Part 2 of our plain-English series on fraud and how to protect yourself. Part 1 is at news.atozofcyber.co.uk
Last week we covered how scams work psychologically — the techniques that make all of us, regardless of intelligence or experience, vulnerable under the right conditions. This week is practical. These are the specific scams most active in the UK right now, how each one works step by step, and the single most important thing to know about each one.
The HMRC scam
HMRC — His Majesty's Revenue and Customs — is one of the most impersonated organisations in the UK. In the twelve months to April 2025, HMRC received nearly 200,000 reports of suspicious contact from members of the public claiming to be from the tax authority.
The scam comes in two main flavours. The first is the tax refund: a text, email, or call claiming you are owed a refund of £485 (or some similarly specific-sounding amount) and asking you to click a link or call a number to claim it. The link leads to a convincing fake HMRC website that harvests your bank details.
The second is the tax debt: a call or voicemail claiming you owe money to HMRC and threatening immediate arrest, court action, or bailiffs if you do not pay now. The urgency is intense, the language official, and the caller may already know your name and approximate location.
What HMRC will never do: call you out of the blue threatening arrest; demand payment by gift card, voucher, or cryptocurrency; ask for your bank details over the phone; or send you a refund via a text message link.
If you receive any contact claiming to be from HMRC that asks you to act immediately, hang up or delete it and contact HMRC directly at gov.uk/contact-hmrc or 0300 200 3300.
The parcel delivery scam
This is the highest-volume scam in the UK by message count. Criminals send texts or emails impersonating Royal Mail, Evri, DPD, DHL, or Amazon claiming there is a problem with your delivery — a missed delivery fee, a customs charge, an address confirmation needed. The message contains a link to a convincing fake courier website asking for a small payment, usually £1–3, and your card details.
The card details are the point. The £1.99 fee is irrelevant. Once your card details have been entered on the fake site, they are harvested for use in much larger fraudulent transactions.
The scam works because almost everyone in the UK is expecting a parcel at almost any given time. The message does not need to know you specifically — it just needs to reach enough people that a significant proportion happen to be expecting a delivery when it arrives.
What legitimate couriers will never do: request payment via a link in a text message; threaten to return your parcel within 48 hours of a single delivery attempt; ask for your full bank card details to redeliver. If you are unsure about a delivery message, go directly to the courier's official website by typing the address yourself — never click the link in the message.
The bank impersonation scam
Your phone rings. The caller says they are from your bank's fraud team and that suspicious transactions have been detected on your account. They may already know your name, your sort code, and the last four digits of your card — information obtained from previous data breaches. They sound professional, calm, and concerned.
They then tell you that your account has been compromised and that to protect your money you need to move it to a "safe account" they will set up for you. Or they ask you to confirm a transaction by reading out the one-time passcode that has just been sent to your phone.
There is no safe account. The account they describe is controlled by the fraudster. The one-time passcode, as we covered in our February article on MFA, should never be read out to anyone for any reason.
This is called an Authorised Push Payment scam — you are tricked into voluntarily transferring your own money to a criminal. APP fraud losses in the UK reached £459 million in the first half of 2025 alone.
What your bank will never do: ask you to move your money to a safe account; ask you to read out a one-time passcode; ask you to transfer money as a fraud prevention measure.
If you receive a call like this, hang up. Wait five minutes — criminals sometimes stay on the line to intercept your callback. Then call your bank on the number printed on the back of your card.
Important new protection: since October 2024, the Payment Systems Regulator requires banks to reimburse victims of APP fraud up to £85,000 within five business days, provided the victim met a basic standard of care. If you have been a victim of this type of scam, contact your bank immediately and reference APP fraud reimbursement.
The "Hi Mum" and family emergency scam
A WhatsApp message arrives from an unknown number. "Hi Mum, it's me. I've lost my phone and I'm using a friend's. I'm in a bit of trouble and need some money urgently. Can you help?"
The message exploits the one thing that bypasses almost every rational safeguard: parental instinct. The fear that your child is in danger short-circuits careful thinking faster than almost any other trigger.
