Fake refund emails
Following our earlier pieces on staying safe from scams and phishing, below is a short guide to spotting fake refund emails and what to look out for when an unexpected email of this type arrives.
In 2020, hundreds of scam emails circulated offering refunds of up to £400, purportedly from suppliers such as British Gas. Each email carried a link to "access your account"; the link instead led to a page built to harvest your login details, so that the scammers could get into the real account and mine information such as card details and regular payment dates.
The following year, British Gas warned customers that it was aware of these scam emails and published advice on reporting them, in the hope of stopping more customers from ending up in this position.
Edinburgh Live reported that fake refund emails in British Gas's name date back to at least 2016 and may have cost customers millions over the years. A common tactic is to state that your supplier will only contact you through the email thread you have just received. This isolates you from the real provider: every question you send "for clarification" goes to the scammer, who can answer it straight away and coax more information out of you faster.
Many phishing emails claim that without immediate action (often within 24 hours to 2 days) you will lose the right to claim your money back, or will instead be billed for a small remaining charge on your account. In truth, an overpayment does not expire: it is either carried over to your next bill, or the supplier contacts you in other ways, such as by post or a direct call. As a consumer you do not lose the right to your own money, and any contact claiming otherwise is unlikely to have your best interests at heart.
Which? shared an example of a fake DVLA email, to help people recognise phishing, that went as far as threatening home visits to the recipient. That is not something a genuine organisation does out of the blue; a visit is only realistic if a debt-collection company is already involved.
How can I tell if these emails are fake?
First, check the address the email was actually sent from, not just the display name. If it is not one you recognise and you cannot find it on the company's own website, treat the email as phishing.
Second, if it is too good to be true, it probably is. You have heard this phrase in scam-awareness TV shows and other media, and for good reason. If you are being offered free money or an incredible discount on your bills, check with your provider through a channel you already trust before acting.
Third, look at the greeting. Phishing emails often open with a line intended to feel personal but that does not match the way the company usually writes. A generic "Hello" or "Dear Customer" in place of the name and title your supplier normally uses is a warning sign.
Fourth, genuine emails from your supplier usually quote your energy account number, or at least part of it. If it is missing, the sender may not be your provider, because they do not have that information.
Lastly, you will not be asked to confirm, update or provide personal details out of the blue. The only exception is where you have started the process yourself, for example by recently telling your provider that you are moving.
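As an added example (not from the original article, and not British Gas or NCSC code), the Python below applies those five checks, plus the SPF/DKIM/DMARC results that the receiving mail server records in the Authentication-Results header, to a raw message. Open the email with your mail client's "show original" or "view source" option to get that raw text. The supplier domain, the account-number format, the phrase lists and both sample messages are assumptions constructed for illustration.

```python
"""Check a suspected refund email. Added example; not British Gas or NCSC code.
The supplier domain, account-number format and both sample messages are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr

SUPPLIER_DOMAINS = {"britishgas.co.uk"}          # assumption: the real sender domain
ACCOUNT_REF = re.compile(r"\b\d{9,12}\b")       # assumption: 9-12 digit account reference
GENERIC_GREETING = re.compile(
    r"^(hello|hi|dear)(\s+(valued customer|customer|sir/madam|sir|madam|user))?\s*[,!]?\s*$", re.I)
URGENCY = re.compile(r"within\s+\d+\s+(hours?|days?)|immediately|will be cancelled|lose (your|the)", re.I)
SENSITIVE = re.compile(r"card number|sort code|security code|cvv|password|date of birth", re.I)
ONLY_CHANNEL = re.compile(r"only (channel|way|method)", re.I)

# Constructed sample of a fake refund email, as delivered (headers included).
SAMPLE_PHISH = """\
Return-Path: <bounce@refund-alerts.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=refund-alerts.example; dkim=none; dmarc=fail header.from=britishgas.co.uk
From: "British Gas Refunds" <customer.care@britishgas-refund.example>
To: you@example.net
Subject: Your refund of 412.00 GBP is waiting
Content-Type: text/plain; charset=utf-8

Hello Customer,

Our records show an overpayment on your account. Claim it within 24 hours
or the refund will be cancelled. Confirm your card number and sort code at
the link below. This is the only channel we will use to contact you.
"""

# Constructed sample of a genuine-looking statement notification, for contrast.
SAMPLE_LEGIT = """\
Return-Path: <no-reply@britishgas.co.uk>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=britishgas.co.uk; dkim=pass header.d=britishgas.co.uk; dmarc=pass header.from=britishgas.co.uk
From: "British Gas" <no-reply@britishgas.co.uk>
To: you@example.net
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Dear Ms Example,

Your statement for account 850012345678 is ready to view. Log in at the
usual address to see it. No action is needed.
"""


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """spf/dkim/dmarc outcomes from the receiving server's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def assess_email(raw: str) -> list:
    """Return the reasons to distrust the message; an empty list means every check passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender checks: the address behind the display name, and where bounces would go.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if from_dom not in SUPPLIER_DOMAINS:
        findings.append(f"sender '{display}' <{addr}> is not on a supplier domain")
    rp_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"bounces go to '{rp_dom}', not to the From domain")
    auth = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} did not pass ({auth.get(check, 'not recorded')})")

    # Content checks: greeting, account number, deadline, requests for details, isolation claim.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((line.strip() for line in text.splitlines() if line.strip()), "")
    if GENERIC_GREETING.match(first_line):
        findings.append(f"generic greeting: '{first_line}'")
    if not ACCOUNT_REF.search(text):
        findings.append("no account number in the body")
    if URGENCY.search(text):
        findings.append("deadline or threat of losing the money")
    if SENSITIVE.search(text):
        findings.append("asks for payment or login details")
    if ONLY_CHANNEL.search(text):
        findings.append("claims this is the only way the supplier will contact you")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess_email(sample) or "no findings")
```

The authentication checks are the ones a human cannot do by eye: SPF, DKIM and DMARC are recorded by your own mail server, so a scammer cannot forge a "pass" in the message body. A message that fails all three while claiming to be from your supplier's domain is the clearest signal on the list.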
You can also learn to identify the phishing websites these links lead to. Things to check:
- Check the URL. Look for a padlock symbol in the address bar and make sure the address begins with "https://" (not "http://"). This means the connection is encrypted with a TLS certificate, so data you send cannot be read or altered in transit by anyone sitting between you and the site. Be aware, though, that this proves nothing about who runs the site: certificates are free and quick to obtain, and for years scam sites have had perfectly valid padlocks. Treat https as necessary but not sufficient, and look for the other signs below as well.
- Check that the web address is spelled correctly. We skim what we expect to read, so if the link says "britishgass.com" we may not notice the extra s and assume the link is safe. The same trick appears at addresses like www.yah00.org, where fraudsters swap letters for digits, add or drop a character, or replace .co.uk with .com or another ending, to get as close as possible to the real thing. An "official"-looking address is the first step in the fraud.
- Check who owns the website. Every domain is registered with a registrar, and a WHOIS lookup (free at many sites) shows the registration date, the registrar and, where not redacted, the registrant. Since 2018 most registrars hide the registrant's name and contact details for privacy reasons, so missing details are not a verdict on their own; the registration date usually still shows. A domain registered in the last few weeks or months is a red flag when it claims to be a company that has existed for decades, as is a "leading brand" whose domain turns out to be registered to an individual in another country. Keep these details to hand for your report, so that others do not have to deal with the same problem.
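The first two website checks above, applied to the link itself before you click it, as an added example (not code from the article, British Gas or the NCSC). The list of expected domains, the crude registrable-domain rule and the sample links are assumptions made so that it runs offline; in real use, replace the rule with a Public Suffix List lookup. The ownership and age check needs a network WHOIS query and is left out.

```python
"""Inspect a link from a suspected phishing email. Added example, not the article's code.
EXPECTED_DOMAINS, the eTLD+1 rule and the sample links are assumptions for illustration."""
import re
from urllib.parse import urlsplit

# Assumption: the registrable domains a customer of these brands would actually expect.
EXPECTED_DOMAINS = {"britishgas.co.uk", "yahoo.com"}
# Digit-for-letter swaps that survive a skim read ("yah00", "paypa1").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample links: one genuine shape and four typical scam shapes.
SAMPLE_LINKS = [
    "https://www.britishgas.co.uk/account/refunds",
    "http://britishgass.com/refund",
    "https://www.yah00.org/login",
    "https://britishgas.co.uk.secure-refunds.net/",
    "https://britishgas.co.uk@203.0.113.5/account",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (assumption): last two labels, or three for co.uk-style suffixes.
    Real code should consult the Public Suffix List."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac", "net"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str) -> dict:
    """Return the real host, a verdict ('expected' or 'suspicious') and the reasons."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"not https (scheme is '{parts.scheme or 'none'}')")
    if parts.username is not None:
        # https://britishgas.co.uk@evil.example/ really goes to evil.example
        reasons.append(f"text before '@' is ignored by the browser; real host is '{host}'")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
        return {"host": host, "verdict": "suspicious", "reasons": reasons}
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (look-alike international characters)")

    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return {"host": host, "verdict": "expected", "reasons": reasons}

    # Labels in front of the registered domain: where a brand name gets planted.
    prefix_labels = host[: len(host) - len(domain)].split(".")
    brand = domain.split(".")[0]
    for expected in EXPECTED_DOMAINS:
        real_brand = expected.split(".")[0]
        if real_brand in prefix_labels:
            reasons.append(f"'{real_brand}' is only a subdomain label; registered domain is '{domain}'")
        elif brand.translate(CONFUSABLES) == real_brand or edit_distance(brand, real_brand) <= 1:
            reasons.append(f"'{domain}' looks like '{expected}' (digit swap, extra or changed letter, or other suffix)")
    if not reasons:
        reasons.append(f"'{domain}' is not a domain the supplier uses")
    return {"host": host, "verdict": "suspicious", "reasons": reasons}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = inspect_link(link)
        print(result["verdict"], link, *result["reasons"], sep="\n  ")
```

Two of the sample shapes defeat the "check the spelling" advice on their own: the brand can be spelled perfectly and still sit in front of someone else's domain, or in front of an "@" that the browser discards. Reading the host right to left, from the suffix back to the registered name, is the habit that catches both.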
How can I protect myself?
If you are concerned that an email you have received may not be genuine, the safest check is to ignore every link in the email and instead log in to your account from the supplier's website, typed in or bookmarked as you always would. Any genuine refund, notification or alert will show on the account itself: urgent information normally appears as a pop-up when you first log in, or is highlighted on the account so that you cannot miss it. If nothing of the sort is there, the email is not from your supplier and you can disregard it.
- Visit NCSC’s top topics for staying secure online.
- Learn about securing your devices.
- Research how to deal with suspicious messages and emails.
If you have fallen for a phishing email, contact your supplier immediately so that your details can be changed and the scammers are blocked from taking money from your account or altering it further. You can also forward any email claiming to be from British Gas to the phishing-reporting address British Gas publishes on its website, so that it can investigate.
Alternatively, report suspected phishing to the National Cyber Security Centre's Suspicious Email Reporting Service (SERS) by forwarding the email to report@phishing.gov.uk. Although the NCSC cannot tell you the outcome of each review, it confirms that it acts on every report it receives.
If you have been a victim of cybercrime in England, Wales or Northern Ireland, report it to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, contact Police Scotland by calling 101.
Secure sites checklist:
- The address begins with https:// and the browser shows a padlock (necessary, but not proof on its own).
- The web address is spelled correctly, and the brand name is the registered domain rather than a label in front of someone else's domain.
- Public parts of the site (contact details, help pages, terms) can be reached without logging in; a site that demands your login before showing anything else is suspect.
- You reached the site organically, by typing the address or from a bookmark, not by following a link in an email or text.
- The domain is registered to the company you expect, for example "British Gas PLC", and in the country you expect.
- Payment is by a trusted method: credit card, PayPal or the supplier's own online payment page. Never by bank transfer.

Genuine email checklist:
- Your account number, or part of it, appears in the email.
- You are addressed by name, not as "Dear Customer" or "Sir/Madam".
- There are no urgent warnings claiming you will lose out if you do not respond within a number of days.
- There is no claim that this is the only way your supplier will contact you.
- You are not offered an unbelievable deal or a refund you were not expecting.
- You are not asked for details you have already given your provider through a secure channel, for example when signing your contract.