
Impersonation scam advice

by Mark Rowe

The UK had 45,367 cases of impersonation scams in 2022 costing a total of £177.6m, according to the trade body UK Finance’s figures. Impersonation scams happen when a criminal contacts you pretending to be a trusted organisation such as a bank, the police, a delivery or utility company, or even a friend or family member. The scams can start with a call, text, email or direct message with an ‘urgent’ request for money, or personal and financial information.

Research from the police and industry Take Five campaign (suggesting that you ‘take five’ to see through such scams) found that only 51 per cent of people always check if a request for money or personal information is legitimate before responding. A survey also found that, of those who had been approached, one in five (21 per cent) had responded to communications, claiming to come from a range of organisations (including delivery companies, banks, online retailers, energy companies and the police), that they later believed to be fraudulent.

The research (OnePoll interviewed 2,000 UK adults in an online survey in February) found that younger adults are particularly at risk. Just 38 per cent in the 18 to 34 year age group say that they always check a request for their money or information is genuine – the lowest of any age group. This age group was also the most likely (39 per cent) to believe that they had been contacted by a criminal after they had responded to an initial request for information from what they thought was a trusted organisation.

Katy Worobec, Managing Director of Economic Crime at UK Finance said: “We receive genuine communication from trusted organisations on a daily basis, meaning it’s not always easy for us to spot when an approach for information is in fact from a criminal. Anyone can be caught out by a scam in the heat of the moment and criminals are constantly adapting their tactics to appear legitimate. It has never been more important to take steps to check for genuine communication and follow the advice of the Take Five to Stop Fraud campaign and to stop, challenge and protect.”

About the Take Five to Stop Fraud campaign: visit https://www.takefive-stopfraud.org.uk/.

Comment

Carl Wearn, head of threat intelligence analysis and future ops at the cyber firm Mimecast, suggested that the £177.6 million is almost certainly an under-reporting. “In some cases individuals or organisations will not have realised they have even been scammed. As an example of the potential significance of under-reporting, BCS [British Crime Survey] data is widely believed to represent merely the tip of the iceberg on UK crime data as a whole, and likely representing only around 10% of the actual crime figure. A significant hurdle here may well be a misconception or perception on behalf of any victim that no monies are retrievable and so no report is made, it can be perceived as a waste of time.

“We constantly see cybercriminals targeting people using current events to trick them into sharing their personal and financial information. Recently, we have seen criminals use events such as the cost-of-living crisis and rising energy bills as an opportunity to impersonate government departments and energy providers. These criminals are then able to steal the personal information of victims, which can be used in other criminal activity or sold on the dark web.

“These threats are continuing to increase, and Mimecast’s 2022 State of Email Security Report found that 90% of organizations experienced an impersonation attack over the previous 12 months. Businesses must do more to protect themselves from these attacks by implementing a security framework that protects their most vulnerable attack vector: the intersection of business communications, people, and data. This approach is the most effective way to navigate the modern threat landscape. In addition, it’s critical to implement Domain-based Message Authentication Reporting and Conformance (DMARC) for all email services. DMARC is an email authentication, policy, and reporting protocol that layers on two protocols already widely used by organizations: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). If a particular email fails both protocols, DMARC helps receiving mail servers determine whether to accept, block, or quarantine the message. By leveraging DMARC, organizations can set policies that help prevent spoofed emails from reaching employees, customers, and supply chain partners.

“From a consumer perspective, people have to be extra vigilant and take steps such as never clicking links in emails and navigating to the website in question from your browser if in any doubt. People must be aware of these scams and stay alert to ensure they are not duped. Email phishing campaigns will continue to be prominent, so we should always be wary of unsolicited and too-good-to-be-true emails.”


© 2024 Professional Security Magazine. All rights reserved.
