Christmas Buyers Beware - Tonight

Adam Shaw on the Christmas set, where shoppers were tricked into revealing their security details while shopping. Credit: ITV / Tonight

Christmas is just around the corner, and as the shopping frenzy gets underway, there’s a risk that we might let our guard down.

Online fraud during the festive period has increased by 24% in the last three years, with victims losing nearly eleven and a half million pounds.

Techniques used by fraudsters are now more sophisticated than ever. Tonight tested just how convincing fake emails and texts can be. We invited six members of the public to join us in a studio to take part in a Christmas online shopping challenge. Our unsuspecting shoppers set about looking for the best festive deals on the internet, unaware that we had a team of security experts next door, sending them a variety of fake emails and texts. They simulated the sort of messages that fraudsters send to thousands of people, in a technique known as ‘phishing’. For example, imitating existing companies and retailers, encouraging people to click on links, and input personal information.

During the challenge, all six of the shoppers clicked on a website link in a fake email, believing it to be genuine. Clicking on a link sent by a fraudster can result in a virus being downloaded onto your device, or it can take you to a convincing fake website where you may enter personal login details. Four out of the six shoppers also submitted personal data, unwittingly giving away some of their existing account passwords for online retailers. If this had been a real phishing attack, a criminal would have access to their online account, and they could try to get access to other accounts that use the same, or a similar, password. Giving away personal information can also increase risk of identity theft, and being targeted by future scams, in which the fraudster can use the information to convince the victim that they are legitimate.

Adam French from 'Which?' warns about common techniques scammers will use to get your data. Credit: ITV / Tonight

“Scammers will get hold of a lot of phone numbers. This could be off the back of data leaks for example, and then they will just target everyone with the same message The more people they can get in touch with, the more likely it is they'll find someone they can defraud. It's so important you verify everything independently yourself. You cannot trust any contact out of the blue.”

Adam French, Consumer Editor for 'Which?'.

Jim King from Surrey received a text which appeared in a chain of existing text messages from his bank. The message warned him that they had detected unusual activity on his account, and requested him to call him on a number provided in the text. The text had been sent by a fraudster using who then impersonated his bank on the phone. They obtained security details and stole £12,857 from his account.

Julie and Simon have majorly suffered at the hands of online scammers. Credit: ITV / Tonight

Julie and Simon from Portsmouth decided fulfil a long held dream to buy a motorhome. They found exactly what they were looking for on Ebay, contacted the seller, and confirmed purchase of the item for £8,500. They received an email seemingly from Paypal, with details of how to make the payment safely and securely. The email instructed them to transfer the money to Paypal where it would be held until they had viewed and approved the vehicle. Julie went to the bank with the email invoice to make the payment. But the email had been a fake, and the bank details on the invoice were for the personal account of a fraudster who stole the £8,500.

Almost one hundred and fifty million pounds has been lost to this type of fraud in the first half of this year. It is known as ‘Authorised Push Payment’. Only around a fifth of people get their money back, with many banks currently refusing to refund victims because they have authorised the transfer of money themselves.


  • Be aware that fraudsters can use ‘number spoofing’ to send you a call or text that appears to be from a trusted company such as a bank, or HMRC. Texts can even appear in a chain of existing messages in your phone. Avoid calling any numbers sent to you in this type of text. If in doubt, contact the company separately to check if it is genuine.

  • Do not download documents or click links in unexpected or suspicious emails. They could contain malware. Phishing emails may also have a sense of urgency, contain links or attachments and have spelling errors.

  • Watch out for fake websites. Double check the domain to see if it looks right. To be on the safe side, avoid entering personal information on a website that doesn’t have ‘https://’ at the start of the address. The S stands for secure and indicates that the website uses encryption to transfer data, protecting it from hackers.

  • Never access sensitive data and avoid entering personal credentials whilst on public wifi. Check the network name before connecting and confirm it is secure with the vendor. Do not ask your device to remember or auto-connect to public networks.

  • Don’t pay for goods or services by bank transfer unless you know and trust the person. Unlike credit or debit card transactions, payments via bank transfer offer you no protection if you become a victim of fraud.

  • Look after your personal information by keeping tight privacy settings on your online social media accounts. Regularly review your security and privacy settings.

  • Be wary of counterfeit products, especially cosmetics, toys, and electrical items which can put your health at risk. If the price looks too good to be true then it probably is. Stick to retailers that you have heard of. It is a warning sign if the packaging has no importer or manufacturer details, and/or no address. If you think you have bought a counterfeit item, keep the evidence and contact Trading Standards.

  • If you have been a victim of a scam, contact Action Fraud to report it. They can provide advice and can also put you in touch with victim support.

You can test how savvy you are at spotting a phishing scam on this online resource provided by The Security Company (International) Limited:

Useful Links