Public reminded to ‘mullet over’ when it comes to suspicious emails ahead of National Fish and Chip Day

• A tool launched by the City of London Police and National Cyber Security Centre (NCSC) in April 2020, which helps members of the public easily report suspicious emails, has received more than 1.7 million reports of phishing
• Since its launch, reports show that fake emails from TV Licensing, HMRC and GOV.UK were the most common
• Remember: your bank, or other official organisations, will never ask you to share personal or financial information over the phone, or via text or email

A multi-agency campaigns group led by the City of London Police as the national lead force for fraud and cyber crime, that includes government and industry, is warning people to look out for phishing messages during an awareness campaign culminating on National Fish and Chip Day (Friday 4 September).

As part of the campaign, officers from the national Cyber Protect Network, also led by the City of London Police, will be taking part in a live twitter chat hosted by the Global Cyber Alliance at 9.30am on Friday 4 September and hosting a webinar for the public at 10.30am, covering topics such as how to protect yourself online and how to spot to a scam email.

Earlier this year, the National Cyber Security Centre (NCSC) and the City of London Police fast-tracked their plans to launch the new Suspicious Email Reporting Service (SERS), which allows the public to report suspicious emails to an automated system that scans emails malicious links. The pioneering tool was launched at the end of April 2020 and has since received more than 1.7 million reports of phishing. The NCSC’s automated programme will immediately test the validity of any websites in reported emails and any websites found to be malicious will be removed immediately. This has resulted in 6,501 scams being identified and 15,805 malicious websites being removed. Since its launch, reports show that fake emails from TV Licensing, HMRC and GOV.UK were the most common.

Phishing messages contain an urgent call to action, encouraging the recipient to visit a website that criminals use for stealing valuable data such as usernames and passwords, financial details, and other personal information like date of birth or address. This information can then be used by criminals to commit offences such as identity theft or fraud which can lead to victims losing their money.

In one example earlier this year, a concerned family member of an elderly victim reported to Action Fraud that they had lost almost £20,000 after they received a phishing email from a criminal purporting to be from TV Licensing.

T/ Commander Clinton Blackburn, National Police Coordinator for Economic Crime at the City of London Police, said:

“Phishing messages provide a gateway for criminals. If you provide personal details in response to these messages, you can end up inadvertently giving them access to some of your important accounts, like your email or online banking, leaving them free to commit fraud and take your money.

“If you receive a message claiming to be from a well-known organisation, always check directly with that organisation to see if it is legitimate, ‘mullet over’, and if something feels wrong then it’s right to question it. Banks, government agencies or other organisations will never will never ask you to share personal or financial information over the phone, or via text or email.”

What is phishing?

Phishing emails or texts (often called ‘smishing’) contain an urgent call to action, encouraging the recipient to visit a website that criminals use for stealing valuable data such as usernames and passwords, financial details, and other personal information like date of birth or address. This information can then be used by criminals to commit offences such as identity theft or fraud. Phishing messages aren’t just limited to emails or texts. Criminals will also use phone calls and social media for phishing messages.

Phishing communications often use urgent language to trick recipients into making a quick decision and not inspecting the email, text or message closely. Criminals have become far better at making fake emails look like real communications from respected organisations. Criminals will use correct spelling and grammar, real logos from a company’s official website and sometimes even personalise the emails with the recipient’s personal information, such as their name.

UK public bodies are at a higher risk of exploitation, especially by criminals orchestrating low-cost, mass spam phishing campaigns, because these organisations’ logos and branding are often very recognisable, trusted and easily accessible, so criminals can use them in their phishing communications, to make their message seem legitimate.

Protection advice and how to report

• Your bank, or other official organisations, will never ask you to share personal or financial information over the phone, or via text or email. If you need to check that it’s a genuine message, call them directly.
• If you have provided personal or financial details as a result of a phishing message, or lost money because of a scam, you should report it to Action Fraud at http://www.actionfraud.police.uk or by calling 0300 123 2040. If you live in Scotland, you should report to Police Scotland directly by calling 101.
• You can report suspicious emails you have received but not acted upon, by forwarding the original message to [email protected].
• You can report suspicious texts you have received but not acted upon, by forwarding the original message to 7726, which spells SPAM on your keypad.
• Forward suspicious emails claiming to be from HMRC to [email protected] and texts to 60599.  
• For further information on how to protect yourself from cyber crime, visit http://www.actionfraud.police.uk/mulletover.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said:

“Many cyber criminals are opportunists who impersonate trusted brands and individuals to try and trick the public.

“Whilst we should all try to be alert to phishing scams, unfortunately these messages are becoming very hard to spot – and nobody should feel bad if they can’t identify them all.

“We encourage everyone to continue reporting anything that doesn’t look right to the Suspicious Email Reporting Service. By doing this, you’re potentially helping stop someone else from falling victim to a cyber criminal.”

Mike Fell, Head of Cyber Operations at HMRC, said:

“Criminals are taking advantage of the package of measures announced by the Government to support people and businesses affected by coronavirus.

“Scammers text, email or phone taxpayers offering spurious financial support or tax refunds. If someone texts, emails or calls claiming to be from HMRC, saying that you can claim financial help or are owed a tax refund, and asks for credit card or bank details, it might be a scam. Check GOV.UK for information on how to recognise genuine HMRC contact.”

A spokesperson for TV Licensing, said:

“In common with other large organisations, TV Licensing has seen fraudsters sending scam emails posing as genuine TV Licensing communications.

“If you are ever unsure about an email you’ve received from TV Licensing, we encourage you to stop, check and ask before giving away any personal information. You can also visit our website for helpful information and advice on how to spot scams at tvl.co.uk/scam.”