Skip navigation
Content HubGuidesA beginners guide to phishing and online fraud
Guides
Fraud advice
Small business tips
All
Copy link

A beginners guide to phishing and online fraud

Written by: Mettle editorial
6 min read
What is phishing? 
How to recognise a phishing scam 
What are account takeover scams
Take five to protect yourself from fraud 
How to report a scam
How to create a strong password
Why you need multi-factor authentication (MFA)
If Mettle ever needs to contact you

Fraudsters are always finding new and creative ways to get at your hard-earned money. Being vigilant online is increasingly important. This guide offers some tips on how to spot a scam, report it, and keep your data safe online.

What is phishing? 

These days, we’re used to receiving regular fraudulent messages from poor Aunt Petunia in the US or the prince of a faraway land. We understand how these typo-riddled emails attempt to draw us in with big promises and ask for money to deliver on them. 

But phishing attacks have become a lot more sophisticated than that, and they aren’t always easy to spot. 

So what is phishing? It’s when attackers attempt to trick you into doing 'the wrong thing'. This could be clicking on a bad link that will download malware, or directing you to a dodgy website. However, threats against you and your business aren’t always this obvious to spot. These are carefully planned and often appear innocent at first, but soon after, the losses can add up. Which we can see from the 2022 UK fraud stats, where fraudsters stole £1.2bn, earning the UK the title of ‘fraud capital of the world’.

Phishing falls under the umbrella of ‘social engineering’. This is the practice of manipulating and exploiting people to gain access to your systems, information or money. It could involve your typical phishing emails, phone calls from someone claiming to be your bank or even a message on social media from a ‘friend’ in need. 

But the term 'phishing' is mainly used to describe attacks that arrive by email. This is because phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.

Phishing emails can hit an organisation of any size. You might get caught up in a mass campaign (where the attacker is just looking to collect some new passwords or make some easy money), or it could be the first step in a targeted attack against your company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign, the attacker may use information about you or your company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.

How to recognise a phishing scam 

Phishing scams normally trick you by playing on your emotions or creating a story to get you to click on a link or share your information. They do this by pretending to be your bank, doctor, the government or anyone with authority to create urgency and legitimacy with their claims. 

The fraudsters could:

  • Claim they’re from your bank and have noticed some suspicious activity or log-in attempts, asking you to decline transactions and to add new (fraudlent) payees instead

  • Claim there’s a problem with your account or your payment information 

  • Say you need to confirm some personal or financial information 

  • Ask for your security information, like recovery codes or pin numbers

  • Want you to click on a link to make a payment 

What are account takeover scams

According to Action Fraud, account takeover is when a scammer gets hold of your login credentials to your online bank account to steal your money or information. They normally get your details through phishing scams or if there has been a data breach where your details were leaked.  

Experian explains that there are multiple things fraudsters can do once they get your banking information, such as: 

  • Order a new card from your bank or credit card provider to make purchases with

  • Access and redeem your account credits or rewards points for their own benefit

  • Make a payment to a fraudulent company from your bank account

  • Open a new bank account in your name

If you ever notice any unusual transactions on your account, contact your bank immediately. At Mettle you can reach out to us through the in-app chat (see the If Mettle ever needs to contact you section for more information).

Take five to protect yourself from fraud 

Fraudsters are good at putting you under pressure so that you don’t have time to think. To help you in situations like this, UK Finance has launched its ‘Take Five to Stop Fraud’ campaign to help you spot scams and keep yourself and your hard-earned money safe. 

They advise: 

Stop – Take a moment to stop and think before giving out your personal information or payment details

Challenge – Could it be fake? It’s okay to reject, refuse or ignore any requests you think seem suspicious 

Protect – If you believe you’ve been targeted by scammers, report it to Action Fraud on 0300 123 2040 or at actionfraud.police.uk. If you’re in Scotland, please report it to Police Scotland directly by calling 101.

How to report a scam

If you think you’ve come across a fraudulent email scam, you can report it to the National Cyber Security Centre (NCSC) by forwarding it to report@phishing.gov.uk. The NCSC recommends you forward on as many scam emails as you come across. Since January 2023, they have removed 209k scam URLs.

If you’ve received a suspicious text message, you can forward it to 7726. Your provider will then be able to investigate the text message. 

If you’ve been hacked or lost money because of a phishing scam, you must report it to Action Fraud. In England, Wales and Northern Ireland you can report this via the Action Fraud website or by calling 0300 123 2040. If you’re in Scotland, you need to report it to Police Scotland by calling 101.

How to create a strong password

Spotting phishing attacks and online scams is one thing, but protecting yourself and your information against attacks is another. 

For starters, let’s look at passwords and how to set a strong one. The first rule of setting a password is that it should be unguessable. By unguessable, that also means by people who know things about you. 

It’s pretty easy for a stranger to work out your birthday, perhaps how many children you have or your pet's name. All this information is normally shared across social media, and so, makes passwords related to those easier to guess.

The problem with using random numbers and letters – which, as you guessed, are more unguessable – is that they are also more difficult to remember. When it comes to a strong, unguessable password, one way to do it is to pick three or four unconnected words and a number. 

When it comes to remembering it, there is a technique for that too. The easiest way is to think of a few items, objects, or feelings, and then work that into a little story. So you might, for example, think of your:

  • Favourite book

  • Favourite band

  • A town you drove through recently, and 

  • An emotion

Then, put those words into your password with a number or special character, for added security. For example: 

HarryPotterL0ndonH@ppy1

Why you need multi-factor authentication (MFA)

But passwords alone aren’t always enough to protect your information. Having an added layer of security, like multi-factor authentication – or two factor authentication (2FA) – is also important. 

We’re all familiar with websites such as Amazon, Facebook, and Twitter that require you to create an account and protect access to it with a unique user ID (usually your email address) and a password. MFA takes that one step further. Having a strong password is great. Having a second layer of defence is even better.

So even if the attacker knows your password, they won’t be able to access your account without that second factor of authentication. It’s an extra line of defence for you. There are different types of MFA, like:

  • SMS or email one-time codes

  • Authenticator apps such as Google authenticator

  • Physical security keys such as YubiKeys

  • Biometric authentication such as TouchID, FaceID, etc.

The NCSC recommends that you set up MFA on your 'important' accounts. These are your high-value accounts such as your banking apps, that if hacked, could cause a lot of damage. Your email should also be included. If a cybercriminal can get into your email, they could use it to reset passwords and access to other accounts.

If Mettle ever needs to contact you

Here at Mettle, we want to ensure that all of our customers know what we’ll do if we ever need to contact you. And most importantly, the information we’ll never ask you to provide. 

We’ve outlined the different ways we’ll contact you and the information we ask for in this article. If you get contacted in a different way or asked to provide any additional or different information, then it’s most probably a scam.

If this happens, or if you’re unsure it’s really us contacting you, you should hang up and call us back using the number on the back of your Mettle card.

Sound good? Apply now

Mettle is free and easy to open. Available on iOS and Android.

Open account
mettle wallpaper communication
Mettle editorial
linkedIn logo

At Mettle, our aim is to give everyone the financial confidence to work for themselves, and that’s no different with our content. We want to give small business owners, freelancers and sole traders the tips, tricks and industry updates they need to run their businesses. 

You might also like

3 min read
How to keep yourself safe from scammers

5 min read
Why two-step verification is important for your side hustle

3 min read
Small business guide to cyber security | Step 1: Backing up your data