The scammer will typically claim to need money for an emergency — a broken phone, a missed flight, a medical bill — and ask for an urgent bank transfer. They will have excuses for why they cannot video call. They will be warm, grateful, and plausible.
The protection is simple: before doing anything, call your child on their usual number. If the message is genuine, they will answer or call you back. If the number is unreachable, try another family member. Do not transfer money based on a WhatsApp message alone, however convincing.
The purchase scam
A car for sale at a price that seems very good. A concert ticket for a sold-out show. A rental property at a competitive rate. A designer item at a discount. The listing looks genuine, the seller seems responsive, and the price is attractive without being implausible.
You are asked to pay by bank transfer — not by card, not through the platform's payment system, but directly into an account. The item does not exist. The seller disappears.
Purchase scams are the most reported type of fraud in the UK by volume, accounting for 39% of all cases in the year to January 2026.
The protection: always pay through the platform's own payment system where one exists. Pay by credit card where possible — Section 75 of the Consumer Credit Act gives you protection on purchases between £100 and £30,000. Never transfer money directly to someone you have not met in person for something you have not seen. If a seller insists on bank transfer only, walk away.
The QR code scam
This one is newer and growing. A QR code on a parking meter, a restaurant table, or a public poster has been replaced — or placed over the original — with one controlled by a scammer. You scan it expecting to pay for parking or see a menu and are taken to a convincing fake page that harvests your payment details.
This is sometimes called quishing — QR phishing. It works because QR codes are now familiar and trusted, and because the URL they take you to is not visible before you scan.
The protection: before entering any payment details after scanning a QR code, check the URL carefully. Look for subtle misspellings — "royalrnail" instead of "royalmail" — or unusual domain endings. If you are paying for parking, check the physical meter for signs of tampering — a stuck-on QR code over the original is a warning sign.
What does this mean for me?
Save 159 in your phone now. This is the Stop Scams UK number — it connects you directly to your bank's fraud team and works with most major UK banks. Dialling it from the phone you received the suspicious call on means you know you are genuinely calling your bank, not a scammer who has stayed on the line.
Pay by card wherever possible. Bank transfers offer very little protection once money has left your account. Credit cards offer the most. Where you must use bank transfer, use the confirmation of payee check — your bank will tell you if the account name does not match the intended recipient.
Treat every unsolicited contact as unverified. A call, text, or email you did not initiate should be treated as unverified regardless of how it looks or what it knows about you. Verify through a channel you control — the official website, the number on the back of your card — not through a link or number the message provides.
Report it even if you did not lose money. Report Fraud (which replaced Action Fraud in December 2025) can be reached at reportfraud.police.uk or 0300 123 2040, 24 hours a day. Reports that do not result in an investigation still build the national intelligence picture that helps prevent future fraud.
🧠 The Human Factor
| Technology involved | SMS, email, phone calls, WhatsApp, QR codes, fake websites, and increasingly AI-assisted voice and text impersonation of trusted brands and institutions |
| Root cause | Every scam in this article relies on impersonation of something trusted — a bank, a courier, a tax authority, a family member — combined with urgency that prevents careful verification |
| What was at risk | Bank account contents, card details, personal credentials — and in purchase scams, money transferred for goods that do not exist |
| Prevention | Save 159; call back on official numbers; pay by card; never transfer money to a "safe account"; verify family emergencies with a direct call before doing anything |
Next in the series: Romance and friendship scams — the long game.
References and sources
- NCSC: AI phishing warning 2026 — ncsc.gov.uk
- Payment Systems Regulator: APP fraud reimbursement rules (from October 2024) — psr.org.uk
- UK Finance: APP fraud statistics H1 2025 — ukfinance.org.uk
- Report Fraud (replaced Action Fraud December 2025) — reportfraud.police.uk or 0300 123 2040
- CallerCheck: Parcel delivery scam guide (updated March 2026) — callercheck.co.uk
- Beacon IT: UK Cyber Crime Statistics 2026 — beaconit.co.uk
- Stop Scams UK (dial 159) — stopscamsuk.org.uk
- HMRC: Report suspicious contact — gov.uk/contact-hmrc