https://metro.co.uk/wp-content/uploads/2019/11/PRC_102206146.jpg?quality=90&strip=all

What to do if you fell victim to the fake John Lewis £100 voucher scam

29 Nov 2019, 12:16 by Jasper Hamill

Yesterday, we revealed that a highly convincing scam promising £100 of John Lewis vouchers was doing the rounds on WhatsApp.

Dozens of people contacted us to tell us they had fallen victim to the fraud.

The scam is spread using an email which invites people to click on a link to get free vouchers.

This link leads to a very convincing website which asks visitors to hand over their address – putting them at risk of fraud and identify theft – and send the message to their other WhatsApp contacts.

We spoke to cybersecurity experts to ask for advice on what to do if you were tricked into handing over your address.

The first thing to do is change your WhatsApp password so that no-one can access your account. It’s not yet known whether the fake John Lewis page is boobytrapped with viruses, but you should keep an eye out for unexpected activity on your device just in case.

Advertisement Advertisement

If you’re really concerned, you could try deleting WhatsApp and reinstalling it. This will also ensure you have the very latest version of the app, which features all the security updates released to address problems as they arise.

The main risk you face if you handed over your address is fraud or identity theft, but there are steps you can take to protect yourself.

https://i0.wp.com/metro.co.uk/wp-content/uploads/2019/11/PRI_102205265-e1574952235675.jpg?quality=90&strip=all&zoom=1&resize=768%2C1190&ssl=1 — A screenshot from the website set up to scam people and steal their personal information (Image: Metro)

How to spot a scam

If you receive a message containing a web address, make sure you double-check it’s real before clicking on it. The names of fake sites are made to look very convincing.

If you visit a webpage, look out for spelling mistakes, bad grammar or anything else which suggests it is not a genuine site.

When a website asks you to hand over personal information, it could be a scam. If this includes bank details, then it’s probably designed to fleece you.

Check the contact details for a company. If they are vague, it could be a front for scammers.

If you feel as if you are being ‘hurried’ into making a decision, it may be a scam. Take a deep breath and think.

Does an offer look too good to be true? Then it probably is. Avoid it.

If you’re asked to hand over passwords for your account with any website, then you could be dealing with fraudsters.

Kelli Fielding, managing director of consumer markets at TransUnion in the UK, told Metro: ‘If you think you have fallen victim to a cyberscam, you must make sure you immediately check your credit report.

Advertisement Advertisement

‘Regularly checking your credit report can help you monitor for ID fraud, as if someone tries to use your identity in a scam, this might be one of the first places you spot it.’

You can do this by filing a fraud alert with TransUnion or the websites Experian and Equifax.

This will tell money lenders that you’re at risk of fraud and they will take extra steps to make sure applications for loans, credit cards or other financial services are genuine before proceeding.

To use TransUnion to monitor your credit report regularly, you can also sign up to one of the following free online services: Credit Karma, MoneySuperMarket, or TotallyMoney.

If you’re concerned, you should also contact your bank.

Robert Capps, vice president at NuData Security, a Mastercard company, added: ‘To combat financial scams, consumers should always report dubious emails to their banking providers.

‘No legitimate organisation will ask for security or banking details, so consumers need to be suspicious of any emails that request this information. Meanwhile, there are steps that consumers can take to help secure themselves.’

He also told consumers to shop with well-known companies online or use safer payment systems such as PayPal, Apple Pay, or Android Pay, to avoid providing your payment details directly to an unknown merchant.

If a website asks for personal information, make sure you know exactly who you are dealing with.

Adam Brown, manager of security solutions at Synopsys, said: ‘The best practice is to be very careful of anything that you click or tap.

‘Check the address of the link that you are about to click and that it goes to a reputable or known address only.

How to protect yourself against scams

John Graham Cumming, chief technology officer of the security firm Cloudflare, offered the following tips:

Encrypt your web traffic on your phone: There are several apps – both free and paid–that you can download that encrypt the traffic leaving your phone to prevent anyone from snooping on you. One example is 1.1.1.1 with Warp.
Protect your wifi at home: In addition to protecting your phone web traffic, you should also make sure your home internet connection is secure. You can do this by using a third-party DNS resolver to enhance your online security and performance.
Check your bank account: from card skimmers to data breaches, hackers are looking for ways to steal credit card information for their own gain. The best way to ensure your financial information hasn’t been compromised is to check your transactions frequently to ensure you recognize all of the activity.
Know a phishing scheme when you see it: Phishing is a type of scam where criminals send an email that appears to be from a legitimate company and ask you to provide information such as passwords or your social security number. You should always make sure you know the email address it’s coming from and if you aren’t sure, call the company to ask if they would have sent that email.

Scammers work hard to make sure the fake websites they build look convincing. So, for instance, the John Lewis fake address featured the words JohnLewis.com in the address but then had several other words afterwards which led to a dodgy fake site.

‘In a web address the last part (of the part with the dots and before the slashes) is the ultimate destination of the traffic, so be very clear about where you are and the information you are willing to divulge,’ Brown added.

‘For example “logging in” to a spoof site like that leaves the attackers with your credentials, even just accessing such a site can result in unwanted control of your browser or attempts to install malicious apps.

‘Do not install apps from unknown locations or apps with dubious producers and of course, remember that if it’s too good to be true it more than likely is.’

The John Lewis voucher scam was particularly tempting because it comes near Christmas, when millions of Brits will be flocking to the shops.

Cybercrooks also tend to focus their attention around major shopping days.

Dr Max Eiza, lecturer in computing at the University of Central Lancashire said: ‘Big shopping events such as Black Friday and Cyber Monday bring a lot of people online, so it’s a prime opportunity for scammers to take advantage of unsuspecting shoppers.

“Retailers rarely use messaging apps, so consumers should be especially wary if asked to provide their WhatsApp details to access any offers. If you receive any messages that claim to be from a retailer, that you’re even a little suspicious of, it’s safest to simply ignore and block the sender.

“It’s also worth checking the retailer’s official website and social media. If the offer is not available or advertised there, you can be assured that the message you’ve received is a scam.’