In 2023 alone, UK businesses lost £83.3 million to authorised push payment (APP) fraud, which is when a victim is duped into sending money to a fraudster. Whether it’s clever phishing emails, AI-powered deepfakes, or sham insurance policies, scammers' tactics are constantly evolving.
While ensuring your business has the required card payment security measures is one of the best ways to protect you and your customers from fraud, prevention also means being clued up on how scammers are tricking people out of their hard-earned cash.
To help you stay one step ahead, here are some of the latest scams circulating in 2024. We break down how to spot them and, most importantly, how to protect your business and your customers from falling victim.
1. Crypto romance scams
Romance scams have been around for a while, but the rise of cryptocurrency has given fraudsters a new way to exploit their victims. Known as crypto romance scams or CryptoRom scams, these crimes typically involve a scammer building a relationship with the victim online, gaining their trust, and eventually convincing them to invest in a fake cryptocurrency opportunity.
Since cryptocurrency is untraceable, it’s nearly impossible to track the owner or identity of a crypto wallet, so fraudsters can trick victims out of their money without getting caught.
CryptoRom scams are a type of authorised push payment (APP) fraud, and according to UK Finance, romance scams reached staggering levels in 2024, with a 14% increase in cases compared to 2023 and total losses of £36.5 million.
The signs:
- A fast-moving relationship – Some fraudsters can spend months building up a relationship to foster a sense of trust. However, not all will be patient and the biggest sign that someone may have ulterior motives is if the relationship is accelerating quickly.
- A refusal to meet in person – Scammers reside all over the world and can target victims anywhere. If they consistently rebuff efforts to meet in person or via a video call, or give excuses not to, it could be a sign that they may not be who they claim to be.
- Constant talk of financial troubles – In many CryptoRom scams, finances or financial issues are mentioned early on in the relationship. This could indicate that scammers are laying the foundations for making money.
- Pressuring for crypto investments – The most obvious sign is if victims are asked directly for money or investment.
How to try and avoid this scam:
- Background checks – Search social media profiles for evidence that the person is real; if the profile was made recently or lacks information, it could be a red flag that it doesn’t belong to a legitimate person.
- Take note of the language used – Given the rise in AI tools, many scammers use artificial intelligence to scam victims en masse. Unnatural wording and generic conversations without personal or unique qualities are signs that someone may be using AI to fuel a crypto romance scam.
- Never share financial details – No matter how genuine someone may seem, never share financial information or make investments on behalf of someone you've never met in person.
2. QR code scams
Tableside service via QR codes became a staple of the customer experience during the COVID-19 pandemic, allowing people to order food, pay bills, or access information with a simple scan.
But as this technology became more widespread, scammers have found ways to exploit it.
‘Quishing’ — a phishing attack using QR codes — is on the rise, accounting for 11% of phishing emails. Fraudsters are creating fake QR codes that direct users to malicious websites. These scams often target places where QR code technology is used for convenience, such as restaurants or car parks, tricking people into providing their personal and financial details.
To make matters worse, over half (53%) of UK consumers have trouble spotting a malicious QR code.
The signs:
- Inconsistent branding on QR codes – If the branding on a QR code doesn't match the branding of a business or appears amateurish, it can be a big red flag. Well-established companies typically maintain consistent branding across all platforms.
- Suspicious elements on the code – If some visible anomalies or elements seem out of place — like stickers placed on top or evident alterations in the pattern — it could indicate that the code has been tampered with. Legitimate QR codes should have a clean, unobstructed design without any unusual additions.
- Codes in unusual or random places – Think about the location and context of where a QR code is placed. It could be an unauthorised scam attempt if it randomly appears somewhere that doesn't seem logical, like an obscure corner of a room or slapped on a public space without any explanation. Real QR codes from businesses will be strategically placed to help the user.
How to try and avoid this scam:
- Check for Secure Sockets Layer (SSL) certification – The website that a QR code directs a user to should always be SSL certified. You can spot a secure, SSL-certified site if the web address starts with “https://” and there is a padlock icon next to the URL.
- Look for two-factor authentication – Also known as 3D Secure Authentication (3DS), two-factor authentication is a key security feature when making online payments. Secure sites that use 3DS will have a Visa Secure, MasterCard SecureCode, or American Express SafeKey logo on them.
3. Football and concert ticket scams
High-demand events like Premier League matches have sometimes felt like the Wild West, rife with ticket touts and scammers who seize the opportunity to make a quick profit by selling fake tickets.
In the 2022/23 season, football ticket scams increased by 68%, with victims losing an average of £410 to ticket scammers, according to Lloyds Bank. Concert ticket scams are also on the rise, especially for sold-out shows and popular concerts for big names like Taylor Swift and Oasis. Taylor Swift sold an estimated 4.35 million tickets across her 60-date tour; however, new data revealed that the artist’s world tour accounted for 20% of fake ticket scams in 2024.
Nefarious ticket touts take advantage of the fact that official tickets for many sporting events sell out extremely quickly, with fans turning to third-party resale websites to secure tickets instead. Fraudsters typically post counterfeit tickets on social media or unofficial resale sites, charging inflated prices for tickets that don’t exist or won’t get you through the door.
The signs:
- Too-good-to-be-true deals — Tickets being sold for a fraction of the original price, especially for sold-out or VIP events, are likely a scam.
- Sellers who refuse to meet in person — Many scammers avoid face-to-face transactions, especially if they’re based abroad, making it easier to evade detection.
- Tickets from unofficial sources — Over 90% of football ticket scams occur on Twitter, Facebook, or Instagram, so always be wary of social media platforms and unaffiliated resale sites.
How to try and avoid this scam:
- Stick to official sources – The only way to be sure that tickets are legitimate is by purchasing from the official club website or accredited ticketing partners. This is often the team, venue, or organisation running the event.
- Never send money via bank transfer to unknown sources – Many scammers request ticket payment by bank or wire transfer, or through a peer-to-peer (P2P) app like PayPal. These methods are designed to send money to people you know, like family and friends. They are not intended to be used for eCommerce transactions and do not have protection in place to recover lost funds from fraud.
- Never share sensitive information – Secure payment gateways do not ask for four-digit card PINs or online banking information, including passwords. Never share these with anyone.
4. AI scams
As AI technology evolves at a rapid pace, scammers are taking full advantage of it. In particular, there are two methods that fraudsters are using to trick people out of their cash:
Voice cloning scams
Scammers take video or sound clips from a person’s social media account and use them to create a voice clone, which they then send to the victim’s family and friends to impersonate them.
Family members or friends will be urged to take immediate action, like transferring funds to a 'safe' account, due to a fabricated emergency. As the voice clip belongs to someone the victim knows, scammers can call parents pretending to be their children and asking for emergency money.
Shockingly, nearly half (46%) of people aren’t even aware that this type of scam is possible, and one in 12 people said they’d send any money requested, even if they suspected the call was odd.
Deepfake video scams
With deepfake video scams, fraudsters use AI to create realistic but fake videos that impersonate real people, often well-known figures like celebrities or business leaders.
These fake videos are then used to promote fraudulent schemes, convince victims to send money or steal sensitive information. Deepfake videos can be incredibly realistic, making it difficult for victims to realise they're being tricked.
According to data by MoneySavingExpert, Martin Lewis is one of the most targeted celebrities thanks to his trusted status in the finance industry. Scammers have used his name and image to steal over £20 million in the past two years alone.
The signs:
- Unexpected calls demanding urgent financial actions – Unexpected calls where the speaker is pressuring for an immediate transfer of money are a significant red flag for an AI voice cloning scam. Incoherent speech and overly repetitive or consistent background noise that could’ve been artificially added in post-production could also be reasons for concern.
- Unsolicited endorsements from high-profile individuals — If you see a celebrity promoting an investment or opportunity that seems too good to be true, it probably is.
- Unfamiliar sources — These scams often appear as ads on social media or through email, claiming that a well-known figure supports the scheme.
- Requests for immediate action — Scammers often push for quick decisions, urging you to invest or provide personal details without hesitation.
- Request for money via cryptocurrency – Cryptocurrency is often the payment method of choice for many criminals as it’s impossible to trace the identity of who the money is being sent to. Any requests for funds via common digital currencies, like Bitcoin or Ethereum, should be treated as highly suspicious.
How to try and avoid this scam:
- Verify endorsements — Always cross-check any supposed endorsement directly through official websites or sources before making any decisions.
- Stay cautious with investments — Never rush into an investment because of celebrity backing, especially if it’s unsolicited or presented via email or social media ads.
- Question authenticity — AI technology has made it easier than ever to fake voices and videos, so stay critical of any message asking for financial details or personal information.
5. DVLA and parking ticket scams
Fraudsters are increasingly impersonating the Driver and Vehicle Licensing Agency (DVLA), Driver and Vehicle Standards Agency (DVSA), and local councils. They use fake parking tickets and other methods to trick people into paying money or sharing personal details.
These scams often come in the form of text messages or emails claiming that the victim owes unpaid vehicle tax or parking fines, with links directing them to fraudulent websites that steal payment information.
The illegitimate messages often pressure victims into clicking on the included links with threats that they might be banned from driving, have to pay more, or be taken to court if they don’t make a payment.
The signs:
- Unexpected messages about unpaid fines — Unexpected text messages about any form of financial payment or action should always be considered suspicious.
- Spelling and grammar mistakes in the text — Scammers often use broken English or grammatical mistakes in their texts, which is a giveaway that a message or email isn’t legitimate.
How to try and avoid this scam:
- Verify the source – The DVLA or DVSA will never contact you via text about refunds or payment requests. If in doubt, always use the gov.uk website to seek more information about a suspected scam.
- Never click on links in unsolicited messages – Since the DVLA and DVSA will never request payment details over text or email, links in these messages will likely lead to fraudulent websites.
- Keep personal documents private – The DVLA has previously warned against sharing details or images of V5C log books online as they can be used for identity theft.
6. Ghost broking scams
Another tactic fraudsters are using more often is ghost broking scams, specifically targeting small businesses looking for cheaper insurance options.
Scammers, known as ‘ghost brokers’, sell what seems to be a legitimate insurance policy at a cut-price rate. However, the insurance policy is forged, cancelled, or non-existent, leaving businesses without coverage when they need it most.
Ghost broking scams are often carried out via social media, online ads, or even word-of-mouth. Research has found that one in five adults between the ages of 18 and 24 has shopped for an insurance deal on social media, and, shockingly, only one in ten adults in the UK have heard of the term ‘ghost broking’.
The signs:
- Too-good-to-be-true policies — Offers of unusually cheap insurance policies can raise suspicion, especially if they are significantly lower than the market rate.
- Unfamiliar sources — Policies bought through unofficial channels, such as social media platforms or independent brokers with no verifiable online presence, may indicate a risk.
- No paper trail — A lack of proper documentation or refusal to provide full terms and conditions before purchase could suggest that the policy isn’t legitimate.
How to try and avoid this scam:
- Verify the broker — Verify the authenticity of any broker or insurance provider through official channels, such as checking their registration with the Financial Conduct Authority (FCA).
- Exercise caution — Being cautious about persistent insurance offers, particularly when advertised at unusually low prices, may help avoid fraudulent policies.
7. Pension fraud scams
Pension fraud is another concern, especially with fraudsters targeting people looking for early access to their pension or promising unusually high returns. These scams typically involve criminals posing as financial advisors or investment experts, persuading victims to transfer their pension savings into fraudulent schemes.
13% of UK adults fell for these scams in 2023, and with the State Pension rate set to increase at the start of each tax year in April, the first quarter of the year could be an ideal breeding ground for scammers taking advantage of people looking to secure their retirement plans.
Fraudsters often contact potential victims through unexpected phone calls, emails, or even
The signs:
- Promises of early pension access — Pension schemes in the UK generally do not allow early access unless in exceptional circumstances. Unsolicited offers that claim to do so can be suspicious.
- Guaranteed high returns with little to no risk — Legitimate investment opportunities typically come with some level of risk. Offers that guarantee returns far above the market rate without any mention of risk may indicate a scam.
- Pressure to act quickly — Scammers usually try to pressure their victims, urging quick decisions to avoid missing out on the ‘opportunity’, which can be a red flag.
How to try and avoid this scam:
- Verify the source — Checking whether the financial advisor or company offering the pension scheme is registered with a recognised authority could help avoid fraud. The Financial Conduct Authority (FCA) register can help you verify these details.
- Never rush into any decisions — Taking time to fully assess all pension-related offers without feeling pressured into quick decisions can potentially prevent future financial loss.
8. Gmail phishing scams
Nearly one in three email users use Gmail, which gives scammers a huge pool of potential victims for Gmail phishing scams. These scams occur when fraudsters send a notification prompting users to approve a Gmail account recovery or password reset attempt. The scam relies on tricking the victim into thinking their account is compromised so that they click a malicious link that redirects them to a fake login portal. Here, they’re asked to enter their credentials, which the scammer then steals.
In a newer twist, scammers are also targeting an estimated 1.5 billion Google Calendar users by trying ‘calendar phishing’, which refers to sending fake calendar invites that contain malicious links. These scams can be really dangerous if users have auto-add features enabled in their calendar apps, making it easier for the invite to slip by unnoticed.
The signs:
- Recovery requests that you haven’t triggered — If a notification appears asking you to approve an account recovery that wasn’t initiated, it could indicate a phishing attempt.
- Unfamiliar calendar invites — Calendar invites from unknown sources that include links, especially for meetings or events you never signed up for, might be fraudulent.
- Urgency in the message — Phishing attempts often use urgency, making it seem like immediate action is required to protect your account.
How to try and avoid this scam:
- Carefully assess recovery requests — Checking any account recovery notifications carefully, particularly reviewing who sent the email without clicking on links in the notification, could help prevent falling for this scam.
- Disable auto-add features in calendar apps — Disabling auto-add and reviewing any unexpected invitations may reduce the risk of falling for calendar phishing attempts.
9. Amazon Prime and other subscription scams
The European Commission has revealed that around 10% of EU consumers have been lured into signing up for an unwanted subscription before. Known as subscription scams or traps, scammers trick victims into signing up for cheap products or services sold by unfamiliar or misleading businesses — sometimes locking them into repeated payments without a clear way of halting them.
On the topic of unwanted e-commerce scams, online retail giant Amazon has been the centre of several fraudulent tactics over the last few years. Scammers have been sending illegitimate messages about customers' Prime Memberships or warning that their account is at risk of suspension or closure.
Victims are asked to ‘update’ their payment information, leading them to a fraudulent link that captures their details or prompts them to pay to reinstate their membership. In 2023, Amazon was the most commonly impersonated eCommerce brand in phishing attacks.
The signs:
- Unwanted recurring payments — Payments appearing on bank statements for unfamiliar services could be linked to subscription traps that are hard to cancel.
- Free trial offers with hidden charges – Deals that seem too good to be true usually are. Any offers that promise free trials could lure you to sign up for an unwanted subscription.
- Communication asking for personal details – Unexpected emails or text messages stating something’s amiss with your Amazon account or membership should be approached with caution. It’s worth noting that the safest way to check on your account status is by logging on through the official Amazon website or app to check the Message Centre or by contacting Amazon’s official customer service helpline or live chat.
How to try and avoid this scam:
- Keep on top of your outgoing expenses — Regular reviews of bank statements to detect any unexpected or recurring charges can help flag potential subscription traps.
- Never complete payment outside of the official Amazon website – Amazon will only ever ask for payment via its official website.
- Do not disclose personal details by any other channels of communication – Amazon only requests personal data in the member account section of its official website.
- Avoid clicking suspicious links – Never follow any links in suspicious emails or texts. Scammers can create fraudulent websites with an uncanny likeness to the official Amazon website, which they will try to direct victims to. If unsure whether you’re on the legitimate Amazon website, close your browser window and visit the website directly.
10. Brushing scams
Brushing scams involve sending unsolicited items to individuals and then writing fake reviews in their name to boost a seller's ratings. They’re conducted by fraudulent e-commerce websites and get their name from victims who ‘brush’ aside suspicion.
Victims could be targeted by brushing scams if a merchant has access to their personal details, enabling them to send a product to the victim’s home address. Once there is proof of delivery, the merchant can craft fake reviews to increase their ratings and sales figures artificially.
This scam highlights potential data breaches, suggesting that the seller has unauthorised access to personal details.
The signs:
- Packages from e-commerce platforms you didn't order – The biggest giveaway of this scam is receiving a package that you didn’t order.
- Finding reviews written 'by you' that you didn't write – After receiving an unsolicited package, spotting reviews written in your name confirms that your personal details have likely been used in a brushing scam.
How to try and avoid this scam:
- Change your passwords – Carry out good password hygiene by regularly changing your passwords to something that scammers won’t be able to guess.
- Report unexpected items – Notify the platform if you receive items you didn't order. Often, it’s individual merchants on selling platforms, like Amazon or Etsy, that are carrying out fraudulent activities rather than the entire platform. Reporting the activity promptly means that the website can investigate further.
11. Parcel delivery scams
Online shopping sales made up one-quarter of all retail sales in the UK in 2024, and this is set to surge around busy periods like Black Friday and Christmas. This means that parcel delivery scams could become even more common.
They’re characterised by victims receiving a false text message or email claiming that a parcel delivery has been missed or is being held due to an unpaid fee. Victims are then prompted to click a link that leads to a fake website, where they’re asked to provide personal and payment details.
Scammers often impersonate well-known delivery services, such as Royal Mail, Evri, or other third-party couriers, making the messages seem legitimate. In 2023, almost half of people in the UK had been targeted with a parcel delivery scam.
The signs:
- Unexpected delivery notifications – Receiving a message about a delivery that wasn’t expected, or for which no prior notification was given, could indicate a scam.
- Requests for payment of a small fee — Scammers often claim that a package is being held until a small payment is made, typically under £5, to entice victims to act quickly without suspicion.
- Links directing to unfamiliar websites — Clicking through to a website that doesn’t look like the official site of the delivery service could be a sign of a phishing attempt.
How to try and avoid this scam:
- Review sender information — Checking the sender details and reviewing the website URL carefully before clicking on any links may help avoid falling for fake parcel notifications.
- Track deliveries via the business’s official website — Verifying the status of any deliveries through official channels, rather than responding directly to unsolicited messages, can help reduce the risk of being scammed.
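The advice above to review the URL before clicking, and the earlier point that DVLA and DVSA messages with payment links lead to fraudulent sites, can be applied mechanically by a business that triages reported messages. The sketch below is an added example, not part of the original article: the sample messages are constructed, `courier.example` is a placeholder for a delivery company's real domain, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(host, official):
    """True only if host is the official domain itself or a subdomain of it."""
    host = host.rstrip(".").lower()
    official = official.lower()
    return host == official or host.endswith("." + official)


def check_link(url, official_domains):
    """Return the reasons a link should not be trusted (empty list = official host)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        reasons.append("not-https")
    # "https://official@other-host/": the browser connects to other-host.
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    # https only protects the connection; the host decides who receives the data.
    if not any(host_matches(host, d) for d in official_domains):
        reasons.append("host-not-official")
        if any(d.lower() in url.lower() for d in official_domains):
            reasons.append("official-name-used-as-decoy")
    return reasons


def triage_message(text, official_domains):
    """Map every link found in a message to its list of reasons."""
    results = {}
    for match in URL_RE.findall(text):
        url = match.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        results[url] = check_link(url, official_domains)
    return results


# Constructed sample messages (reserved .example names and a documentation IP).
ALLOWLIST = {"gov.uk", "courier.example"}
SAMPLE_MESSAGES = [
    "DVLA: your vehicle tax is unpaid. Pay at "
    "https://gov.uk.vehicle-tax.example/pay or you may be taken to court",
    "Your parcel is being held. Pay the 1.99 fee: http://192.0.2.10/redelivery",
    "Final notice: https://www.gov.uk@fines.example/pay",
    "Your parcel is out for delivery. Track it at https://track.courier.example/p/123.",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for url, reasons in triage_message(message, ALLOWLIST).items():
            print(url, "->", reasons or "host is on the allowlist")
```

An empty result only means the link points at an allowlisted host; it says nothing about whether the message itself is genuine, so the official-channel checks above still apply.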
12. Landline 'vishing' scams
As 80% of elderly people continue to rely on landline phones to stay in touch, vishing (voice phishing) scams have surged in popularity. These scams involve fraudsters calling victims, pretending to be from legitimate organisations like banks, utility companies, or even HMRC and attempting to trick them into revealing personal information or transferring money (particularly around tax deadlines).
With more than half of landline calls in the UK now being made by scammers, this type of fraud remains a significant threat. Scammers often create a sense of urgency, claiming that there is an issue with taxes, payments, or even accounts being frozen, pushing victims to act quickly without verification.
The signs:
- Unexpected phone calls from organisations — Calls claiming to be from trusted organisations such as banks, HMRC, or even government bodies, especially around deadlines like the self-assessment tax period, could be suspicious.
- Requests for personal or financial details — Fraudsters may ask for sensitive information, such as bank account details or PIN numbers, to ‘resolve’ a made-up issue.
- Pressure to act immediately — Calls that create a sense of urgency, encouraging victims to act quickly to avoid legal trouble or financial loss, are often a hallmark of vishing scams.
How to try and avoid this scam:
- Never share sensitive information over the phone — If you didn’t initiate the phone call, avoid providing any sensitive information over the phone.
- Verify the caller — Taking the time to pause, hang up, and call the organisation's official number could reduce the risk of falling for these scams.
13. Boiler Room investment scams
Boiler room scams are where fraudsters pose as legitimate stockbrokers or investment firms, cold-calling victims to sell them worthless or non-existent shares. These scammers use high-pressure tactics, often calling from what appears to be a professional-sounding office (the ‘boiler room’), and convincing victims to invest in what they claim are guaranteed high-return opportunities. However, once the money is transferred, the victims are left with worthless stocks or no shares at all.
takepayments data found that 16-24-year-olds’ financial priority is to save for future investments, suggesting that the younger generation is keen to make their money go further, but this could put them at risk of sketchy investment offers posed by boiler room scams.
How to try and avoid this scam:
- Verify the broker’s credentials — The FCA’s register lets you verify certified businesses that are regulated by the FCA, which can help you understand whether the offer is real or fake.
- Be cautious — Being suspicious of unsolicited calls about investments, especially those offering immediate and substantial returns, may help avoid falling victim to these scams.
Become PCI compliant today
There are also steps that businesses, both big and small, can take to help customers stay safe and protected when making online transactions.
If you accept card payments, being Payment Card Industry Data Security Standard (PCI DSS) compliant can minimise the chances of fraud through data breaches.
We can help you become PCI DSS compliant today, or get in touch with us at 0808 274 2017 to learn more about how we can help.
John Clark
Product Manager