New FCA Update: Fake FCA emails, websites, letters and calls - Find out about some of the common ways scammers may contact you claiming to be from the FCA.
New FCA Update: Screen Sharing
Advice from the Financial Conduct Authority (FCA)
The FCA is advising anyone considering an investment opportunity to check the Warning List of firms, a list of firms and individuals that the FCA know are operating without their authorisation, and not to deal with a firm that is not authorised by the FCA. The specific details of a firm, such as the telephone number and website address can be verified on the FCA Register. The FCA also warns consumers to use the phone number on the FCA Register to make contact with an FCA authorised firm so as to be sure they are dealing with the real firm.
For further information on investment scams and how to spot the warning signs, please scroll down to the section headed ‘Other examples of scams’.
Protect your personal information and identity
Fraudulent activity across the banking and financial services industry is on the increase. Criminals are contacting individuals in a variety of different ways, often claiming to be from trusted organisations such as the government, HM Revenue and Customs (HMRC) or a bank. Regardless of how they make contact, their aim is to deceive people into disclosing personal security information. In some cases this has led to the victims losing considerable sums of money.
Please be extra cautious when receiving any kind of contact, including texts, emails or calls requesting money, asking for personal details or to click on a link, and never disclose confidential information.
At Handelsbanken Wealth & Asset Management Limited, we will never ask you for confidential online banking information. If you have any concerns, please contact your Client Director or the Client Support team immediately.
Top tips to protect yourself online
- Never disclose your security details to others
- Use strong passwords/PINs
- Do not use the same password/PIN for more than one account
- Never write your passwords down
- Only save passwords on private devices
- Keep firewalls and anti-virus software up to date on all devices
- Limit the amount of personal information you provide on social media
- Make sure you have strong security settings on social media
- Only accept online friend requests from people you know
- Don’t do online banking on public wifi
Source: Your Money Matters (Young Money)
A credential stuffing attack is a cyber-attack method that exploits an individual’s tendency to use the same credentials (e.g. username/email address and password combination) across multiple online accounts. The attacks are automated and often large scale, using stolen credentials (e.g. that are leaked by data breaches and made available on the ‘dark web’), to unlawfully access users’ accounts on unrelated websites.
Successful credential stuffing attacks may result in financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Such attacks may also be used to cause intangible harm such as reputational damage by spreading sensitive personal information, disinformation or making false statements about an individual whilst using their compromised account.
The ‘reuse’ of passwords may increase the chances of successful credential stuffing attacks and may be the means through which an attack on an organisation can occur, even when high levels of cyber security have been implemented.
Concerns surrounding password security have increased as the effects of the Covid-19 pandemic resulted in overnight changes to our working and personal life and an unprecedented shift towards online services. In the United Kingdom alone, 27% of the population created at least four new password protected accounts and 6% reported to have opened more than ten new accounts in the last 12 months. Further, a global survey also found that individuals created 15 new accounts on average during the Covid-19 pandemic (equating to billions of new accounts created around the world), and 44% of said individuals reported that they do not plan to delete or deactivate these new accounts. In addition, it was reported that more than half of the millennials surveyed would rather place an order using an app or website as opposed to calling or visiting a location in person.
- Credential stuffing attacks rely on an individual's tendency to reuse the same log-in credentials (i.e. username and password) across multiple accounts.
- Passwords should not be reused in respect of multiple accounts. A strong unique password should be created for each online account, app and service.
- Do not use short passwords.
- Users should not use predictable passwords, such as those based on personal information e.g. a birthday or a pet's name.
- Users should consider using the 'three random words' technique to help create memorable and strong passwords.
- Consider using a 'password manager' to assist in securely storing and using separate passwords.
- Multi-factor authentication should be used where possible.
- If an online account has been compromised, the account holder should change the password immediately along with that for any other accounts protected by the same or similar password.
- Users should routinely check account information for unusual activity or unauthorised transactions, in particular if an account has been compromised or is suspected to have been compromised.
- The relevant financial institution should be contacted if there is a card or other financial information linked to an account that has been compromised or is suspected to have been compromised.
- Users should contact the relevant organisation if an account has been locked by an attacker.
- Devices should be updated and patched regularly to ensure the latest security software has been installed.
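The advice above to change the password on a compromised account "along with that for any other accounts protected by the same or similar password" can be checked mechanically. The following is an added example, not part of the original guidance: the vault entries are constructed sample data, and the 12-character threshold and the definition of "similar" (same base word once trailing digits and symbols are removed) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample export of (account, password) pairs; not real credentials.
VAULT = [
    ("shop.example", "Sunflower2021!"),
    ("mail.example", "Sunflower2021!"),
    ("bank.example", "sunflower2022"),
    ("forum.example", "lamp-otter-violin"),
    ("news.example", "Rex2015"),
]

MIN_LENGTH = 12  # assumed threshold for "short"; the guidance gives no figure


def normalise(password):
    """Reduce a password to its base word so near-duplicates collide:
    lower-case it, then strip trailing digits and punctuation."""
    lowered = password.lower()
    base = re.sub(r"[\W\d_]+$", "", lowered)
    # An all-digit or all-symbol password has no base word; keep it whole
    # so unrelated numeric PINs are not reported as similar to each other.
    return base or lowered


def audit(vault, compromised):
    """Return (accounts whose password must change because `compromised`
    was breached, accounts whose password is shorter than MIN_LENGTH)."""
    passwords = dict(vault)
    if compromised not in passwords:
        raise KeyError(f"unknown account: {compromised}")
    exact, similar = defaultdict(set), defaultdict(set)
    for account, password in vault:
        exact[password].add(account)
        similar[normalise(password)].add(account)
    leaked = passwords[compromised]
    same = exact[leaked] - {compromised}
    near = similar[normalise(leaked)] - same - {compromised}
    short = sorted(a for a, p in vault if len(p) < MIN_LENGTH)
    return {"same": sorted(same), "similar": sorted(near)}, short


if __name__ == "__main__":
    to_change, short = audit(VAULT, "shop.example")
    print("Change because identical:", to_change["same"])
    print("Change because similar:  ", to_change["similar"])
    print("Too short:               ", short)
```

Run against a real password-manager export, the script should be kept on a private device and the export deleted afterwards, since it contains every password in plaintext.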
Social engineering is the use of deception to trick people into performing actions or divulging confidential/personal information for the purpose of data gathering, fraud or systems access. This tactic used by fraudsters is very effective as it manipulates the natural human instinct to trust. Victims are contacted by fraudsters through various channels and duped into releasing information or taking actions which assist the criminals in perpetrating fraud.
Vishing (telephone calls): Fraudsters cold call you at home or on your mobile pretending to be from a trusted organisation – like your bank, the police, a utility provider or a computer company. They may already have some of your details that they will use to convince you that they are genuine.
Smishing (Text message / SMS scams): Fraudsters obtain personal details of a victim by SMS text messages. They usually claim to be from your bank or a company that you have an account or subscription with (e.g. Netflix, Apple, PayPal). The communication may involve a problem with a recent purchase, suspicious activity on your account, or the need to verify account details, and will either contain a link or a number to call.
Phishing (Email scams): Fraudsters send bogus emails to victims with the intention of tricking people into doing ‘the wrong things’ such as clicking a link which will infect your computer/device, extracting data or instructing a course of action to perpetrate a fraud. Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email.
If you think the email is fake don’t reply or release any information – a reply tells the fraudster that the email address is live and you are there.
Other examples of scams
Hoax official scams: Hoax official scams happen when victims are contacted by bogus individuals who claim to be officials such as police officers, HMRC or bank fraud professionals. The scammers usually contact victims by phone but can also send false documentation via phone or post to make their claims appear more legitimate. The scams are aimed at convincing victims to part with their cash by using scare-tactics. Bogus HMRC calls insist victims must make immediate payments to avoid heavy taxes or legal action. Bogus police calls pressurise victims to withdraw high volumes of cash to be either collected by courier or placed into a safe account to support a top secret investigation into bank corruption. And fake fraud calls claiming to be from banks rush victims into releasing personal information and bank credentials by stating that this information is required to stop live fraudulent transactions debiting the victims' accounts.
Investment scams: Investment scams happen when fraudsters convince people to part with their money and invest in fictitious opportunities by providing untrue and misleading information. Fraudsters will often target people via cold calls or emails, and claim to be offering low risk investments which can provide quick and high returns, but if the return sounds too good to be true it probably is! Fraudsters will be persistent and will go to great lengths to scam people by producing convincing paperwork and impressive websites, all to help legitimise the investment. Investment scams can be devastating for victims, with recent reports from the FCA stating that victims lose an average of 22 years of pension savings.
Spot the warning signs:
- Unexpected contact – traditionally scammers cold-call but contact can also come from online sources e.g. email or social media, post, word of mouth or even in person at a seminar or exhibition.
- Time pressure – they might offer you a bonus or discount if you invest before a set date or say the opportunity is only available for a short period.
- Social proof – they may share fake reviews and claim other customers have invested or want in on the deal.
- Unrealistic returns – fraudsters often promise tempting returns that sound too good to be true, such as much better interest rates than elsewhere.
- False authority – using convincing literature and websites, claiming to be regulated, speaking with authority on investment products.
- Flattery – building a friendship with you to lull you into a false sense of security.
Customers should always do their research:
- Is the company FCA regulated?
- Do they appear on the FCA warning list?
- Are they impersonating a legitimate investment company?
- Seek impartial advice
See the FCA website below on how to stay Scamsmart - www.fca.org.uk/scamsmart
Stay Safe – Stay Secure
General rules to protect yourself and others:
- Never provide your full PINs or passwords online – you could be reacting to fake requests generated by malware.
- Never verbally provide your full PIN or password or any system access/challenge codes over the telephone – beware of imposters making vishing calls.
- Never provide access / challenge codes to third parties, even if they claim to be from your Bank or the police. Your log-in credentials are for you and you alone - don’t let a hoax caller rush you into releasing them by using social engineering tactics.
- Don’t be rushed into making a decision. If it sounds too good to be true, it probably is.
- Only purchase goods and services from legitimate retailers and take a moment to think before parting with money or personal information.
- Don’t assume everyone is genuine. It’s okay to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
- If someone claims to represent a charity, ask them for ID. Be suspicious of requests for money up front. If someone attempts to pressurise you into accepting a service they are unlikely to be genuine. Check with family and friends before accepting offers of help if you are unsure.
- For advice on scams call Citizens Advice Consumer Helpline on 0808 223 11 33
- To report a scam call Action Fraud on 0300 123 2040
- Contact your bank if you think you have been scammed.
Remember that fraud can happen at any time and catch you off-guard so ensure you are always vigilant. If you do see something that doesn’t look right and think you may have been defrauded, don’t delay, it is far better to be safe than sorry.
Measures taken at Handelsbanken Wealth & Asset Management Limited to ensure your accounts stay safe
Should we receive an email or telephone call from a customer or third party to discuss any account(s) or provide any instructions, we always undertake the necessary verification checks. This may include asking you to confirm your full name, date of birth, address, type of accounts that you hold with us etc.
If an email sets out an instruction, such as a withdrawal request, or some change to a customer’s data, then we would always contact the individual on a telephone number that we already hold on file to confirm this instruction. We will never change a customer’s address, bank details or authority instructions without speaking with the customer beforehand.
Get Safe Online is the UK’s leading source of information and advice on online safety and security, for the public and small businesses. It is a not-for-profit, public/private sector partnership backed by a number of government departments, law enforcement agencies and leading organisations in internet security, banking and retail.
For more information and expert, easy-to-follow, impartial advice on safeguarding yourself, your family, finances, devices and workplace, visit www.getsafeonline.org.
If you think you have been a victim of fraud, report it to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040.
If you are in Scotland, contact Police Scotland on 101.