Fraud risk: 'Got an email from Amazon or Paypal? Delete it'

Image (a Richard Allen cartoon): 'Phishing' emails are designed to trick recipients into handing over personal details. Credit: Richard Allen

Consumers are being left vulnerable to increasingly sophisticated cybercriminals because major companies are not taking measures to protect them from plagues of fake emails, a leading cyber-crime expert has claimed.

Billions of “phishing” emails purporting to be from companies we trust such as Apple and Amazon, or banks, charities and even government departments, are reaching consumers’ inboxes.

Their intention is to trick recipients into visiting a website – specially created to mirror a legitimate business’s site – and entering personal details such as email addresses and passwords.

These can be used by criminals in a number of ways, including accessing bank accounts, making payments or applying for credit or other services.

Phishing emails are cleverly designed to mimic the firm’s real emails. They are increasingly well-written. Worryingly, as fraudsters invest more in their processes, the emails are also more likely to bypass spam filters.

To add to the convincing effect, criminals are buying domain names similar to those of the companies they are impersonating, so recipients are more likely to think the emails are real.

Since January Action Fraud, the national cybercrime reporting service, has issued alerts about scams involving fake correspondence from HMRC, Amazon, and the Department of Education, among others.

But now the proliferation of these emails is causing some to question whether the real businesses are doing enough to protect their customers.

Chris Underhill, chief technical officer at Cyber Security Partners, a consultancy, said firms that communicate by email have a “corporate responsibility” to prevent fraudsters impersonating them online.

He said many firms were failing to take the basic – and inexpensive – precaution of buying up domain names similar to their own.

Image (a sign saying 'easy money'): Experts are warning consumers to be on guard against criminals who see them as easy targets. Credit: Alamy

He said: “The technology is there for little cost but sadly the adoption rate is low.

“The responsibility is now placed on the consumer to check the sender of the emails is real.”

Telegraph Money found it was possible, for example, to buy domain names such as amazonuk.org, amazon.eu.co.uk or amazonuk.tech for as little as £5.99 per year.

Andrew Goodwill, of The Goodwill Group, a fraud-prevention consultancy, said consumers should “be incredibly sceptical” about any unsolicited digital communication even from familiar companies. If they contained links or asked for personal information they were “more than likely to be fake”, he said.

He added: “It’s a difficult situation. Why wouldn’t you expect to receive an email from a service you use?”

Telegraph Money has put together a list of the organisations currently most likely to be impersonated by fraudsters.

Government organisations

A number of emails are in circulation which purport to come from government bodies such as HMRC and the Crown Prosecution Service.

The messages vary but the intention is the same – to get you to click on links which will either install malicious software onto your computer or take you through to a bogus website.

The more sophisticated emails are well written, feature the familiar HMRC logo and a signature from a fake employee. Some may even include HMRC in the email address.

Image (a fake CPS email): The CPS email uses the logo, but you would only ever be summoned by post.

HMRC said it will never use texts or emails to tell consumers about a tax rebate or penalty. Nor will it ever ask for personal or payment information via these means.

Fake emails should be reported to Action Fraud, the UK’s national cybercrime reporting service. Bogus HMRC emails should be sent to phishing@hmrc.gsi.gov.uk.

Other emails purporting to be from official bodies include a witness summons from the Crown Prosecution Service, parking fines from the police and payment confirmations from local authorities.

Tech firms

Emails that appear to be from Amazon, PayPal and Apple may well be from fraudsters.

Fake Amazon emails replicate an order confirmation but contain details and delivery dates of a product that the recipient did not order.

The messages come from legitimate-seeming addresses such as server-info@amazononline.co.uk.

However, correspondence from the UK arm of Amazon would be sent from an address ending @amazon.co.uk.

Image (a fake Amazon email): The fake email purporting to be from Amazon encouraged customers to click on the refund link.

These messages are designed to get customers to query the order by clicking on the link to a “refund page” at the bottom of the email.

A sophisticated PayPal scam is being sent direct to mobile phones. The text message, which uses a number appearing to be linked to PayPal, explains the customer account has been suspended due to “unauthorized login attempts”. It offers a link for customers to confirm their details.

A PayPal spokesman said all communication to account holders regarding account limitation would be sent to the secure message centre within their PayPal account.

Apple is also regularly impersonated.

Consumers receive fake invoices or messages telling them their iTunes ID has been blocked.

In most cases the message contains a link to a fake Apple website which asks users to enter their account information.

Apple said the iTunes Store will “never ask you to provide personal information or sensitive account information (such as passwords or credit card numbers) via email.”

Charities

Action Fraud issued a warning on January 16 about high numbers of phishing emails purporting to come from a charity called Migrant Helpline.

The email thanked the recipient for a donation which was never made. Those who had queries about the donation were invited to click on a link – which would download a virus onto their computer.

Image (a fake email): A phishing email from fraudsters pretending to be Migrant Helpline. Credit: Action Fraud

According to Action Fraud, this malware is equipped to target and steal personal and corporate banking details.

Oxfam has a list of scams it is currently aware of, including those which request donations and another offering hundreds of thousands of pounds as a cash grant. To qualify for the money, you just need to provide personal details including bank information.

If you are unsure about emails received from Oxfam, it advises you email giving@oxfam.org.uk.

An address book contact

Last month a Gmail scam had even the most tech-savvy consumers fooled.

The email appears to come from someone you know who may have had their account hacked.

What appears to be a PDF file is attached. However, when recipients click on it, they are taken to a page which looks just like the Gmail sign-in page and are prompted to enter their email address and password.

Once the fraudsters have this information, they have complete access to emails, contacts and any information saved on Google Drive.

The scam was highlighted by Mark Maunder, chief executive officer of Wordfence, the software engineering firm, who published details on the firm’s blog.

Even more concerning was the fact that the URL on the fake login page referred to “accounts.google.com”.

Image (the URL of the fake Gmail site): At a glance the URL of the fake Gmail login page appears authentic, but if you expand the toolbar there is much more text. Credit: Wordfence

Mr Maunder pointed out that by expanding the toolbar users would see a much longer string of text, which would not be the case on the genuine Gmail site.
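The two tells the article describes, a sender address on a lookalike domain such as amazononline.co.uk rather than amazon.co.uk, and a login link whose address bar merely contains the text "accounts.google.com" without actually pointing at that host, can both be caught by comparing the whole registrable domain rather than looking for a familiar name somewhere in the string. The following is an added example written for this article, not code from the Telegraph, Wordfence or any of the companies named; the trusted-domain list, the tiny public-suffix table and the sample addresses are constructed assumptions for illustration.

```python
"""
Added example: sender-address and link checks of the kind a mail client or
security-awareness tool could run on a suspicious message.  The sample
values are constructed from the addresses and domains the article mentions.
"""
from urllib.parse import urlsplit

# Registrable domains that genuine mail and links are expected to use.
# The article states Amazon UK mail ends in @amazon.co.uk; accounts.google.com
# is assumed here to be the genuine Gmail login host.
TRUSTED_DOMAINS = {"amazon.co.uk", "google.com"}

# Multi-label public suffixes seen in the article's examples.  A real tool
# would use the full public suffix list; this short table is an assumption.
MULTI_LABEL_SUFFIXES = {"co.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable domain of a host name.

    'mail.amazon.co.uk'           -> 'amazon.co.uk'
    'server.amazononline.co.uk'   -> 'amazononline.co.uk'
    'accounts.google.com'         -> 'google.com'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_is_trusted(address: str) -> bool:
    """True only if the domain after '@' is a trusted registrable domain
    (or a subdomain of one).  Lookalikes such as amazononline.co.uk or
    amazonuk.org fail because the whole registrable domain is compared,
    not a substring of it."""
    if address.count("@") != 1:
        return False
    domain = address.split("@")[1]
    return registered_domain(domain) in TRUSTED_DOMAINS


def link_is_trusted(url: str) -> bool:
    """True only for https links whose host is a trusted registrable domain.

    A data: URI that carries 'https://accounts.google.com' inside its body,
    as in the Gmail scam the article describes, has no host at all and is
    rejected however convincing the text in the address bar looks.  A host
    like accounts.google.com.example.net is rejected for the same reason.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return registered_domain(parts.hostname) in TRUSTED_DOMAINS


if __name__ == "__main__":
    # Constructed samples based on the addresses quoted in the article.
    for addr in ("orders@amazon.co.uk", "server-info@amazononline.co.uk",
                 "help@amazonuk.org"):
        print(f"{addr:35} trusted={sender_is_trusted(addr)}")
    for link in ("https://accounts.google.com/ServiceLogin",
                 "data:text/html,https://accounts.google.com/ServiceLogin"):
        print(f"{link[:55]:55} trusted={link_is_trusted(link)}")
```

The important design choice is that both checks decide on the registrable domain as a whole; a check that only asks whether "amazon" or "accounts.google.com" appears somewhere in the string would pass every lookalike the article quotes.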

Google told Mr Maunder it was aware of the issue and would continue to strengthen its defences against it.

Companies on social media

Phishing activity on social media increased by 150pc between 2015 and 2016 according to Proofpoint, a cybersecurity company based in California.

In its Social Media Brand Fraud report, the firm said fraudsters have taken to creating fake company pages on sites such as Facebook which include links to spoofed websites.

Those who visit these pages could be tricked into giving over account login details and credit card information.

Often the criminals attempt to lure customers over social media with promises of incredible deals.

Fraudsters have also been posing as banks on Twitter to target customers looking for advice from their provider.

In September last year, two fake NatWest Twitter accounts emerged within a week of each other.

The criminals tweeted a link to a spoofed website directly to customers who had contacted the bank’s genuine Twitter account with questions, and told them they would need to verify their details.

Those who clicked through were taken to a copycat website resembling NatWest’s online banking page which requested personal information such as name, bank details and Pin number.

The fake accounts and websites were quickly taken down. NatWest told Telegraph Money that no customers had lost money as a result of the scam.

Tony Neate from Get Safe Online, the UK’s leading cyber safety education initiative, said social engineering is becoming “ever more targeted and personal, which is why it’s no surprise that the number of cases is on the rise”.

He said: “What’s worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic.

“If we get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demands that we act urgently, it’s almost like the perfect storm.

“If you do have suspicions regarding an approach, it’s always better to be safe than sorry, so trust your instincts and double-check the person is who they say they are before handing over any information.”

Have you been tricked by an online scam? Email amelia.murray@telegraph.co.uk
