Energy Scams

Look Out for Fake Refunds

Fake refund emails 

Following our earlier pieces on keeping you safe from scams and phishing, below is a short guide explaining how to protect yourself from email scams and what to look out for when you receive an unexpected email of this type.

2020 saw hundreds of scam emails offering refunds of up to £400 from the likes of British Gas. These emails provided a link that appeared to open your account but instead collected your details, giving the scammer access to your account and to information such as your card details and regular payment dates.

The following year, British Gas warned customers that it was aware of such scam emails and published information on how to report them, in the hope of stopping more customers from finding themselves in this difficult position.

Edinburghlive reported that these fake refund emails sent in the name of British Gas date back to 2016 and, over a number of years, have the potential to have cost customers millions. The emails are known to claim that your provider will only contact you via the scam email you have received. This isolates you from your true provider and gives the scammer faster access to your information, because every question or email you send for clarification goes to the people posing as your provider.

Many phishing contacts claim that without immediate action (often within 24 hours to 2 days) you will lose the right to claim your money back, or alternatively that you will be billed for a small remaining charge on your account. In truth, if you have overpaid you are unlikely to lose the right to your money: it will either be carried over to your next bill, or you will be contacted in a number of different ways, such as by post or a direct call from the supplier. As a consumer you will never lose the right to your money, and most contacts claiming otherwise are unlikely to have your best interests at heart.

Which.com shared a false DVLA email, in an attempt to help customers recognise spam, that even threatened home visits to the recipient. This is unlikely to happen in a real-life scenario unless you are already dealing with a debt repayment company.

How can I tell if these emails are fake?

Firstly, check the email address this information was sent from. If it is not one that you recognise, and not one that you can find online under the company name, it is likely that you have received a phishing email.

Secondly, if it’s too good to be true, it probably is. You have likely heard this phrase on scam TV shows and in other media, and for good reason. If you are being offered free money or incredible discounts on your bills, for example, check with your provider to ensure that the offer is coming from a trusted source.

Third, most phishing emails open with lines designed to make the message feel more personal, but which do not follow the company’s usual email template. For example, starting with “Hello” and your name is not something you tend to see in a real email from your supplier.

Fourth, any genuine email from your supplier should contain your energy account number; if you cannot find this in the email, it is likely that the sender is not your provider, as they do not have access to that information.

Lastly, you will never be asked to confirm, update or provide personal details without having requested such changes yourself, unless there is an active reason for it, for example having recently told your provider that you are moving.

You can learn to identify phishing websites built to harvest your information in a number of ways, such as:

  • Checking the URL: look for a padlock symbol in the address bar, and check that the address you are using begins with “https://” or “shttp://”. This indicates that the website has been encrypted and secured with an SSL certificate. Without this, any data passed to the site is not fully secure and could be intercepted by criminals or third parties. Be aware, though, that this is not foolproof: over recent years a number of fake sites have used an SSL certificate, so we would not recommend treating the padlock symbol as proof of security on its own. Instead, look for a handful of further signs that your details are safe, including:
    • Check that the spelling of the web address is correct. We tend to skim what we expect to read, so if a link says “britishgass.com” we may not notice the extra s right away and assume the link we have been sent is safe. The same trick is seen at www.yah00.org and similar addresses, where fraudsters replace letters with numbers, or swap one element for another such as .com for .uk, to make the address look as close as possible to the real thing. Creating an “official” looking site is the first step to committing the crime.
    • Check who owns the website. All domains must be registered to an owner, and free lookup services such as WHOIS show the registered contact details, which you can compare with your utility provider’s details online. If these details differ, it is likely you are on the receiving end of a scam. A website is usually suspicious if it has been active for less than a year, or if you think you are on the website of a leading brand but it is registered to an individual in another country. Keeping these details to hand for your report is another way to ensure that others do not have to deal with the same problems.
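The checks above (padlock, lookalike spelling, digits standing in for letters, a swapped suffix, and a recently registered domain) can be applied mechanically to a link before anyone clicks it. The following is an added example written for this guide, not code from the original page or from any supplier. It assumes a small constructed allowlist of genuine domains (KNOWN_DOMAINS) that you would confirm from your own paperwork, and takes the domain registration date as an input because a WHOIS lookup cannot be done offline; the suffix splitting is a deliberate simplification of the public suffix list.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed allowlist for this example: the genuine domains you have
# confirmed from bills or the supplier's own site, not a list from the page.
KNOWN_DOMAINS = {"britishgas.co.uk", "edfenergy.com", "yahoo.com"}

# Digit-for-letter swaps that the eye skims over ("yah00.org").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host):
    """Crude split into (brand label, suffix): britishgas.co.uk -> ("britishgas", "co.uk").

    Simplified for the example; real code would consult the public suffix list.
    """
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and parts[-1] == "uk":
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def assess_url(url, known=KNOWN_DOMAINS, registered_on=None, today=None):
    """Return a list of warning strings; an empty list means no check fired."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("no https: the padlock will be absent and data is sent in the clear")

    brand, suffix = split_domain(host)
    if f"{brand}.{suffix}" in known:
        return findings  # registrable domain matches a trusted one exactly

    norm_brand = brand.translate(CONFUSABLES)
    for k in known:
        kbrand, ksuffix = split_domain(k)
        if brand == kbrand and suffix != ksuffix:
            findings.append(f"right brand, wrong suffix: .{suffix} instead of .{ksuffix} ({k})")
        elif norm_brand == kbrand and brand != kbrand:
            findings.append(f"digits standing in for letters: {brand!r} mimics {k}")
        elif levenshtein(norm_brand, kbrand) <= 2:
            findings.append(f"near-miss spelling: {brand!r} is within 2 edits of {k}")

    # Registration date would come from a WHOIS lookup; passed in here so it runs offline.
    if registered_on is not None:
        age = ((today or date.today()) - registered_on).days
        if age < 365:
            findings.append(f"domain registered only {age} days ago")
    return findings


if __name__ == "__main__":
    for link in ("https://www.britishgas.co.uk/account",
                 "https://britishgass.com/refund",
                 "http://www.yah00.org"):
        print(link, "->", assess_url(link) or "no warnings")
```

Treat the output as a prompt to verify with the supplier, not as proof either way: a link that passes every check can still be hostile, which is the same caveat the guide gives for the padlock.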

How can I protect myself?

If you are unsure whether an email you have received is genuine, a good way to check is to avoid the links in the email itself and instead log into your account from the supplier’s website as you always would. Any notifications or alerts should show on your account there. If there is nothing to see, you have nothing to worry about. Any urgent information should appear as a pop-up when you first log in, or will be highlighted on your account in some way, so you should not miss it when you access your details.

If you have been a victim of a phishing email, contact your supplier to change your details immediately and close off any further opportunity for scammers to withdraw money from your account or change your details. You may also forward any British Gas specific emails to phishing@centrica.com so that they can investigate further.

Alternatively, you may report suspected phishing to the National Cyber Security Centre through its Suspicious Email Reporting Centre (SERS) at report@phishing.gov.uk. Although the NCSC is not able to inform you of the outcome of each review, it confirms that it investigates each individual report.

If you have been a victim of cybercrime in England, Wales or Northern Ireland, you should report this to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, you can simply contact the police by calling 101.

Secure sites checklist

  • SSL certificates can be seen as a lock at the top of your website address.
  • The website address is spelled correctly.
  • You do not have to log in to gain access to all parts of the website.
  • The website link you are using was found organically; you are not following an email or text link.
  • The website is registered to the company you expect, for example “British Gas PLC”, and is located in the correct country.
  • Trusted payment methods are being used: credit cards, PayPal or online transactions. NEVER A BANK TRANSFER.

Genuine email checklist

  • Your account number is included as part of the email.
  • You are addressed by name, not as “Dear Customer” or “Sir/Madam”.
  • There are no urgent warnings claiming you will lose out if you do not respond within a number of days.
  • No claims that this is the only way your supplier will contact you.
  • You are not being offered unbelievable deals or refunds that you were not expecting.
  • You are not being asked for details that you have already given your provider in a secure environment, for example on signing your contract.
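The genuine email checklist can be run as a triage script over a message before anyone replies to it. The following is an added example written for this guide, not code from the original page or from any supplier; it uses Python's standard email parser on two constructed plain-text messages (one mimicking the refund scam described earlier, one a genuine statement notice) and a constructed customer profile (PROFILE) holding the account number, name and the sender domains seen on past genuine mail. The keyword patterns are illustrative and would need tuning against real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed profile: what the genuine supplier already knows about you.
PROFILE = {
    "name": "Ms Example",                     # constructed
    "account_number": "A12345678",            # constructed
    "sender_domains": {"britishgas.co.uk"},   # domains seen on past genuine mail
}

# Illustrative phrase patterns for each checklist item.
URGENCY = re.compile(r"\b(within \d+ (hours?|days?)|immediately|final notice|account will be (closed|suspended))\b", re.I)
EXCLUSIVE = re.compile(r"\b(only (way|method)|solely (via|through|by) this email|do not contact)\b", re.I)
DETAILS = re.compile(r"\b(confirm|update|verify|provide) your (card|bank|account|personal) (details|information|number)\b", re.I)
BANK_TRANSFER = re.compile(r"\bbank transfer\b", re.I)
LINK = re.compile(r"https?://[^\s<>\"']+")


def email_domain(header_value):
    """Domain part of a From: header such as 'Name <user@host>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_email(raw, profile=PROFILE):
    """Return the checklist items the message fails; an empty list passes every check."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text, single-part mail only in this example
    failures = []

    sender = email_domain(msg.get("From", ""))
    if sender not in profile["sender_domains"]:
        failures.append(f"sender domain {sender!r} is not one your supplier has used before")
    if profile["account_number"] not in body:
        failures.append("account number absent: the sender may not hold your account")
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if re.search(r"dear (customer|sir|madam)", first_line, re.I):
        failures.append("generic greeting instead of your name")
    if URGENCY.search(body):
        failures.append("deadline pressure: urgent warning about losing out")
    if EXCLUSIVE.search(body):
        failures.append("claims this email is the only way the supplier will contact you")
    if DETAILS.search(body):
        failures.append("asks you to confirm details the supplier already holds")
    if BANK_TRANSFER.search(body):
        failures.append("asks for payment by bank transfer")
    for url in LINK.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in profile["sender_domains"]):
            failures.append(f"link points to {host}, outside your supplier's domain")
    return failures


# Constructed sample messages (not real emails).
SCAM = """\
From: British Gas Refunds <refunds@britishgas-rebate.com>
To: customer@example.net
Subject: Your refund of 312.50 GBP is waiting

Dear Customer,

We owe you a refund. You must confirm your card details within 48 hours or the
refund will be cancelled. This is the only way we will contact you about it.
Claim here: https://britishgas-rebate.com/claim
"""

GENUINE = """\
From: British Gas <noreply@britishgas.co.uk>
To: customer@example.net
Subject: Your account statement is ready

Dear Ms Example,

Your statement for account A12345678 is available to view at
https://www.britishgas.co.uk/account when you next log in.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(label, "->", triage_email(raw) or "passes every check")
```

A message that passes every check still deserves the "log in from the supplier's own site" step above; the script only surfaces the signs a reader might skim past.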

Phishing for Energy Contracts – Scam Alert

A 2020 phishing benchmark report claims that 19.8% of employees click phishing email links, and an updated statistics report by tessian.com told us that in 2020, 75% of organisations around the world experienced some form of phishing attack in the previous year; another 35% experienced spear phishing and 65% faced BEC attacks. This, though, does not mean that each attack was successful. In the United States, 74% of phishing attacks on business organisations are successful.

Here at Energy Solutions, we want to give you the best information to avoid all types of scams and phishing, in order to keep you safe, whether on behalf of your utilities or your business.

So first, what is Phishing?

Phishing is the term used to describe a type of social engineering used by scammers with the intention of stealing information and user data from businesses or customers, including login credentials and credit card details. Often, these scammers falsely claim to be a company you are already in contact with, and may reach you through a variety of emails, texts or phone calls.

Oil and gas companies, producers, nuclear power companies and electrical grid operators are among the groups most targeted by such attacks. The attacks are delivered through phishing emails aimed at the weakest point in many of these organisations’ security: their own staff.

Why do people do it?

Agari reported the annual cost of cyber attacks at 17.84 million per utility company in 2018, a 17% jump from the previous year. At best, an energy company may see its average loss rise to 13.77 million dollars, though this is nowhere near the total damage that such attacks could do. Government and cyber security company investigations have shown that state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and a menu of other highly sensitive data. Gaining this information puts at risk not only the organisations themselves, but the homes and businesses in the communities they serve.

Unfortunately this is more than just fear, as we already know that phishers have successfully bypassed security protocols in the past. A 2017 report even found that a group of threat actors had succeeded in accessing UK and European energy companies, gaining “hands on access to power grid operations”, as Wired put it. This meant they had the ability to shut down the lights that these power organisations operated. We do not know why they didn’t, but analysts are concerned that these attackers are waiting for the right moment to exploit their position, whether for amusement or at a time of international turmoil.

In some cases, hackers across the world may look for information to give them the upper hand in any future disputes between countries. This is a perfect example for what we know of hackers linked to Russia and Iran.

In 2018, an Aon report explained the concerns following an attack on a hydroelectric dam contractor. Ten days after stealing employee information and gaining access to the dam’s control network, the attackers are known to have had the ability to open all of the dam’s floodgates at once, which would have caused catastrophic flooding.

On a more personal level, scammers may look to obtain information such as usernames and passwords for your bank account, or national identity information, in order to take money from you or clone your identity through the likes of a driver’s licence or ID.

How do scammers do it?

Scammers often use well-timed email messages that appear to be sent by a known, trusted source. Older email defences still used by some businesses, such as secure email gateways (SEGs) and first-generation advanced threat protection (ATP) products, are not designed to filter out these advanced email attacks. As a result, employees are left to decide how to react to an email that they may not recognise as dangerous, particularly as it appears to come from a source they are in ongoing contact with.

Phishers do their homework; they know what types of emails you expect to get and when. For example, your monthly gas statement may arrive in your inbox on the third day of every month, or your phone bill on the first Monday of each month. By using Google to find names, locations and basic information, it is easy for a phishing expert to gather details about what matters to you: whether you have children, have recently moved home, or have recently been considering pet insurance. You will then receive an email about something they know directly interests you, which may even offer an impossibly low price. Unsurprisingly, that is because it is impossible.

It is also common for those contacting you to pretend to be a senior authority at the business contacting you, making the interaction seem more personal and often more urgent. If an email is signed on behalf of a CEO or familiar name, you are more likely to be encouraged to follow links and hand over your information.

Reported cases of phishing are as high as they are for a reason, and an attack may even cost you access to your own information once it has been stolen. For example, if the attacker has recently changed your bank login details, it is going to be much more difficult for you to freeze the account and the transactions going through it.

They rely not only on trickery and carelessness but also on curiosity, offering information you do not yet know: breaking news about the company you work for, for example, or flashy headlines about celebrity gossip if that is something you often view on other sites.

How can I protect myself from Phishing?

Use up-to-date programmes at all times. Modern email security solutions judge the risk of an incoming email from the past behaviour of the sender and a host of other signals, to identify whether or not the messages you receive are authentic and trustworthy.

EDF Energy released this video covering a number of ways to avoid phishing, such as verifying that a communication is genuine before you reply. This can be done by checking the company’s website for the email addresses it uses to contact you, and by looking back through your past correspondence with them.

If you are still unsure, call your business provider directly and ask them about it. You can also ask colleagues if they received similar emails, and what they did.

Urgency is a common trope in phishing emails, pushing you to hand over your information immediately under threat of the consequences: what if you do not receive this month’s wages? Or your electricity is cut off for a week? Spear phishers often use tight deadlines to distract you from the flaws in the message and make your response feel urgent. In most cases, a genuine problem will be raised in more than one email, giving you time to deal with it properly.

Lastly, report it. If you are at all concerned about an email you have received, there are a number of entities in place to do the work for you. You can report anything suspicious to Action Fraud, the National Fraud and Cyber Crime reporting centre by calling on 0300 123 2040, or submitting the form on their website.

EDF Energy also encourages looking into the Take Five and Cyber Aware campaigns, which offer more practical advice on their websites.

Keeping Yourself Safe from Energy Scams and Phishing in 2021

Although contacting your utility providers should be easy, it can also be all too easy for third parties to contact you, especially when claiming to do so on behalf of your provider. Unfortunately, there are a variety of ways in which third parties can gather enough of your details to pose as your utility provider. Whether the goal is to harvest information from you or to take your bank details or other payments, scams have disastrous effects on ourselves and our households.

In this piece, we talk you through the most common scams and help you avoid risking your money and your safety, by making sure that those contacting you are honest, reputable and focused on your wellbeing.

The first step is to recognise the common techniques used by scammers, for example:

The “rate too good to be true” scam 

As the title suggests, this is a situation in which a party contacts you to offer an unbelievable rate for your utilities, whether through a colossal discount or a straightforward switching scheme that your current supplier couldn’t possibly match.

It is common that, after you accept such an offer, the rate changes almost immediately. Why? Although you may be told that this is due to a change in the market, the truth is that these (usually unprofessional looking) websites were built to scam you. This often follows searches for “cheapest electricity rates” or clicking “are you paying too much?” links with little substance behind their pricing pages.

The “Security Deposit” scam 

The Security Deposit scam usually involves an individual being contacted by someone claiming to work on behalf of their bank. The caller explains that a switch between suppliers has been unsuccessful, and that the customer is therefore required to pay a large sum as a “security deposit” that will then be passed on to the supplier.

The scammer will usually claim this is urgent, and will do all they can to keep you on the phone, possibly even claiming that the electricity or gas to your property will be cut off if you do not make the payment. Of course, this is untrue. Although some energy suppliers will ask a business for a security deposit if it is deemed high risk, for example a customer with a very low credit score or a start-up business, this request will always be made by the supplier while your contract is being discussed, and should never come out of the blue afterwards.

The request for a security deposit will always come from the supplier, to be paid to the supplier. Although your broker may be a messenger in this case, know that they will not be the one receiving payment. 

The “Utilities Registration Service” scam 

We have also heard reports of customers receiving calls from an official sounding source claiming that they are the “utilities registration service”, “metering registration service”, or something similar. The problem being that these bodies do not exist.  

Victims are often told that there is an issue with their energy supply and that they must immediately switch supplier, and are then recommended a body to switch to. Whether or not that body exists, it is unlikely both that your energy supply is in danger and that the suggested company would ever receive your payment. These are simple cold calls with the goal of taking your information and using it for the benefit of the scammer.

The “Editing Suite” Scam 

You may be aware that business energy contracts are largely based on verbal agreements, which are recorded for safety. A reputable TPI or supplier should record the entire call (with your knowledge), including your full verbal acceptance of the contract and its details. The supplier can then refer back to the recording to confirm exactly what you agreed to, what you were told, and what your expectations are as their customer.

The problem here is that some parties edit call recordings, creating a false narrative and changing vital details of what you believe to be your contract. Some are even known to have used editing suites to splice together affirmative responses to questions a business was never asked.

While it is not easy to stop someone intent on committing fraud, you have a legal right both to request a copy of all recordings and to be told that you are being recorded each time. This is why many businesses include this information in an automated message before you speak to their customer service teams. Telling a fraudster that you demand access to the recording before making any verbal (or other) contract should slow the process and give you time to check the details with your provider.

How can I prevent phishing and scams? 

Being aware of potential threats, and why people may target you, is the first step to protecting yourself and your business against fraud, but there are a number of other ways to make sure you are speaking to who you think you are, such as:

  • Visits to your property, or phone call identification. 

From time to time, a provider will visit your business property for a number of tasks, from taking meter readings to collecting outstanding payments and carrying out maintenance. Their staff will always carry ID and wear branded uniforms, in particular those from Morrison Data Services (MDS), who read meters on behalf of large companies such as EDF Energy. If you are unsure and would like to check the identity of an MDS worker, you can call them on 0191 201 3791. If the partner company is not MDS, you can call EDF directly on 0333 200 5100 to verify the information.

EDF also provides a password that a visitor is expected to give before entering your property, to confirm that they are who they claim to be.

  • Know where to reach out to for advice and guidance.

The Take Five and Cyber Aware campaigns have practical advice on their websites, while suspicious activity can be reported to Action Fraud. The Centre for the Protection of National Infrastructure also posted this useful video on phishing and spear phishing.

Some simple tips to avoid scams:

  1. Don’t respond to cold calls from your supplier, or from others who are unable to give you personal details that prove to you who they are.
  2. Don’t give out your bank details or your personal details: in most cases, a body you are contracted with should already hold this information in a secure location.
  3. Check the email addresses or phone numbers contacting you: most businesses use one ongoing email address for contacting clients, for example consumeraffairs@ofgem.gov.uk. Ask yourself whether the details you have now are the same as those on the confirmation emails or account updates you have received previously.
  4. Check letters for branding: businesses should always send letters with a header attached.
  5. If in doubt, shout: if you are in any doubt, call Citizens Advice on 0808 223 1133 or contact them online.
  6. If you are being offered a rate that is too good to be true, pause and consider whether it is likely to be a scam. You can always hang up and contact the supplier yourself to check whether the rate quoted is possible for you.
  7. Check the market yourself: do your research before signing a contract with any broker by looking at recent market trends and rises or falls in prices that could affect bulk buying of the product.
  8. Check for any letters or emails of notification on changes to your account; if you have not received these, it is likely you are the victim of phishing, but  
  9. Consider whether you have been asked security questions. While you may occasionally receive a phone call from your provider to discuss your account, they should always verify themselves through questions that were set previously, which means you should recognise them. You should never be asked for your passwords or bank details, and you will never be expected to make an upfront payment to sign up to a special tariff or contract.
  10. Don’t open attachments until you know they are from a reliable source.
  11. Use reputable sources to ensure that the information you are being given is accurate and up to date.

Beginners Guide to Energy Mis-selling

Mis-selling of energy is a big problem. It is hard to believe that rogue ‘energy brokers’ are a serious threat to the UK economy, sounding more like the plot of a low-budget spy thriller than anything else. It is somewhat shocking, then, that these rogue brokers have conned small businesses out of an estimated £2 billion through unscrupulous means (source). There are three main techniques to look out for to identify rogue traders.

Mis-selling

It may be surprising to learn that energy brokers are not legally obliged to offer customers the best deal. This leaves rogue energy brokers free to pass off the contracts that earn them the most money as the ‘best’ for the customer, whether through contracts that carry a high broker’s commission or unsuitably long contracts.

Lack of transparency

Energy brokers will sometimes not clearly present their contractual fees and charges to customers. Do you know how much a rogue broker will profit from your monthly energy bills? Most people don’t. Brokers are also not obliged to scour the market for the best provider and can present a select few suppliers as the only options; often these are the ones that offer the largest margins for the broker.

Misrepresentation

Another common tactic used by rogue brokers is to misidentify themselves so that customers believe they are operating on behalf of a supplier. This is an effective way of pressuring businesses into changing to contracts that suit the rogue broker.

To a lot of people this is new information, which makes it even more shocking how widespread the issue is. Of the 3,000 energy brokers operating within the UK, less than 10% have registered to be self-regulated. This leaves the other 90% free to do as they please. Every business is fair game for these rogue energy brokers, who have targeted care homes, churches and charities in the past. Real-world examples of energy broker malpractice include Stranton Social Club in Hartlepool, which paid a whopping 41% of its total energy bill to its broker in hidden commission fees (source). This figure is not uncommon, with businesses often paying up to 50% of their total energy bill in commission.

Ofgem has been aware of this issue for years. It put forward plans aimed at protecting small businesses from this malpractice as early as 2014. These plans were later dropped after the evidence of malpractice was found to be inconclusive. Recently the energy market has become saturated with new entrants, all wanting a slice of the unregulated profit pie.

However, it’s not all doom and gloom. In 2020 Ofgem returned with increased vigour, announcing new proposals on how to improve the energy retail market. With the introduction of smart metering, increased support for customers, and faster, more reliable switching, it is hoped that there will be a real impact in tackling rogue energy brokers. This includes a new two-week cooling-off period for any business taking on a new energy supplier, giving it the freedom to reconsider the terms of the contract. A new dispute resolution service will also mediate between energy brokers and dissatisfied customers (source). These measures should help to redress the unequal power dynamic between rogue brokers and customers.

If you are worried that you may fall victim to malpractice, the most important thing to do is your own research. This should give you a good idea of how much providers actually charge for energy provision, which in turn makes it easier to identify if and when there are hidden costs in a contract. Be vigilant for high-pressure sales pitches, as these are often a sign that you are being pushed a contract that benefits the broker.

Energy Solutions never cold call customers and never spam.

Contact Energy Solutions and get your energy under control