
Advice Column: Avoiding online scams

Top tips to avoid online scams


Online scams are schemes to con you out of your money using your computer and the internet, either through fake websites or emails. Although there are many ways scammers can get into your computer to steal your money and identity, there are ways you can protect yourself.

What you can do to protect yourself

To protect your identity and cash from online scammers:

  • only allow someone to remotely access your computer if they are from a trusted source, such as your internet service provider
  • create passwords which are long, unique and use a mix of random numbers and lower and upper case letters. The longer the password the harder it is to guess. A ten digit password is better than an eight digit one. Make sure you change passwords regularly and don’t share them
  • use antivirus software and keep it up to date. This will check for malicious computer programmes and monitor files before they are opened. Up-to-date software is important to protect against the most recent viruses. If you buy software online make sure it is from a genuine supplier
  • understand what software you are installing on your computer or phone and make sure you are using a secure site when you buy software, a tablet or a smartphone. A secure site will have a web address beginning with https, not http
  • make sure you leave your firewall switched on. A firewall is a security shield that stops scammers getting into your computer. Operating systems such as Windows come with built-in firewall settings. They can monitor and warn you of unexpected access to your computer
  • make sure you regularly install updates to your operating system. Windows is an example of an operating system
  • install the latest version of your web browser, for example Internet Explorer, which will have the latest security features
  • don’t open suspicious or unknown emails, email attachments, texts or pop-up messages. For example, an email with an unusually worded subject heading
  • no genuine online company will contact you to ask for your log-in details, such as your password or user id. You should only need to provide this information when you are logging onto a service such as online banking
  • before entering payment card details on a website, make sure the link is secure.


Phishing is a way scammers try to steal your identity and gain access to user names and passwords, to then steal money.

Phishing usually takes place through spam emails sent to millions of addresses. These emails look like they come from genuine companies, usually a bank or credit card company, and they ask for details of your account.

The company claims you need to update or confirm your account details by clicking on a link. The link then takes you to a bogus website where your details can be used by criminals.

Your bank will never ask you to confirm your user name or password by clicking on a link in an email and visiting a website.

How can I spot a spam email?

You can often tell a spam email because:

  • the sender’s email or web address is different to the genuine organisation’s addresses
  • the email is sent from a completely different address or a free web mail address
  • the email does not use your proper name, but uses a non-specific greeting such as ‘dear customer’
  • the email threatens that unless you act immediately your account may be closed
  • you’re asked for personal information, such as your username, password or bank details
  • the email contains spelling and grammatical errors
  • you weren’t expecting to get an email from the company that appears to have sent it
  • the entire text of the email is contained within an image rather than text format
  • the image contains a link to a bogus website
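
The warning signs listed above can also be checked automatically. The sketch below is an added example, not part of the original advice: the domain example-bank.example, the webmail list, the phrase patterns and both sample messages are constructed assumptions, and it handles single-part emails only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed illustrative values; a real filter would use maintained lists.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
GREETING = re.compile(r"\bdear (customer|user|account holder)\b", re.I)
THREAT = re.compile(r"\b(immediately|urgent\w*)\b.{0,80}\b(closed|suspended)\b", re.I | re.S)
ASKS = re.compile(r"\b(confirm|update|verify)\b.{0,60}\b(username|password|bank details)\b", re.I | re.S)
LINKED_IMAGE = re.compile(r"<a\b[^>]*href=[^>]*>\s*<img\b", re.I)

def spam_indicators(raw_message, genuine_domain):
    """Return the warning signs from the list above found in one email."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    visible = re.sub(r"<[^>]+>", " ", body)  # text left once HTML tags are removed
    found = []
    if domain != genuine_domain and not domain.endswith("." + genuine_domain):
        found.append("sender address differs from genuine organisation")
    if domain in FREE_WEBMAIL:
        found.append("free webmail sender")
    if GREETING.search(visible):
        found.append("non-specific greeting")
    if THREAT.search(visible):
        found.append("threat to close account")
    if ASKS.search(visible):
        found.append("asks for personal information")
    if "<img" in body.lower() and not visible.strip():
        found.append("text contained in an image")
    if LINKED_IMAGE.search(body):
        found.append("image links to a website")
    return found

# Constructed sample messages (not real emails); the domains are placeholders.
TEXT_SAMPLE = """\
From: "Example Bank" <security@examp1e-bank.example>

Dear customer,
Unless you act immediately your account may be closed.
Please confirm your username and password using the link below.
"""
IMAGE_SAMPLE = """\
From: Example Bank <examplebank.alerts@gmail.com>
Content-Type: text/html

<html><body><a href="http://login.invalid/"><img src="notice.png"></a></body></html>
"""
```

Calling `spam_indicators(TEXT_SAMPLE, "example-bank.example")` lists the signs found in the first message; a message showing none of them returns an empty list, which does not prove it is genuine.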

How can I spot a phishing website?

You may be able to tell a website isn’t genuine because:

  • the website’s address is slightly different to the genuine company’s
  • there are spelling and grammatical errors on the page
  • the site isn’t secure. A genuinely secure web address where you’re being asked to send sensitive personal information should always start: https://. Websites that start http:// aren’t as secure.
  • the padlock for secure sites isn’t in the website browser, at the top or bottom of the page.

Making sure you have a secure link

You can make sure you have a secure link in three ways:

  • check there’s a padlock symbol in the browser window frame, which appears when you attempt to log in or register. Be sure the padlock is not on the page itself – if it is, this will probably indicate a fraudulent site. If you’re not sure whether a site is genuine, click on the padlock and check the security certificate, which tells you if the site is authentic. Only valid certificates issued by approved authorities are trustworthy. If you’re still unsure, check if the name on the certificate matches the name of the company behind the website.

  • check the web address begins with ‘https://’. The ‘s’ stands for ‘secure’
  • if you’re using the latest version of your browser, the address bar or the name of the site owner will turn green.

If you receive a possible scam email

If you have opened a scam email:

  • don’t reply to the email
  • don’t click on any links in the email or open any attachments
  • if you have already clicked on a link and opened a website, don’t give any personal information out.

Other useful information

Reporting a problem to Trading Standards

Trading Standards deal with complex consumer problems and potential criminal activities.

If you want to report a problem to Trading Standards, you should contact the Citizens Advice consumer service, who share information reported to them with Trading Standards.

Copyright Citizens Advice. For the most up-to-date advice, please visit our Citizens Advice public site.