banking information. Debit and credit card thieves sometimes place debit or credit card skimming devices onto the card readers at petrol pumps or ATMs.
These skimmers capture and store your debit or credit card information and card thieves come back later to get the device. They also position a pinhole camera nearby that records the pin numbers. Fake cards are then encoded with the information and the criminals either use your account themselves or sell the card on to others to use.
How to protect yourself from skimmers
- Don’t use free-standing ATM terminals in badly lit or deserted areas. These are the most likely targets for skimmer action.
- Try to deal directly with a cashier when taking out money. ATMs may be convenient, but you reduce your likelihood of being skimmed by avoiding them where possible.
- Look out for damaged ATMs. Any evidence of tampering should be seen as suggesting a fraudster may be at work.
- Cover the keypad with your hand when you enter your pin number so that it can not be picked up on camera.
- Be vigilant during transactions at ATMs.
Another way that criminals can access your debit or credit card is by scanning the radio frequency identification (RFID) chips on your credit or debit card. The microchip that is implanted in all credit or debit cards is actually a radio transmitter.
Although banks claim that RFID chips on cards are encrypted to protect information, it has been proven that scanners, either homemade or easily bought, can swipe the cardholder’s name and number, and they don’t need to be too close to you either – a scanner can pick up card information from up to 10 feet away.
How to protect yourself from RFID scanners
By using some gadgetry and strategy you can help to protect yourself from card scanning.
- Buy a card sleeve or RFID wallet that blocks RFID transmissions or you can put a few sheets of thick aluminium foil into your purse or wallet behind your cards; this can also do the trick.
- Stack your cards together to mitigate some of the scanner’s ability to read information.
- Leave your cards at home and only use cash in public places or just take one card with you.
The best protection against credit or debit card fraud is being resolutely aware of your spending. This means consistently reading your credit card and bank statements every month and keeping track of your receipts as points of reference.
Inform your bank or credit card company if you have been the victim of credit or debit card fraud. You can also tell the police, call 101 or call Crimestoppers on 0800 555 111 or call ActionFraud on 0300 123 2040.
Mail identity theft
Your mail contains valuable information for potential fraudsters. With your name, address and other personal information criminals can pretend to be you and attempt to open bank accounts or get credit cards, loans, mobile phones or even secure a passport in your name using your personal details.
Fraudsters may get your personal information by either stealing your mail, by rifling through your rubbish and recycling bins, or if you have recently moved, by opening mail that is addressed to your previous address or fraudulently setting up mail redirection.
The National Fraud Intelligence Bureau (NFIB) found that:
- 44% of Britons still don’t shred documents containing sensitive information before placing them in the bin.
- Only 54% of UK residents routinely check financial statements.
- 79% of household waste contains at least one or more items that could assist fraudsters in stealing an identity.
What can you do to protect yourself?
Shred documents – Bank statements, utility bills, application forms, receipts and letters, in fact anything with your name and address on, can all give away information you’d rather keep to yourself and provide fraudsters with the wherewithal to become you.
Forward mail – Have your post forwarded for at least six months when you move house otherwise who knows what kind of sensitive information will be dropping on your old doormat and into the hands of people you don’t know. The new residents may not be as careful with your mail as you might be and could just throw it in the bin for anyone to access it. You can contact the Royal Mail Customer Enquiry line on 08457 740 740 if you suspect your mail is being stolen or that a mail redirection has been fraudulently set up on your address.
Monitor your credit report – This means you will know about any unauthorised or suspicious activity such as new accounts opened in your name or companies doing credit searches on you.
Check your credit card and bank statements – Do this regularly so that you pick up any unusual activity quickly. Your bank or credit card company may refund your money as long as you notify them within 60 days of the issued statement.
What can you do if you realise your identity may have been stolen?
In 2007 the Home Office issued the following advice for anyone who is or may have been the victim of identity fraud.
1. Contact your creditors – Get in touch with creditors with whom you have an account (e.g. banks, credit card companies, store cards, phone & utility companies), even if they have not been affected, so they can monitor your accounts. Your bank, for example, is now responsible for undertaking further verification and investigation and where appropriate will report it to the police for investigation following a change in reporting procedures.
2. Contact a credit reference agency – Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again.
3. Contact the UK’s fraud prevention service – Cifas – If you think you’ve been a victim of identity theft you should consider subscribing to the Cifas Protective Registration Service. A notice will be placed on your credit file indicating that your name and address may be used to perpetrate identity fraud.
Being a victim of identity theft can cost you valuable time and money as well as experiencing the mental anguish of being a victim of fraud.
A few simple steps such as shredding documents and keeping a close eye on personal details can avoid you having to try to retrieve perhaps thousands of pounds from your bank or credit card company. It is also a nightmare cancelling cards and ordering new cards and perhaps being without access to money while they arrive. Finally, your credit rating may take a negative hit too.
Understanding GDPR
Just £20
Study online and gain a full CPD certificate posted out to you the very next working day.