Author Archives: Steven Wilson

The Evolving Face of Spam: Analyzing New Techniques and Trends

In the ever-expanding digital landscape, the battle against spam continues to intensify. While advancements in internet security have made significant strides in mitigating this menace, spammers are adapting their techniques and exploiting emerging trends to stay one step ahead. This article delves into the evolving face of spam, highlighting the new techniques and trends being employed by cybercriminals to infiltrate our inboxes and compromise online security.

Artificial Intelligence and Machine Learning-Powered Spam:

One of the most significant developments in spam techniques involves the use of artificial intelligence (AI) and machine learning (ML). Spammers have harnessed these technologies to create more sophisticated and convincing messages. By leveraging AI and ML algorithms, they can generate spam emails that mimic the writing style and language of legitimate senders. This makes it increasingly challenging for users and even spam filters to differentiate between genuine emails and malicious spam.

Social Engineering and Phishing Attacks:

Social engineering has long been a favored technique for cybercriminals, and it continues to evolve as they exploit human vulnerabilities. Phishing attacks, a subset of social engineering, have become alarmingly sophisticated. Attackers now employ carefully crafted emails and messages that appear to be from reputable sources, tricking unsuspecting users into revealing sensitive information or clicking on malicious links. These attacks often employ psychological tactics to invoke a sense of urgency or fear, compelling users to act without considering the consequences.

Mobile and Text Message Spam:

As mobile devices become ubiquitous, spammers are capitalizing on this trend by targeting users through text messages. Mobile spam has witnessed a surge in recent years, with SMS-based scams and unsolicited messages becoming prevalent. From fake prize notifications to fraudulent banking alerts, spammers are exploiting the immediacy and personal nature of text messaging to deceive users. Moreover, the rise of mobile applications has opened new avenues for spam, with malicious apps disguising themselves as legitimate services, leading to unwanted advertisements or compromising personal data.

Image-Based Spam:

Traditionally, spam relied on text to make its pitch, and that text is exactly what keyword and Bayesian filters score. Image-based spam is a long-running counter to those filters rather than a new trend: the pitch is rendered into an embedded or attached image, so the text-based stages of a filter see little or nothing to classify, while the image itself is wrapped in a link, or carries a URL in its pixels, that sends the user to a malicious website or starts a download. It remains a problem for email security solutions that do not apply OCR, perceptual image hashing or structural checks such as a very low ratio of readable text to image content.
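The structural signals a filter can still use once the pitch has moved into an image, as an added example that is not part of the original article: it parses a raw message with the Python standard library and scores three cues (an image payload with almost no readable text, an img tag wrapped in a hyperlink, and an HTML body that is nothing but images). The two sample messages, the MIN_TEXT_CHARS threshold and the verdict cut-off are constructed for the example; a production filter would pair this with OCR or image hashing.

```python
"""Structural cues for image-based spam (added example, not the article's code).

Parses an RFC 5322 message with the standard library and scores signals that a
text-only filter cannot see. Sample messages and thresholds are constructed.
"""
import base64
from email import message_from_bytes
from email.message import EmailMessage
from html.parser import HTMLParser

MIN_TEXT_CHARS = 40   # assumption: less readable text than this counts as "no text"
SPAM_SCORE = 3        # assumption: verdict cut-off


class HtmlStats(HTMLParser):
    """Counts visible text, <img> tags, and <img> tags nested inside <a href>."""

    def __init__(self):
        super().__init__()
        self.text_chars, self.images, self.linked_images, self._href = 0, 0, 0, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
        elif tag == "img":
            self.images += 1
            if self._href:
                self.linked_images += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def analyse(raw: bytes) -> dict:
    """Return the structural features of one message plus a score and verdict."""
    msg = message_from_bytes(raw)
    stats, plain_chars, image_parts = HtmlStats(), 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        if ctype == "text/plain":
            plain_chars += len(body.strip())
        elif ctype == "text/html":
            stats.feed(body.decode("utf-8", "replace"))
        elif ctype.startswith("image/"):
            image_parts += 1
    text_chars = max(plain_chars, stats.text_chars)
    score, reasons = 0, []
    if image_parts and text_chars < MIN_TEXT_CHARS:
        score += 2
        reasons.append("image payload but almost no readable text")
    if stats.linked_images:
        score += 1
        reasons.append("image wrapped in a hyperlink")
    if stats.images and stats.text_chars == 0:
        score += 1
        reasons.append("HTML body consists only of images")
    return {"text_chars": text_chars, "image_parts": image_parts,
            "linked_images": stats.linked_images, "score": score, "reasons": reasons,
            "verdict": "image-spam" if score >= SPAM_SCORE else "clean"}


# Constructed samples: a 1x1 GIF stands in for the picture that carries the pitch.
GIF_1X1 = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def build_sample(plain: str, html: str, cid: str) -> bytes:
    """multipart/alternative message whose HTML part embeds one inline image by Content-ID."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.invalid", "user@example.invalid", "Sample"
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    msg.get_payload()[1].add_related(GIF_1X1, maintype="image", subtype="gif", cid=f"<{cid}>")
    return msg.as_bytes()


SAMPLE_IMAGE_SPAM = build_sample(
    "See image.",
    '<html><body><a href="http://example.invalid/claim"><img src="cid:offer"></a></body></html>',
    "offer")

NEWSLETTER_TEXT = ("Monthly update from the example cycling club: the spring ride starts at "
                   "9am on Saturday, membership renewals open next week, and the repair "
                   "workshop has moved to the community hall.")
SAMPLE_NEWSLETTER = build_sample(
    NEWSLETTER_TEXT, f'<html><body><img src="cid:logo"><p>{NEWSLETTER_TEXT}</p></body></html>', "logo")

if __name__ == "__main__":
    for label, raw in (("image spam", SAMPLE_IMAGE_SPAM), ("newsletter", SAMPLE_NEWSLETTER)):
        print(label, analyse(raw))
```

Running the block scores the constructed image-only message as image-spam and the newsletter, which also carries an inline logo but has plenty of readable text and no linked image, as clean. The point of the three cues is that none of them needs the filter to read the picture: they come from the MIME structure and the HTML around it, which the spammer cannot hide without losing the click.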

Conclusion:

Spam remains an ongoing threat in the digital realm, and cybercriminals continuously adapt their techniques to exploit emerging trends and technologies. The evolving face of spam encompasses AI-powered messages that mimic genuine communication, sophisticated social engineering and phishing attacks, mobile and text message spam, and image-based spam that circumvents traditional filters. As individuals, it is crucial to stay vigilant and exercise caution while interacting with online content. Additionally, organizations must invest in robust security measures and regularly update their defenses to combat the ever-changing landscape of spam. By staying informed and adopting proactive security practices, we can collectively work towards a safer and more secure digital ecosystem.

Avoid sending spam

If you send or have someone else send your marketing emails or messages, you need to know about spam laws.

How to comply

If you plan to send marketing messages or emails, you must first have consent from the person who will receive them. Even if someone else is sending out your marketing messages for you, you must still have consent from each person who will receive your messages.

After you get consent, you must ensure your message:

  • Identifies you as the sender
  • Contains your contact details
  • Makes it easy to unsubscribe

Get consent

There are two types of consent:

  1. Express
  2. Inferred

Express consent

A person who gives express consent knows and accepts that they will receive marketing emails or messages from you. This is best practice when it comes to consent.

People can give express consent by one of the following:

  • Filling in a form
  • Ticking a box on a website
  • Over the phone
  • Face to face

You cannot send an electronic message to ask for consent, because this is a marketing message. Keep a record when a person gives express consent, including who gave the consent, when and how.

It’s up to you to prove that you have a person’s consent.

Inferred consent

In some circumstances, you may infer that you have consent to send marketing messages if the recipient has knowingly and directly given their address and it is reasonable to believe they would expect to receive marketing from your business.

This is usually when a person has a provable, ongoing relationship with your business, and the marketing is directly related to that relationship.

For example, if someone has subscribed to a service, has an account or is a member, and the marketing is directly relevant to that relationship, consent may be inferred: a person's savings bank telling them about another savings account with higher interest would be covered. It would not cover the bank trying to sell them insurance products.

It does not cover sending messages after someone has just bought something from your business.

Inferred consent is not as reliable as getting someone’s express consent.

Know your responsibilities for email lists

Take care when you buy or use a marketing list. You are still responsible for making sure you have consent for any addresses you use.

Identify yourself as the sender

In your message, you must:

  • Accurately identify your name or business name
  • Include correct contact details for you or your business

If someone else sends messages on your behalf, the message must still identify you as the business that authorised the message. Use the correct legal name of your business, or your name.

This information must remain correct for at least 30 days after you send the message.

Make it easy to unsubscribe

You need to make it easy for people to unsubscribe from your electronic mailing lists. Every commercial message must contain an ‘unsubscribe’ option that:

  • Presents unsubscribe instructions clearly
  • Honours a request to unsubscribe within 5 working days
  • Does not require the payment of a fee
  • Does not cost more than the usual amount for using the address (such as a standard text charge)
  • Is functional for at least 30 days after you sent the message
  • Does not require the person to give extra personal information or log in to, or create, an account to unsubscribe from marketing messages.

Tip: if you send SMS from an alphanumeric sender ID, remember that these are generally not capable of receiving replies, so a 'Reply STOP' instruction will not work and you must offer another way to unsubscribe.

Unsubscribe examples that are clearly worded

Email:

To stop receiving messages from us, simply reply to this email with ‘unsubscribe’ in the subject line.
If you no longer wish to receive these messages, please click the ‘unsubscribe’ button below.

SMS:

Reply STOP
Unsub: (1800-number)

Other actions that may break the spam rules

You cannot:

  • Use or supply a list that has been created with address-harvesting software
  • Use or supply address-harvesting software

It is also against the spam rules to:

  • Help, guide or work with another person to break the spam rules
  • Encourage another person to break the spam rules
  • Be directly or indirectly, knowingly concerned with breaking the spam rules

If a business breaks the rules, the regulator can take enforcement action.

Ask for or provide information

If you or someone else breaks the spam rules, you can tell us. If you do break the spam rules, telling us may help to fix the issue quickly. We review all cases individually, and a case may be resolved without further action.

We value all information because it helps identify trends and spot serious or ongoing issues.

Tips and Tricks to Help You Avoid Travel and Booking Scams in 2023

A new year brings more opportunities to make vacation plans and travel.

Jan. 10 is National Shop for Travel Day, an event founded by the Travel Technology Association to celebrate technological innovations that have reshaped the way we plan, book and pay for our vacations.

The internet offers plenty of ways to help you plan the perfect trip, as well as book accommodation and flights while the post-holiday blues settle in, whether you’re considering a short citybreak, a tropical cruise or a trip to Disneyland.

However, the technological advancements that can create an effortless booking and travel experience also enable scammers to defraud travelers of tens of millions of dollars each year.

Here’s what you can do to avoid scams while planning your 2023 vacation itinerary:

  • Be wary of ‘free vacation’ giveaways – A freebie vacation? I don’t think so. If you haven’t entered a contest or official giveaway to win a vacation somewhere, any email, text or phone call telling you that you’re going on an all-expense paid trip for which you only need to pay processing fees or a small tax, is a SCAM.
  • Use caution when booking vacation homes and other accommodations–make sure that the deal or rental dwelling exists before committing any payments. Only use trustworthy platforms to search for accommodation, flights and tours.
  • Steer clear of offers that sound too good to be true – Check for inconsistencies and grammar mistakes, and read the fine print before making any payments.
  • Never pay in cryptocurrency, wire transfer or gift cards for your vacation packages, resorts or cruises – this is the first sign of a scam. Use a credit card or PayPal so you can dispute any fraudulent charges.
  • Carefully read the cancellation and refund policies for your bookings. If the travel company or individual refuses to give you this information, walk away from the deal.
  • Research any new travel companies, platforms or offers online. Look up any phone numbers or contact information and make sure that the property exists before booking.
  • Ensure that your loyalty member accounts for flights and other travel platforms are secure with unique passwords and 2FA where possible.
  • Use a security solution that blocks phishing and other malicious attempts while you search for the best travel deals. This will ensure that you don’t land on a phony website that will try to steal your information and money. A security solution will also block malicious links or attachments from compromising your device and data.

Source: https://www.bitdefender.com/blog/hotforsecurity/shop-for-travel-day-tips-and-tricks-to-help-you-avoid-travel-and-booking-scams-in-2023/

Elon Musk

Crypto spam bots go quiet as Musk vows to prosecute scammers

Some users in the crypto Twitter community are now reporting a decline in the number of scam bots after Elon Musk's latest changes to the social media platform.

Elon Musk's latest salvo in his war against crypto spam bots on Twitter appears to have had a real impact, with the crypto community reporting a large decline in the number of bots replying to their tweets.

In a Dec. 11 tweet, the Twitter CEO hinted that "bots are in for a surprise tomorrow" and later explained that they had found a handful of people responsible for a large number of bot/troll accounts and that the platform would be shutting down IP addresses of "known bad actors."

He then followed up by explaining that while scammers may try other methods to evade the IP address block, Twitter would be "shutting them down as fast as they pop up."

Shibetoshi Nakamoto, the pseudonym of Billy Markus, co-creator of the meme coin Dogecoin, told Musk in a Dec. 11 tweet, "I made a test tweet and instead of seeing 50 bot replies I only saw one lol progress, very hype."

Other users also went to test Musk's latest changes. PlanB, a Bitcoin analyst and investor, posted a chart to see how many bots would reply. At the time of writing, no replies from bots had appeared in the comments.

Ethereum co-founder Vitalik Buterin also noted that while "Twitter *seems* to be somewhat better to use lately," he could not tell if there had been a decrease in bots because of Musk.

"No idea how to separate out things Elon did vs crypto-winter vs my mind imagining changes that aren't really there," he said.

Some have reported that the bot replies still appear on tweets but are very quickly removed by the platform.

Related: 'Twitter will do lots of dumb things' in the coming months: Elon Musk

Twitter spam and scam bots have been a plague on the platform and were seen by Musk as one of his top priorities for Twitter after taking the reins in October.

In his latest tweet, Musk also hinted that the platform would be looking to take legal action against scammers on Twitter in the future, but did not offer any additional details.

"Twitter will also be moving to prosecute scammers anywhere on Earth," he said.

Ransomware

Critical Infrastructure Organizations Targeted by Ransomware Gangs

2019 was a particularly bad year for ransomware attacks, and while there was a decline in the use of ransomware in 2020, attacks increased significantly in 2021, with the education sector and government organizations among the most attacked sectors, although no industry sector is immune.

There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also reported that critical infrastructure has been targeted.

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

A warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.

AvosLocker was first identified as a threat in late June 2021 and, despite being a relatively new threat, poses a significant risk. Attacks using the ransomware increased in the second half of 2021, with spikes in November and December. Variants of AvosLocker ransomware have now been developed to attack Linux as well as Windows systems.

As is now common, the attackers engage in double extortion and demand payment both for the keys to decrypt files and to prevent the release of stolen data. The gang runs a data leak site where a sample of stolen data is uploaded and made available to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also contacts victims by telephone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) attacks to further pressure victims into paying.

AvosLocker is a ransomware-as-a-service operation in which affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. As a result, the attack vectors used depend on the skill sets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including the ProxyShell vulnerabilities and other unpatched vulnerabilities in on-premises Microsoft Exchange servers. However, over the past year, spam email campaigns have been a primary attack vector.

Email Filtering Essential for Protecting Against Ransomware Attacks

Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide cheap access to victim networks. Phishing and spam campaigns use either malicious attachments or embedded hyperlinks in emails, together with social engineering techniques to persuade end users to open the attachments or click the links.

The primary defense against these attacks is email filtering. Email filters scan all incoming emails and attachments and prevent malicious messages from being delivered to inboxes. Because threat actors are constantly changing their lures, social engineering techniques, and methods of bypassing email security solutions, it is important to have an email security solution in place that can respond to changing tactics.
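What an attachment-and-link policy in such a filter looks like for the two delivery paths described above, as an added example that is not code from the article or from any vendor: it parses a raw message with the Python standard library, rejects attachments whose real extension is executable, script-like or macro-enabled, opens ZIP attachments in memory and applies the same rule to every member, and flags HTML links whose visible text names a different host than the href actually points to. The extension list, the sample lure (an "invoice" ZIP wrapping a .pdf.exe plus a bank lookalike link) and the clean message are constructed assumptions.

```python
"""Attachment and link policy for ransomware lures (added example, not the
article's or any vendor's code). Extension list and samples are constructed.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: types that are executed rather than opened, plus macro-enabled Office.
DANGEROUS_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".cmd",
                 ".bat", ".ps1", ".lnk", ".iso", ".img", ".docm", ".xlsm", ".pptm"}
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def file_ext(name: str) -> str:
    """Final extension, after stripping trailing spaces and dots used to hide it."""
    base = name.lower().rstrip(" .")
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def attachment_findings(name: str, payload: bytes) -> list:
    findings = []
    ext = file_ext(name)
    if ext in DANGEROUS_EXT:
        findings.append(f"attachment {name!r}: blocked extension {ext}")
    if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(payload)):
        # Member names live in the central directory, which ZIP encryption does not
        # protect, so even a password-protected lure can be screened by name here.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                if file_ext(member) in DANGEROUS_EXT:
                    findings.append(f"archive {name!r} contains {member!r}: "
                                    f"blocked extension {file_ext(member)}")
    return findings


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html: str) -> list:
    """Flag links whose anchor text shows one host while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.match(text)      # anchor text that is a phrase, not a URL, is skipped
        if not shown:
            continue
        shown_host = shown.group(1).lower()
        if not (real == shown_host or real.endswith("." + shown_host)
                or shown_host.endswith("." + real)):
            findings.append(f"link text shows {shown_host!r} but goes to {real!r}")
    return findings


def scan(raw: bytes) -> dict:
    """Apply both policies to one raw message and decide deliver/quarantine."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name:
            findings += attachment_findings(name, payload)
        elif part.get_content_type() == "text/html":
            findings += link_findings(payload.decode("utf-8", "replace"))
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


# Constructed samples.
def zip_with(member: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder bytes, not a real executable")
    return buf.getvalue()


def build(subject: str, text: str, html: str, attachments: list) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", subject
    msg.set_content(text)
    msg.add_alternative(html, subtype="html")
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


SAMPLE_LURE = build(
    "Overdue invoice", "Please open the attached invoice.",
    '<p>Pay at <a href="http://pay.example-bank.co/x">https://www.example-bank.com/secure</a></p>',
    [("Invoice_2021.zip", zip_with("Invoice_2021.pdf.exe"), "application", "zip")])

SAMPLE_CLEAN = build(
    "Minutes", "Minutes attached.",
    '<p>Agenda: <a href="https://intranet.example.invalid/agenda">intranet.example.invalid/agenda</a></p>',
    [("minutes.pdf", b"%PDF-1.4 placeholder", "application", "pdf")])
```

Calling scan(SAMPLE_LURE) quarantines the message with two findings (the .exe inside the archive and the lookalike link), while scan(SAMPLE_CLEAN) delivers it with none. Two design points are worth keeping when adapting this: judge attachments by the name the mail client will actually act on (the last extension, after hidden trailing spaces), and inspect archive member names even when the archive is password-protected, because that is the one piece of a lure that encryption does not conceal.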

Email security solutions that use artificial intelligence and machine learning to identify and block threats generally outperform solutions that rely only on antivirus engines and blacklists of known malicious IP addresses, because the latter cannot catch a lure or a sender that has never been seen before.

Do Not Overlook Security Awareness Training for the Workforce

It is also important to provide security awareness training to all members of the workforce, from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to "Focus on cyber security awareness and training," and "Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)."

Phone Scams

Nearly 45 million received scam calls in three months

Almost 45 million people in the UK were targeted by scam text messages or phone calls over the summer, according to telecoms regulator Ofcom.

About half reported getting a scam call or text at least once a week.

A survey of 2,000 adults in September found that almost a million people had been misled by a message or a call which they received.

Text scams are most common among 16 to 34-year-olds, with two-thirds receiving one between June and August.

The elderly are more often targeted using their landlines, with 61% of those over 75 receiving a scam phone call, but all ages are at risk.

UK residents who believe they have been targeted, or are the victim of a scam, can report a text message by forwarding it to 7726, the number that spells SPAM on a phone keypad.

However, Ofcom found that 79% of mobile phone users were unaware of that service.

Scam calls should be reported to Action Fraud.

Lindsey Fussell, Ofcom’s networks and communications group director, urged the public not to reply to messages which do not seem quite right.

“Criminals who defraud people using phone and text scams can cause huge distress and financial harm to their victims, and their tactics are becoming increasingly sophisticated,” she said.

“Stay alert to any unsolicited contact. Put the phone down if you have any suspicion that it is a scam call, and don’t click on any links in text messages you’re unsure about.”

Why phone scams are so difficult to tackle

Many of us now refuse to answer telephone calls from an unknown number, for fear that it could be a scam.

And we dread receiving a text message, purportedly from our bank or a delivery firm, again due to concerns that it might be from fraudsters.

A recent report suggests that we are right to be cautious. In the 12 months to March 2021, phone call and text message fraud across England, Wales and Northern Ireland was up 83% from the previous year, according to consumer group Which?.

Which? analysed data from Action Fraud, the UK’s national reporting centre for fraud and cyber crime, and says this was the biggest rise across all types of fraudulent attacks.

It adds that the jump was fuelled by more people getting things delivered during the pandemic, which led to a corresponding huge rise in fake parcel delivery text notifications.

In these “smishing” attacks, fraudsters send a person a message, seemingly from a legitimate number, to claim that a small payment is needed before a package can be delivered. Then when you click on the link they try to steal your banking details.

Telecom firms and authorities face difficulties

But how exactly are the fraudsters able to do this, and why is it so difficult for telecoms firms and authorities to tackle the problem?

Matthew Gribben, a cyber security expert, says that criminals are able to make it look like their phone call or text is coming from the real telephone number of a bank or delivery firm, due to continuing vulnerabilities in the UK (and other countries’) telephone network systems.

“There’s no way for the current UK phone network to guarantee 100% that the presentation number it is being told is the actual originating number – it has to take your word for it,” says Mr Gribben, who is a former consultant to GCHQ, the UK government intelligence agency.

Protocol’s problem

The core of the problem is a telephone signalling protocol called SS7 (Signalling System No. 7), which dates back to 1975. It is a little complicated, but bear with us.

SS7 carries, alongside the routing information needed to connect a call, the number a call or text claims to come from, known as the "presentation number" and shown to the recipient as caller ID. That field is not authenticated: it is set by the originating network, or by any customer or reseller with access to one, and every network along the route passes it on as given. The problem is that fraudsters can therefore present a bank's or a delivery firm's real number as their own.

The issue affects both landlines and mobile phones, with SS7 still central to the 2G and 3G parts of mobile networks that continue to carry voice calls and text messages, even for users with a 5G-enabled handset.

One theory is that the vulnerabilities of SS7 cannot be fixed because the telecoms firms need to give national security agencies access to their networks, but Mr Gribben says GCHQ (Britain’s intelligence agency) can monitor communications without using SS7 loopholes.

The problem, he says, is that SS7 is still used in telecoms networks globally. And it needs to be replaced rather than patched up.

“SS7 was developed assuming there would always be legitimate activity [and] goodwill around the use of it,” explains Katia Gonzalez, head of fraud prevention and security at BICS, a Brussels-based telecoms firm that connects and protects mobile phone networks.

“There’s too much legacy technology [reliant upon it] that we can’t move away from – we’re going to have these SS7 2G/3G networks for at least another 10 years.”

Jon France, head of industry security at the GSMA, the trade organisation that represents mobile network providers around the world, says that “a lot of these problems will disappear” after 5G networks have been fully rolled out. This will mean that SS7 – and 2G and 3G – can be totally replaced.

Ms Gonzalez agrees: “It took some time to understand these flaws, and how they were exploited. Now with 5G there will be security from [the centre] of it.”

However, Mr Gribben cautions that even when SS7 is replaced by something “entirely brand new and sparkling, there will still be other vulnerabilities [that fraudsters can exploit]”.

The GSMA says that telecoms firms are putting “a large amount of effort and investment” into tackling scams.

For its part, BICS is using artificial intelligence systems to try to detect and block incoming fraudulent calls and texts.

Ms Gonzalez adds the only way to prevent text message scams is to enable telecoms firms to use AI to scan texts for links to fake websites before they are sent. Yet privacy regulators are unlikely to ever agree to that.

So instead BICS is calling for “greater collaboration between telecoms firms and governments, better relations between countries, and more effort from the companies on sharing information on the latest vulnerabilities”.

When it comes to fraudulent telephone calls, there has been a big increase in so-called “robo-calling” – automated voice calls in recent years.

Call authentication systems do exist that can help stop them, and the UK’s telecommunications regulator Ofcom says it is consulting with the telecoms industry to see what can be implemented, and how soon.

“These criminal scams are becoming more sophisticated and tackling them requires efforts from a range of bodies,” says an Ofcom spokesman.

“We’re working closely with the police, industry and organisations such as NCSC [the National Cyber Security Centre] – which is responsible for cyber-security standards in the UK – to help tackle the problem.”

New protocols developed

The Internet Engineering Task Force (IETF), an international standards body, has also developed protocols to authenticate caller ID and so choke off robo-calling.

In a nod to James Bond, the combined system is called STIR/SHAKEN. STIR (Secure Telephone Identity Revisited) is the IETF's protocol suite, under which the carrier that originates a call digitally signs the calling number, the called number and a timestamp; SHAKEN is the deployment framework from ATIS and the SIP Forum that sets out how carriers obtain certificates and how much they attest to ("A" when the carrier knows both the customer and the number, down to "C" for calls arriving from an unknown gateway). The carrier that terminates the call checks the signature and can label or block a call whose caller ID was never vouched for. US authorities have ordered operators to implement the protocols in 2021, but Ofcom says UK providers can't do so until networks are sufficiently upgraded, by 2025.
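What STIR/SHAKEN adds to a call, as an added example that is not code from the article, the IETF, ATIS or any carrier: the originating carrier signs a PASSporT token (RFC 8225) over the calling number, the called number and a timestamp and ships it in the SIP Identity header; the terminating carrier verifies the signature and refuses to trust a presented caller ID that the token does not vouch for. The key pair, telephone numbers, certificate URL and origid are constructed, the verifier is handed the carrier's public key directly instead of fetching its certificate from the x5u URL, and the `cryptography` package is assumed to be installed.

```python
"""STIR/SHAKEN in miniature (added example; not code from the article, the IETF,
ATIS or any carrier). Signing uses ES256 from the `cryptography` package, which is
assumed installed. Numbers, key, x5u URL and origid are constructed.
"""
import base64
import json
import time
import uuid
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

FRESHNESS_SECONDS = 60   # RFC 8224 recommends rejecting tokens older than about a minute
X5U = "https://cert.example-carrier.invalid/shaken.pem"   # assumed certificate URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canon(obj) -> bytes:
    """RFC 8225 form: compact JSON, members in lexicographic order, no whitespace."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def new_carrier_key():
    return ec.generate_private_key(ec.SECP256R1())


def sign_passport(key, orig_tn, dest_tns, attest, iat=None, origid=None) -> str:
    """Originating carrier: produce the compact PASSporT for one call.

    attest is A (carrier knows the customer and the number), B (knows the customer,
    not the number) or C (gateway: knows neither). Numbers are E.164 digits
    without '+', as SHAKEN canonicalises them.
    """
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U}
    payload = {"attest": attest, "dest": {"tn": list(dest_tns)},
               "iat": int(time.time() if iat is None else iat),
               "orig": {"tn": orig_tn}, "origid": origid or str(uuid.uuid4())}
    signing_input = b64url(canon(header)) + "." + b64url(canon(payload))
    der = key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)   # JWS carries raw r||s (64 bytes), not DER
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def identity_header(token: str) -> str:
    """The SIP Identity header field (RFC 8224) that carries the token in the INVITE."""
    return f"Identity: {token};info=<{X5U}>;alg=ES256;ppt=shaken"


def verify_passport(token, pubkey, presented_caller_id, called_tn, now=None):
    """Terminating carrier: return (ok, reason); ok means the caller ID may be trusted."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:          # bad split, bad base64 and bad JSON are all ValueError
        return False, "malformed token"
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken" or len(sig) != 64:
        return False, "unsupported alg/ppt or bad signature length"
    der = encode_dss_signature(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big"))
    try:
        pubkey.verify(der, f"{h64}.{p64}".encode(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False, "signature invalid"
    if abs((time.time() if now is None else now) - payload.get("iat", 0)) > FRESHNESS_SECONDS:
        return False, "stale or future iat"
    if payload.get("orig", {}).get("tn") != presented_caller_id:
        return False, "caller ID does not match signed orig"   # the spoofing case
    if called_tn not in payload.get("dest", {}).get("tn", []):
        return False, "called number not in signed dest"
    if payload.get("attest") not in ("A", "B", "C"):
        return False, "unknown attestation"
    return True, f"attestation {payload['attest']}"


def demo(now=1_700_000_000) -> dict:
    """One genuine call, the same token with a bank's number as caller ID, and a replay."""
    key = new_carrier_key()
    pub = key.public_key()
    token = sign_passport(key, "12025550123", ["14155550199"], "A", iat=now, origid="demo")
    return {
        "header": identity_header(token),
        "genuine": verify_passport(token, pub, "12025550123", "14155550199", now=now + 5),
        "spoofed_caller_id": verify_passport(token, pub, "18005550100", "14155550199", now=now + 5),
        "replayed": verify_passport(token, pub, "12025550123", "14155550199", now=now + 3600),
    }
```

demo() shows the three outcomes: the genuine call verifies with attestation A, the same token presented alongside a bank's number fails on the orig check, and the token replayed an hour later fails the freshness check. This is the binding between "who the network says is calling" and a carrier's signature that SS7 never had; it only helps once both ends of the call are on SIP networks that carry the Identity header, which is why the rollout is tied to network upgrades.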

As phone and text scams are not going away anytime soon, Amanda Finch, chief executive of professional body, Chartered Institute of Information Security, says: “There’s always more that telecoms firms could do”.

“But, security is a continually moving target… basically everyone has to be vigilant,” she adds.

Meanwhile, Robert Blumofe, chief technology officer of cloud security firm Akamai, says: “I don’t think there’s a world anytime soon where we can train people not to be fooled, so the solution has to include a way to block the response the text messages are trying to elicit.”

Online casino scam

These online casino emails never pay what they promise

Spammers are abusing affiliate programs to promote online casinos, such as Raging Bull Casino, Sports and Casino, Ducky Luck, and Royal Ace Casino, with misleading emails.

Many of the larger online casinos utilize an affiliate program that allows other websites or influencers to promote their products and earn a commission for anyone who signs up for an account.

To refer users, affiliates create specially crafted URLs that contain an affiliate ID or drop a cookie, which lets the casino credit them when a referral registers a new account.

This week, BleepingComputer was told about an online spam campaign conducted by affiliates of online casinos that are bombarding users with misleading emails stating they won the ‘Grand Prize,’ that a large cash payout is ready, or that the recipient needs to confirm their account.

After being told about the campaign, we took a look at the spam folder for one of our email accounts and saw that we too are heavily targeted with this spam campaign, as shown below.

[Screenshot: list of casino spam emails in the spam folder]

While Gmail has done an excellent job marking these types of emails as spam, other free email services may not do as good of a job, and the spam could make it into the general mailbox.

For example, below are two affiliate spam emails for Raging Bull Casino and Royal Ace Casino. You can see that they promise a $3,500 payout, or that a betting strategy will be shared, once the recipient confirms their online account.

[Screenshot: Royal Ace Casino affiliate spam email]

When clicking on the links, the user is redirected through another site that drops an affiliate cookie and then redirects them to the casino.

As you can see below, the redirection to Raging Bull Casino includes the affiliate ID (affid) in the URL so that the affiliate can get credit for the signup.

[Screenshot: redirect to Raging Bull Casino with the affid parameter in the URL]

As you can imagine, when you sign up for the account expecting a payout, there is none. Instead, the only one making money is the affiliate who sent you the email.

BleepingComputer has reached out to the online casinos listed in the article and their affiliate managers, if available, but did not receive a response.

If you receive these types of emails, simply mark them as spam so that your email provider’s spam filters will be trained to recognize them in the future.

How to report online scams

How to report online attempts to steal your money

With scams spiking during lockdown, here are some of the ones to know about – and how to get support

Fresh warnings have been issued over a new scam that claims payment is required for a package to be delivered.

The latest con involves the victim receiving a text message from “Royal Mail”, claiming that a parcel is ready for delivery, but that an additional fee of £1.99 or £2.99 is required.

A link is shared for the recipient to click through and pay the alleged fee, only to be directed to a copycat website operated by fraudsters.

One victim revealed in a tweet that went viral that such a con had left her "scammed out of every penny I had" after fraudsters telephoned her pretending to be her bank and asked her to move money around.

The Chartered Trading Standards Institute (CTSI) and Royal Mail have both warned that such messages are fraudulent, with the CTSI adding that such scams have surged over the past year.

“This delivery scam is yet another example of fraudsters attempting to make money out of the unsuspecting public,” said Katherine Hart from the CTSI.

“Due to the lockdowns, many millions of people rely on product deliveries, so scammers have focused their efforts on this theme.

“If you have any suspicions, contact Royal Mail to verify before you click any links or share details,” she added.

A spokesperson for Royal Mail said the service would only ever ask for payment by email or text message if a parcel had been sent to them from overseas and a customs payment was due.

“In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.”

But what other scams exist and what should you look out for? Here’s everything you need to know.

National Insurance

Action Fraud, the UK’s national reporting centre for fraud and cybercrime, is warning the public about a National Insurance scam after it received over 34,000 more calls last month compared with February 2020.

Victims have reported receiving an automated telephone call telling them their “National Insurance number has been compromised” and that they must “press one on their handset to be connected to the caller” in order to resolve the issue.

Once connected to the “caller”, victims are pressured into handing over their personal details in order to receive a new National Insurance number. In reality, they’ve been connected to a criminal who can now use those details to commit fraud.

Pauline Smith, head of Action Fraud, said: “We are asking the public to remain vigilant and be cautious of any automated calls they receive mentioning their National Insurance number becoming compromised.

“It’s important to remember if you’re contacted out of the blue by someone asking for your personal or financial details, this could be a scam.

“Even confirming personal details, such as your email address, date of birth or mother’s maiden name, can be used by criminals to commit fraud. If you have any doubts about what is being asked of you, hang up the phone. No legitimate organisation will rush or pressure you.”

HMRC (tax scams)

With the end of the tax year approaching, scams relating to tax payments, bills and rebates are on the rise. Her Majesty’s Revenue & Customs (HMRC) received over 900,000 reports of HMRC scams in 2020, with more than half of these offering fake tax rebates.

Common scams include messages claiming you are owed a tax rebate, that you’ve missed an important deadline, or warning that you have an outstanding fee to pay. Scams exploiting the Covid-19 pandemic have also been reported, with people receiving texts stating that they are owed a “goodwill payment” due to the coronavirus. Others demand a £250 payment after individuals are accused of “breaching lockdown restrictions”.

HMRC has said that it will never send notifications of a tax rebate or refund by email, and advises recipients not to open any attachments, click any links or share any personal or payment information. If you are unsure about the legitimacy of a message you receive by email, text message, WhatsApp, social media or telephone, you can forward the details to HMRC’s phishing team at phishing@hmrc.gov.uk (suspicious texts can be forwarded to 60599).

The address of a genuine HMRC email ends in ‘gov.uk’ (for example @hmrc.gov.uk). Any additional words, letters or numbers after that, such as hmrc.gov.uk.something.com, indicate a look-alike domain. Check the actual sender address rather than the display name, and remember that the From header itself can be forged, so a plausible address is not proof on its own. Don’t click links contained in emails or messages claiming to be from HMRC; log in to your account directly, or email or telephone HMRC using contact details taken from gov.uk, to be certain it’s safe.

You can also see examples of HMRC scams on the government’s website.

Investment fraud

Investment fraud occurs when you receive a cold call from someone claiming to offer you an opportunity to invest in a scheme, service or product that is actually worthless or doesn’t even exist. It’s also known as share sale fraud, hedge fund fraud, land banking fraud or bond fraud. The majority of investment frauds are run out of offices known as boiler rooms. Victims may also be offered “special discounts”, “insider info” or “exclusive” stock tips.

Boiler room operations often contact victims out of the blue and pressure them into making rushed decisions with no time to consider the nature of the investment. Callers often sound extremely knowledgeable and professional, and may produce polished-looking websites, certificates or brochures to “prove” their authenticity.

As well as never providing bank account details or sensitive information, never accept investment offers on the spot from cold callers. Instead, check the firm against the Financial Conduct Authority’s ScamSmart Warning List of unauthorised firms and the FCA Register of authorised firms before committing any money.

Sadly, boiler room operations tend to target people aged 65 and older, so it’s important to talk to older family members and vulnerable people to help them spot bogus callers.

Netflix

Action Fraud received over 400 reports in just one week from people reporting fake emails purporting to be from Netflix. The emails state that the recipient needs to “finish signing up” by clicking the link provided before they can use the online streaming service. Doing so, however, takes victims to phishing websites that steal your Netflix login, personal and financial information.

Netflix says that it will never ask you to enter personal information in a text or email. This includes credit or debit card numbers, bank account details and Netflix passwords. If you think your account has been compromised, Netflix advises you to contact it directly using the contact details on its website.

Romance fraud

Romance fraud occurs when a person you’ve met through an online dating website or app uses a fake profile to build a relationship and gain your trust before asking you for money or information to steal your identity.

Tell-tale signs include asking you lots of personal questions but disclosing very little about themselves; and exploiting your trust by inventing a reason to ask for your financial assistance, such as money to pay for a flight to visit you, or money for medical treatment for them or a family member. “Perfect” profile pictures can also be a giveaway and may have been stolen from a model or actor. Using the reverse image search tool on Google can help you find the original source of photos.

To avoid getting caught out by romance fraud, avoid revealing too many personal details when dating online, such as your date of birth or home address, which may result in your identity being stolen. Never send or receive money, or share your bank details, with someone you’ve met online, no matter how convincing their story is. And, if you’re dating online, choose a reputable site or app and use its messaging service, rather than switching to social media or texting, where messages can be deleted more easily.

According to Action Fraud, women are twice as likely as men to fall victim to romance fraud, while men are twice as likely as women to fall victim to investment fraud.

Paul Davis, retail fraud prevention director at Lloyds Bank, said: “Scammers do this for a living – they’re in it for the long game and will often spend a lot of time building up a ‘relationship’ and trust – they can invent convincing stories, waiting for the right moment to start tricking people into sending them money.

“If you’ve struck up a conversation or begun a relationship solely online and the discussion moves on to sending money, that’s the time to stop.”

Fraud recovery

As if being scammed once isn’t bad enough, data from the National Fraud Intelligence Bureau (NFIB) found that over £373 million was lost by repeat victims of fraud in the 2019/20 financial year, with the average victim losing £21,121. However, when someone reported at least one investment fraud, this figure jumped a staggering 300 per cent to £84,604.

A fraud recovery scam is when criminals contact victims pretending to be from their bank, a law enforcement agency, solicitors or “specialist recovery firm” claiming to be able to help them get their money back or compensation. Incredibly, this is often the same criminal targeting the victim again, or the victim’s personal details may have been sold on the dark web to other fraudsters. Scammers will usually ask for a fee for this “service” and may ask victims for their bank account details so they can “deposit” the recovered funds.

Mark Steward, executive director of enforcement and market oversight at the Financial Conduct Authority said: “Consumers should always be wary of cold calls and promises to recover funds lost to a scam, as these are often signs of an attempted recovery fraud taking place. If you’re under pressure to make a quick decision or a payment, there’s a very good chance you’re talking to a scammer.

“Be ScamSmart and check the FCA Register to make sure that the firm you are dealing with is authorised to perform the service they are providing for you, and use the contact details on the FCA Register.”

TV Licensing

While this particular scam was first identified by the NFIB in September 2018, scam emails purporting to be from TV Licensing resurfaced in October 2020. Victims receive an email which states that there is a problem with their Direct Debit that needs addressing in order for them to continue watching TV legally at home.

Victims are then urged to click a link, which directs them to an authentic-looking website that prompts them to enter their home address and bank details, which are duly stolen by scammers.

TV Licensing says that its genuine emails include your name and part of your postcode, whereas scam emails often use only your email address or “Dear customer”. All legitimate emails from TV Licensing come from donotreply@tvlicensing.co.uk (or donotreply@spp.tvlicensing.co.uk). If you think you’ve been a victim of a TV Licence scam, contact Action Fraud, or forward the email to the National Cyber Security Centre’s Suspicious Email Reporting Service at report@phishing.gov.uk.
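A check of the kind both the HMRC and TV Licensing advice above describe, written here as an added example (it is not code from this page, from HMRC or from TV Licensing): it parses the From header, accepts only the addresses and domains the page quotes as genuine, and flags look-alikes such as an extra label after gov.uk, a run-together “hmrcgov.uk”, or a brand name that appears only in the display name. The allowlist, the brand keywords and the sample headers are constructed for the demonstration. Note that “genuine” here means only that the visible address matches: the From header is attacker-controlled, so the receiving mail server’s SPF, DKIM and DMARC results are what actually establish who sent the message.

```python
from email.utils import parseaddr

# Genuine senders as the page states them (assumption: HMRC mail comes from
# an address whose domain is gov.uk or a subdomain of it; TV Licensing mail
# comes from the two donotreply addresses). Keywords are used to spot mail
# that is pretending to be the brand without matching a genuine sender.
BRANDS = {
    "hmrc": {
        "exact_addresses": set(),
        "domain_suffixes": {"gov.uk"},
        "keywords": {"hmrc", "govuk"},
    },
    "tvlicensing": {
        "exact_addresses": {"donotreply@tvlicensing.co.uk",
                            "donotreply@spp.tvlicensing.co.uk"},
        "domain_suffixes": set(),
        "keywords": {"tvlicensing", "tvlicence"},
    },
}


def _squash(text):
    """Lower-case and keep only letters and digits, so 'TV-Licensing',
    'tv licensing' and 'TVLICENSING' all compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _domain_matches(domain, suffix):
    """True for the suffix itself or a real subdomain of it. A bare
    domain.endswith(suffix) would also accept 'hmrcgov.uk', which is
    exactly the look-alike this check must reject."""
    return domain == suffix or domain.endswith("." + suffix)


def classify_sender(from_header, brand):
    """Return 'genuine', 'lookalike', 'unrelated' or 'malformed'.

    'genuine' only says the visible address matches a known sender; the
    From header can be forged, so SPF/DKIM/DMARC at the receiving server
    are still required to trust it.
    """
    rules = BRANDS[brand]
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return "malformed"
    _, domain = address.rsplit("@", 1)
    domain = domain.rstrip(".")

    if address in rules["exact_addresses"]:
        return "genuine"
    if any(_domain_matches(domain, s) for s in rules["domain_suffixes"]):
        return "genuine"

    # Not a known sender: is it pretending to be one? The page's "additional
    # words, letters or numbers" after gov.uk land here, as does a brand name
    # used only in the display name in front of an unrelated address.
    haystack = _squash(domain) + "|" + _squash(display_name)
    if any(keyword in haystack for keyword in rules["keywords"]):
        return "lookalike"
    return "unrelated"


# Constructed sample From headers for the demonstration (not real senders).
SAMPLES = [
    ("hmrc", "HM Revenue & Customs <noreply@hmrc.gov.uk>"),
    ("hmrc", "HMRC Refunds <refund@hmrc.gov.uk.tax-rebate-portal.example>"),
    ("hmrc", "HMRC <rebate@hmrcgov.uk>"),
    ("hmrc", "HMRC Customer Service <alerts@mail-server-42.example>"),
    ("hmrc", "Weekly Newsletter <news@example.org>"),
    ("tvlicensing", "TV Licensing <donotreply@tvlicensing.co.uk>"),
    ("tvlicensing", "TV Licensing <donotreply@tvlicensing.co.uk.renewals.example>"),
]

if __name__ == "__main__":
    for brand, header in SAMPLES:
        print(f"{classify_sender(header, brand):9s}  {header}")
```

The suffix test is the part worth copying: matching on `endswith("gov.uk")` without the leading dot is a common mistake that lets `hmrcgov.uk` through, and the display-name check catches the case where the spoofed brand never appears in the address at all.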

What can I do if I think I’ve been a victim of fraud?

If you think you’ve been a victim of fraud, you can contact Action Fraud for help and advice. You can also forward suspicious emails to the National Cyber Security Centre at report@phishing.gov.uk.

Oren Etzioni: Fighting Spam with Spam

Even though I’m a professor of computer science, I have failed to protect myself from the daily nuisance of unsolicited and unwanted commercial e-mail known as “spam”. It’s time to fight back. Last week, a consumer association called for new legislation to combat spam, but the legal process is cumbersome and ineffectual in this case.

Although more than ten states have enacted anti-spam laws, courts in at least two states have ruled that the laws are unconstitutional. Furthermore, spam is a global phenomenon, and much of the spam we receive originates outside the United States.

I say let’s fight spam with spam!

Spammers rely on most of us to quietly delete their unwanted e-mail and go about our daily business. They hope to lure the few who are potentially interested in their dubious propositions (“URGENT AND CONFIDENTIAL BUSINESS PROPOSAL”…”Watch Monika live”). What would happen if many of us responded to each spammed message? Unlike viruses, whose authors can hide in the shadows of the Internet, each piece of spam has to have a simple trail for recipients to follow so that the spammer can ultimately make money. Faced with hundreds of thousands of responses, the spammer would have to employ substantial resources to find genuinely responsive individuals — the cost of successful spamming would shoot up and its frequency would naturally drop. Of course, responding to spam requires more effort than merely deleting it, but fighting back is also more satisfying. More important, if doing so will result in a chilling effect on spam, the effort will pay off over time.

Spammers will inevitably cower behind walls of automation. However, anti-spammers could find a receptive ear at their payment processor, be it Visa or PayPal. Also, we could contact a spammer’s ISP. Web sites could spring up that would direct anti-spammers to the appropriate contact points. In the rare cases where there is no person to contact, anti-spam activists could mount a grass-roots “denial of spam” attack on spammer web sites, flooding them with requests until they grind to a halt.

One might question whether anti-spam forces could muster large enough numbers of volunteers. But remember that the Internet community is huge, and none of us get a free pass from spam. To bolster the effort, we could build anti-spam amplifiers that take each bona fide individual request and turn it into ten or even one hundred requests directed at the spammer. We would need safeguards to prevent the abuse of such amplifiers, but the small gain of each amplifier ensures that only a large group of individuals could have any real impact. This sort of approach may need further refinement, but it has a satisfying symmetry to it: any spammer can count on a powerful torrent of counter-spam directed right back.

The effort to fight spam is also justified by its growing cost.

The most immediate cost of spam is the momentary irritation of identifying and deleting it; multiplied by literally billions of e-mail readers, this cost is substantial. Spam also results in a financial burden to the companies that operate the Internet infrastructure.

Hotmail estimates that it receives over a billion spam messages per day, and that number is growing rapidly. Finally, spam has an intangible cost that arises from its negative impact on electronic discourse. For instance, people obscure their e-mail addresses, or refrain from posting their address in public forums to try and avoid spiders that collect e-mail addresses as grist for spam-spewing mills.

There are some measures already in place to fight spam. America Online, for example, enables users to elect to receive e-mail only from designated, pre-approved e-mail addresses. If you’ve tried sending a legitimate message to such a user, then you’re aware of how annoying this measure can be. Moreover, users are forced to continually update such lists and inevitably fail to receive important messages. A cottage industry of companies has sprung up attempting to filter e-mail and prevent spam from reaching its target. However, filters run the risk of inadvertently blocking desirable e-mail. As a result, the filters are conservative in blocking messages and often let spam through. Spammers have also become increasingly adept at creating spam that masquerades as ordinary e-mail.

One of the more promising technical proposals for blocking spam is the use of mini Turing tests. Turing tests are puzzles that are intended to discriminate people from programs. Such schemes work as follows. Whenever I receive an e-mail message from an unknown sender, my mailer holds the message and automatically sends a message back politely requesting that the sender solve a simple puzzle to demonstrate that they are a person and not a spam machine. The original e-mail is delivered to me only if the sender does indeed reply with a solution to the puzzle. In that case, the sender’s address is placed on a list of approved senders so that the sender does not have to solve a puzzle every time they send a message. Nevertheless, this process is awkward, potentially insulting to the sender, and far from foolproof: because most spam carries a forged sender address, the challenges themselves go to innocent third parties.
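The challenge-response exchange described above, as an added example that is not part of the original essay and not any real mailer’s code. The “puzzle” is reduced to replying with the challenge subject intact (a real deployment would point the sender at a CAPTCHA page; that substitution is an assumption made so the example runs offline). The token is an HMAC over the sender address and message-id, so a reply can only release the mail it was issued for, and the two failure modes a practitioner worries about are handled: bounces and auto-replies are never challenged, and an unknown sender gets at most one challenge no matter how many messages arrive, so a forged From address cannot turn the gateway into an amplifier against the person being impersonated. All messages are constructed for the demonstration.

```python
import hashlib
import hmac
import re
import secrets

# Token carried in the challenge subject; the sender replies with it intact.
TOKEN_RE = re.compile(r"\[verify:([0-9a-f]{32})\]")


class ChallengeResponseGateway:
    """Hold mail from unknown senders until they answer a challenge."""

    def __init__(self, owner, secret=None):
        self.owner = owner
        self.secret = secret or secrets.token_bytes(32)
        self.approved = set()   # senders who have passed a challenge
        self.pending = {}       # sender -> [(message_id, subject, body), ...]
        self.outbox = []        # (recipient, subject, body) challenges sent
        self.delivered = []     # (sender, subject, body) reaching the owner

    def _token(self, sender, message_id):
        data = f"{sender}\n{message_id}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:32]

    def receive(self, sender, message_id, subject, body,
                return_path=None, auto_submitted=False):
        """Process one inbound message and report what happened to it."""
        sender = sender.lower()
        if return_path is None:
            return_path = sender

        # A reply carrying a token is an answer to an earlier challenge.
        match = TOKEN_RE.search(subject)
        if match:
            return self._handle_reply(sender, match.group(1))

        # Approved senders bypass the puzzle, as the text describes.
        if sender in self.approved:
            self.delivered.append((sender, subject, body))
            return "delivered"

        # Never challenge bounces (empty return path) or auto-replies:
        # answering automated mail with automated mail creates backscatter
        # loops, and the gateway itself becomes a spam source.
        if return_path == "" or auto_submitted:
            return "discarded"

        # Hold the message and send at most ONE challenge per unknown sender.
        # Spam usually carries a forged From address, so every challenge is
        # potentially mail to an innocent third party; capping it stops the
        # gateway acting as an amplifier against that person.
        first_contact = sender not in self.pending
        self.pending.setdefault(sender, []).append((message_id, subject, body))
        if first_contact:
            token = self._token(sender, message_id)
            self.outbox.append((
                sender,
                f"Re: {subject} [verify:{token}]",
                f"{self.owner} has not received mail from you before. Reply "
                "with the subject line unchanged and your mail will be delivered.",
            ))
            return "challenged"
        return "held"

    def _handle_reply(self, sender, token):
        held = self.pending.get(sender)
        if not held:
            return "rejected"   # no challenge outstanding for this sender
        # The challenge was issued for the first held message from this sender.
        expected = self._token(sender, held[0][0])
        if not hmac.compare_digest(token, expected):
            return "rejected"   # guessed, replayed, or lifted from another challenge
        self.approved.add(sender)
        for _message_id, subject, body in held:
            self.delivered.append((sender, subject, body))
        del self.pending[sender]
        return "approved"


def run_demo():
    """Walk through the exchange with constructed messages (not real mail)."""
    gw = ChallengeResponseGateway("alice@example.com", secret=b"demo-only-secret")
    outcomes = [
        gw.receive("bob@example.org", "<1@example.org>", "Lunch?", "Free on Thursday?"),
        gw.receive("bob@example.org", "<2@example.org>", "Lunch?", "Did you get my mail?"),
    ]
    # Bob answers the challenge by replying with the subject line intact.
    challenge_subject = gw.outbox[0][1]
    outcomes.append(gw.receive("bob@example.org", "<3@example.org>", challenge_subject, "Yes, it's me"))
    outcomes.append(gw.receive("bob@example.org", "<4@example.org>", "Thanks", "See you then"))
    # Spam with a forged From: one challenge reaches the victim, later copies are held silently.
    outcomes.append(gw.receive("victim@example.net", "<s1@spam.example>", "BUY NOW", "..."))
    outcomes.append(gw.receive("victim@example.net", "<s2@spam.example>", "BUY NOW", "..."))
    # A bounce (null return path) is never challenged.
    outcomes.append(gw.receive("mailer-daemon@example.net", "<b1@example.net>", "Undeliverable", "...", return_path=""))
    # A guessed token from a sender with nothing pending is refused.
    outcomes.append(gw.receive("mallory@example.net", "<m1@example.net>", "Re: hi [verify:" + "0" * 32 + "]", "..."))
    return outcomes, gw


if __name__ == "__main__":
    results, gateway = run_demo()
    print(results)
    print("delivered:", [subject for _, subject, _ in gateway.delivered])
```

Even with the one-challenge cap, the forged-sender case still sends one unwanted message to the impersonated address, which is the backscatter problem the paragraph alludes to; the cap bounds the damage, it does not remove it.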

The limitations of blocking and filtering approaches have led experts to consider a range of economic remedies. Such remedies focus on the fact that the cost of sending e-mail is close to zero. Increasing that cost, by paying the recipient of a message or by introducing a post office of some sort into the Internet, would clearly “can” much of the spam we receive. The downside of such remedies is that they take a free service and attempt to charge for it. History shows that such attempts meet overwhelming resistance from people. My colleague Fernando Pereira has suggested that each Internet Service Provider (ISP) ought to compensate other ISPs for the spam that they send. Thus, if a Korean ISP sends Hotmail more spam than it receives from Hotmail (a spam surplus) then it would have to pay Hotmail, or Hotmail would refuse to receive e-mail from that ISP. This innovative proposal would give ISPs an incentive to better police their accounts and cut down on spam, but would require multilateral agreements that may be difficult to achieve and enforce.

Yesterday, I created a new e-mail account, and within twenty-four hours I received over twenty-five pieces of spam. The Internet is drowning in spam, and it stinks! Virtually all of us simply hit the delete button on our keyboard. Let’s distribute software that automatically converts that single keystroke to a clear response to the spammers: stop spamming or taste your own medicine.

By Oren Etzioni