Martin Lewis: How to teach yourself scam self-defence

Criminals aren’t always thugs with meaty arms and little between the ears. In our ever more interconnected world, these days many thieves wear suits, have charm, act in a sophisticated manner and make out they are on our side.

Update Mon 24 Feb: This post was first published in June 2018 but the info still applies.

A scam is simply a fraudulent scheme that dupes people into parting with their cash and/or personal details. Sadly I’ve been personally engaged in this world over the last year, as my image has been used across social media and online advertising, to try to dupe vulnerable people. I’m fighting it as hard as I can (see why I’m suing Facebook and beware fake MSE ads blogs).

Yet there’ll always be scum who try to rip you off. So here are my six scam self-defence rules and how to detect if you’ve already been scammed…

Six scam self-defence rules

1. Never give personal details if they text or email. The classic scam is fraudsters sending messages asking for your details to break into your accounts, claiming to be from a bank, insurer, HMRC, me, or even the police. This falls into two camps:

a) Phishing (a more geek spelling of 'fishing'). This is a scam email from a sender purporting to be from a company they hope you have a connection with, eg, your bank saying something like "your bank security is broken, click here" or "we need your help to retrieve funds".

It’ll then take you through to a professional-looking website – often a mirror image of the real thing, and it’ll ask you to put your password or personal details in.

Never, ever, EVER click a link in an unexpected email or open an attachment unless you're 100% sure of its contents (and sadly any ‘tax rebate’ email from HMRC is a fake; it never emails these).

b) Smishing (ie, SMS-phishing). Like phishing but by text, not email. What’s tricky here is deciding whether it is just spam or a scam. If it is spam – in other words a legit company sending sales messages – it should allow you to text back to stop future messages. More help on stopping spam texts, phone calls and door-knockers in our Stop Spam guide.

Yet if it’s a scammer, texting back isn’t a good idea as you’re just validating that they’ve texted a legit phone number, so you could get more sent to you – and of course never call them. If unsure, play safe and delete it.

2. Beware fake dialling tones when you call them back. Vishing (voice-phishing over the phone) is a growing issue. Callers can pretend to be from banks, insurers, police, HMRC, utility providers and more, all asking for passwords or personal details. Don’t give them. Legit companies won’t ever ask.

Ironically they could even purport to be scam protection calls with patter such as “there are lots of untrustworthy people out there, we need to call to protect you, it’s a horrid world”.

So if it’s an unexpected call ALWAYS say you’ll call them back. If it is legit, they won’t mind. And don’t call the number they give you – go and find that institution’s official number.

Even that may not be enough protection though. An increasingly common trick is where they call, and tell you to call back. However, when you hang up they don’t, and instead just play a dial tone, tricking you into thinking it’s a new call, but they answer.

If you’ve any suspicions, as well as finding the right number to call back, take one of three precautions…

- Call from another phone.
- If using the same phone, call a friend first – if ‘the bank’ answers, you know they’ve spoofed a dial tone.
- Wait a decent time before calling.

3. Know the scammers’ tells. In poker a ‘tell’ is how you judge when someone is bluffing. Similar tells apply to cold calls from scammers, including…

- Anyone rushing you. You never need to make a decision straightaway (even if it’s not a scam, at best it’s usually dodgy sales patter).
- Anyone asking you to pay in an unusual way (such as vouchers).
- Poor grammar or dodgy spelling in emails, or emails opening with “Dear sir or madam”.
- If someone you’ve never met asks you to send money.
- Job adverts that ask for money in advance.
- Unsolicited calls to help you fix your computer (genuine computer firms don’t do that) and generally I’m not in favour of any cold calling anyway, even if legit.
- Facebook ads for cryptocurrencies. It’s banned those ads, so if they get through they’re not legit.

4. Don't fall for fake deals on WhatsApp, Facebook & other social media. Many bogus offers pop up in people’s feeds and messages, eg, Alton Towers and Ryanair giving away free tickets on WhatsApp.

The key here is to know the source. Is the person giving you the information trustworthy, and are you certain it really is that person? Go to where you know it’s legit and look for the same offer.  

Yet even if you think you’re reading an article from The Times, the Mirror or even – think about whether you went direct or clicked a link. If the latter, it may be a spoof.

Remember on a website a link to doesn’t always take you where you think it may – click this one and you’ll see what I mean (see our full Stop Scams guide for more help on spotting dodgy web links). In other words, even if it looks legit, never just click without separately checking. 

And as I’ve said, I’m in the midst of a campaigning lawsuit against Facebook, which has published over 1,000 scam ads with my pic in. None of these is genuine. I’ve said it before and I’ll say it again: I DON’T DO ADS, so any with me in is a lie.

5. Ensure you've antivirus software installed on your computer. You can get free software which, while not as fully featured as paid-for programs, still keeps on top of threats.

There’s a full rundown on all of these in our Free Antivirus Software guide. Do remember to update your software regularly. And ensure your computer firewall settings are on and set to a high-enough security level.

6. The safest way to pay for anything is via credit or debit card. Credit cards are covered by Section 75 protection which means if goods cost £100 to £30,000 then by law the credit card firm is jointly responsible. All other plastic transactions are covered by Visa, Mastercard and Amex’s chargeback protection rules. This way if you pay and it’s a scam you have a route to try to get your money back through the card firm. 

Pay by bank transfer, cash, cheque or vouchers and there’s little protection.

How do I know if I’ve been scammed?

There are a number of checks you can make that will give you a good indication if you’re not sure.

  • Regularly check your bank account and credit card statements. Are there any transactions on there that look suspicious or that went to someone you don’t know? And monitor how often you’re getting your statements. If they aren’t being delivered when they should, this could be a sign of ID fraud.

  • Check your (free) credit file regularly. Even just as normal financial housekeeping you should do this at least once a year, but if you think you’ve been scammed, do so once a month, to see if someone else is making false applications.

    Do it with all three of the UK’s credit reference agencies if possible, which you can do for free. The biggest agency is Experian and you can check its credit report via the free MSE Credit Club. There’s also Equifax with Clearscore, and Callcredit with Noddle.

    Look for any financial products you don’t recognise applying for, and take note if you’ve been rejected for credit when you’ve got a good credit history.

  • A quick check to see if you’ve been a victim of a group hack: if a company has been hacked and your data’s been stolen – as in recent years with LinkedIn, Equifax and Uber – the website HaveIBeenPwned? allows you to check if your accounts have been compromised. (‘Pwned’ is geek-speak for being made a fool of – it’s pronounced ‘poned’.)

    Enter your email address and if there’s been a breach, it’ll tell you what data was compromised – eg, email address, password, date of birth etc. If this happens, change your passwords immediately.

What to do if you’ve been scammed

Here’s a checklist of things to do…

  1. If you’ve already responded to a scam, end all further communication immediately.

  2. Call your bank and cancel any recurring payments.

  3. Report the scam to the police through Action Fraud on 0300 123 2040, or report a scam anonymously on its website.

  4. Speak to the Citizens Advice consumer helpline on 03454 040506 or the Financial Conduct Authority’s helpline on 0800 111 6768.

  5. If you’ve been a victim of ID fraud then contact the fraud prevention service CIFAS, and ask it to put a ‘protective registration’ flag on its national fraud database. It costs £20 and for two years it alerts all lenders which are members of the database (which is most) to carry out further checks before approving credit applications.

    However, don't use this lightly. Getting ‘protective registration’ will slow up any credit searches, including the ones you do. More help in my How to boost your credit score guide.