The internet can be an amazing place. But unfortunately it can also make it easy for fraudsters to create incredibly convincing scams.
So we want to take you behind the scenes of one of these scams, so you can see how fraudsters run them and learn to spot their tricks.
We'll explain how phishing scams work, how fraudsters can set up websites that look so convincing, and how they actually take your money. So next time you come across a scam, you'll know how to spot it.
Let's look closely at a common scam 👀
It's happened to most of us. You get a text out of nowhere saying HMRC owes you money. The message asks you to click a link to get what they owe you.
The link isn't a website you normally go to, but it does have "HMRC" in it.
You click it, and the website it takes you to looks legit. So you fill out your details and go on with your day.
A bit later, you see some unexpected spending on your account and realise you've been scammed 😞
We call this type of scam "phishing."
Fraudsters can make it very tricky to spot if a text message is real or fake
They can make a text message look like it came from whoever they want it to
The first thing you'll probably notice is who the text is from. You can see it in your phone as "HMRC."
This already makes the message pretty believable: you can trust the sender name, right?
Sadly, no. The text message system was built a long time ago, and doesn't have any of the security features we'd include if we designed it today. It has no way of checking that a message really came from the name or number it shows you. The first text message was sent in 1992!
The person sending the text message can control who you think it's from. And they can actually choose any name they want!
⚠️ So when you get a text message, you can't actually trust the sender name or number at all!
And they can add words or websites you're familiar with to fake links to make them look legit
What about the link in the message: "hmrc.tax-refunds.org/login"?
This certainly looks authentic: it's clearly to do with tax refunds and it also includes "hmrc," which you'd expect.
So how did the scammers get such a convincing link?
First let's do a tiny bit of ICT revision on what makes up a link (technically called a URL, or Uniform Resource Locator):
The most important part of a link is the "root domain" (here it's "tax-refunds.org").
The "root domain" is a series of letters, numbers, and dashes, plus a short extension called the "top level domain" (here it's ".org", but there are many others like .com, .co.uk, and .net).
This "root domain" is the thing you buy when you're setting up a website.
Some top level domains can only be used by specific people. For example:
Only the UK government can get domains ending with .gov.uk
Websites using the .cat top level domain must have content in the Catalan language
Most domains are available for anyone to buy
But under most top level domains, anyone can buy a domain (just as long as someone else doesn't already own it), and nobody checks what they plan to use it for.
So the scammers were able to buy "tax-refunds.org" without anyone asking what it was for.
Fraudsters can use simple tricks to make domains look surprisingly credible
Once you own a root domain, you can create as many "sub-domains" and "paths" as you like.
In this case, the scammers added "hmrc" as a sub-domain to create "hmrc.tax-refunds.org." Adding "hmrc" makes the link look legit, especially at a glance. And they could just as easily have created "hmrc.gov.uk.tax-refunds.org," which looks even more convincing!
In the same way, scammers also sometimes add "paths" onto root domains to mimic credible websites. For example: "tax-refunds.org/hmrc.gov.uk".
Let's use gov.uk/claim-tax-refund as an example of a site a fraudster might want to mimic. What links could a fraudster make to try and trick you into thinking their site was real?
Link | Root domain | Real or fake? |
---|---|---|
gov.uk/claim-tax-refund | gov.uk | ✅ |
gov.uk.claim-tax-refund.com | claim-tax-refund.com | ⛔️ |
gov-uk.tax/claim-tax-refund | gov-uk.tax | ⛔️ |
taxreturn.com/gov.uk/claim-tax-refund | taxreturn.com | ⛔️ |
Using paths and subdomains like this means scammers can make their links look surprisingly real. And as you can see, spotting if a link is safe can be very tricky.
⚠️ So remember, just because a link includes words or websites you're familiar with (like "gov.uk"), it doesn't mean it's real! The only part that tells you who you're really dealing with is the root domain.
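Here's what that "find the root domain" check looks like when you write it down as code. This is an added example for this post, not part of Monzo's own tooling: it runs the links from the table above (plus "hmrc.gov.uk.tax-refunds.org/login" from earlier) through a small checker and asks one question of each, "is the root domain gov.uk?". The tiny list of suffixes is a stand-in for the full Public Suffix List that browsers use, and the last link is a constructed extra that goes slightly beyond the tricks on this page: putting "gov.uk@" in front of the real address, which browsers treat as a username rather than part of the site name.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/),
# which is what browsers and real tooling use. Only the suffixes needed for the
# links on this page are included; a real checker would load the full list.
KNOWN_SUFFIXES = {"com", "org", "net", "tax", "uk", "co.uk", "org.uk"}


def host_of(link: str) -> str:
    """Pull the hostname out of a link, even one written without http://.

    urlsplit() drops the path ("/claim-tax-refund") and anything before an
    "@" (a username), so only the real site name is left.
    """
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return host.lower().rstrip(".")


def root_domain(link: str) -> str:
    """Return the "root domain": one label plus the longest known suffix.

    Sub-domains in front of it and paths after it are ignored completely,
    which is exactly why "gov.uk" appearing in a link proves nothing.
    """
    labels = host_of(link).split(".")
    # Try the longest possible suffix first ("co.uk" before "uk").
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in KNOWN_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ""  # no recognised suffix: treat as untrusted rather than guess


def is_trusted(link: str, trusted_root: str) -> bool:
    """True only if the link's root domain is exactly the one we trust."""
    root = root_domain(link)
    return bool(root) and root == trusted_root.lower()


# Links from the table above and the earlier text, plus two constructed extras
# (a normal "www." address, and the "gov.uk@" username trick).
EXAMPLE_LINKS = [
    "gov.uk/claim-tax-refund",
    "gov.uk.claim-tax-refund.com",
    "gov-uk.tax/claim-tax-refund",
    "taxreturn.com/gov.uk/claim-tax-refund",
    "hmrc.gov.uk.tax-refunds.org/login",
    "www.gov.uk/claim-tax-refund",              # constructed: real site, with www.
    "https://gov.uk@tax-refunds.org/login",     # constructed: "@" trick
]


def check_links(links=EXAMPLE_LINKS, trusted_root="gov.uk"):
    """Map each link to (root domain, whether it is really the trusted site)."""
    return {link: (root_domain(link), is_trusted(link, trusted_root)) for link in links}


if __name__ == "__main__":
    for link, (root, ok) in check_links().items():
        print(f"{'✅' if ok else '⛔️'} {link:45} root domain: {root}")
```

The important design choice is that the checker never searches the link for "gov.uk" as text: it works out the root domain first and then compares it whole. Searching for familiar words is exactly the shortcut your eyes take, and exactly the one the fraudsters are counting on.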
Fraudsters can make phishing sites look almost identical to the real thing!
What usually makes phishing scams so believable is just how convincing the fake websites can look.
Take a look at these websites. Which one is the real deal? And which ones are scams?
Number 3 is the only real one!
Don't feel bad if you got it wrong. As you can see, the fake sites are almost identical to the real thing: they all use the same logo, the same fonts, and the same buttons.
Fraudsters clone real sites to make them look convincing
Fraudsters make their sites look as close as possible to the real thing, so you don't get suspicious when they ask you for your sensitive details.
To do this, they take a clone of the real site and then edit it slightly, so that it asks for information like your PIN or email password.
Cloning websites sounds very technical. But if you're reading this on a laptop or desktop, then you're using a super powerful website cloning software right now!
If you click "File → Save As" your web browser will download a complete copy of this page. You might use this feature to save things to read later. But it's unfortunately also very easy for fraudsters to use this file to create a phishing site: they keep the page exactly as it looks, and just change where the form sends your details.
⚠️ So remember, you can't trust a website just because it looks like a legitimate one you've used before.
It's very easy for fraudsters to use the same logos, fonts and buttons to make their fake sites look like the real thing.
Fraudsters use the information they get to steal your money
A fraudster running a phishing scam wants to get as much information about you as possible, so they can make money off you.
They'll be interested in getting information like:
Your card details: your card number, expiry date, PIN, and CVC
Your home address
Your email address and password
Your National Insurance number
Your bank account details: your account number and sort code
Answers to classic security questions like the name of your first pet or your mother's maiden name
The most obvious thing on this list is your card details. With your card number, expiry date, and CVC in hand, fraudsters can go on an online shopping spree and buy anything they want with your money.
The rest of the list is a bit less obvious though. Why would a fraudster want your email address and password? What can they realistically do with all those unread email newsletters?
Fraudsters could steal your money, even if they don't get your card details!
Fraudsters want access to your emails because so much of your online life depends on your email account. If someone else has access to your emails, they could reset your passwords for your other online accounts and log in there as well.
If a fraudster's able to log into your online banking, they could transfer all of your money to their own account. They could even apply for a massive loan and steal all of that as well 😞
Even if you realise it's a scam halfway through, you might've given fraudsters information they can use to trick you later
What if you start filling out your details, but part way through realise it's a phishing scam and stop? Can you rest easy knowing you didn't enter your card details or give up any passwords?
Not quite! Even though the fraudsters didn't get information they can use to take your money straight away, they still learnt a lot about you.
Even if you didn't fill out all the information they asked for, or click 'submit', you have to assume the fraudsters know everything you typed into the phishing site.
They could know your date of birth, your home address, your mother's maiden name, and anything else you filled out before quitting.
Armed with this information, they can craft an even more convincing phishing attack that's customised just for you!
Some fraudsters use the information to try and trick you into sending them your own money
If a fraudster has some sensitive information about you, they'll sometimes phone you up pretending to be the police, the government, or even your bank's fraud team. They'll use all the information they know about you to convince you they're legitimate.
Once they convince you, they'll try to trick or pressure you into sending your own money to another account!
Because they know so much about you, they can seem very credible. When you hear them tell you all sorts of information about yourself, it's hard not to believe that they are who they say they are. If they know your bank account number and your mother's maiden name, surely they must be from your bank!
Fraudsters can even spoof their phone number so it looks like they're really calling from the government or your bank. Just like with text messages, you can't trust the phone number on a call either!
A spoofed phone call from a fraudster might happen really soon after you fill out your details on a phishing site, or it could be weeks later.
This type of scam (where you're tricked into giving away your own money) is known as authorised push payment (APP) fraud.
Getting your money back can be very difficult if you’ve been scammed into sending it to another account. Bank transfers are instant, meaning they're almost impossible to cancel. And the fraudster can quickly move the stolen money elsewhere before they’re caught.
How to protect yourself against even the most convincing phishing scams
It might be disturbing to realise just how sophisticated some fraudsters can be.
But there are professional security teams who work to protect you
There are security teams all over the world looking out for phishing sites and getting them removed before you even see them. At Monzo, we scan about 12 million websites every single day to find and get rid of phishing sites!
Once we've found a phishing site, it can take a while for it to be taken down. We have to coordinate with the companies running the website to make sure they're taking it down for legitimate reasons. And this process often takes a few hours, or sometimes even days.
And you can protect yourself and your money, even if you do fall for a scam!
The good news is that there are some easy steps you can take to keep your accounts secure, even if you do fall for a phishing scam.
1. Never give out your email password
Your email account is the gateway to the rest of your online life. So keep your email password extra safe! 🔐
There's no reason for any website to ask for your email password, except for your actual email provider.
If you have a Monzo account, we'll never ask for your email password.
2. Set up "Two-Factor Authentication" (2FA) on your email account
If you set up 2FA, then even if you fall for a phishing scam and tell a fraudster your password, your password on its own won't be enough to log into your account!
Most email providers offer this feature. If you turn on 2FA, whenever you log in to your email account, you'll need to give two pieces of information to log in:
your password
another piece of information, like a code that your email provider will text you, or one that you can generate with an app on your phone.
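To show why a phished password isn't enough on its own, here's how the codes from an authenticator app are actually produced. This is an added example for this post, not code from Monzo or from any email provider: it implements the standard time-based one-time password algorithm (TOTP, RFC 6238) that most authenticator apps use. The secret is the one from the RFC's own published test vectors, not a real account secret, and the `verify_login` function is a simplified stand-in for what a provider does when you log in.

```python
import hashlib
import hmac
import struct
import time

# The shared secret is set up once, when you scan the QR code in your
# authenticator app. This value is the RFC 6238 test-vector secret, used here
# so the codes below can be checked against the published numbers.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the 30-second step number."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_login(password_ok: bool, secret: bytes, submitted_code: str,
                 unix_time: int) -> bool:
    """Simplified stand-in for a provider's login check (assumption, not any
    real provider's logic): the password must be right AND the code must match
    the current step or the previous one (to forgive a slightly slow clock)."""
    if not password_ok:
        return False
    candidates = (totp(secret, unix_time), totp(secret, unix_time - STEP_SECONDS))
    # compare_digest avoids leaking which digits were right through timing
    return any(hmac.compare_digest(submitted_code, c) for c in candidates)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("Code your app would show right now:", code)
    # A fraudster with the phished password but no secret can only guess:
    print("Password + guessed code:", verify_login(True, DEMO_SECRET, "123456", now))
    print("Password + real code:   ", verify_login(True, DEMO_SECRET, code, now))
```

The point to take away: the code is worked out from a secret that only your phone and your email provider hold, plus the current time. A phishing site that collected your password weeks ago has neither, and a code from an hour ago is already useless.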
Here are some guides on how to turn on 2FA with common email providers:
3. Follow warnings from your web browser
If you click on a link and see a warning like this, listen to it!
It's extremely unlikely that the site you're visiting is real. Your browser shows these warnings when a website has been reported or detected as malicious and added to a blocklist, but hasn't been taken down yet.
Just remember, if you don't see a warning, that doesn't mean the site's real. Always take a good look at the link to decide if you trust it.
4. Take your time. And, if in doubt, double check!
Fraudsters make their messages sound very urgent and alarming, to try and panic you into believing them before you realise it's a scam.
Real companies won't try to rush or panic you. So if you suspect a message might be phishing, it's always better to reach out to the company that supposedly sent it to double-check if it's real. Use contact details you already have or find on their official website or the back of your card, not the number or link in the message itself.