Every major scam category, every red flag, and the exact recovery steps if you've been caught
Published 6 May 2026 · ScamSupport research · ~18 minute read
If you live in the UK, fraud is now the most-reported crime category. Investment fraud alone cost UK victims £879.8 million in 2025 — equivalent to £1,675 lost every minute, according to City of London Police. UK Finance's Annual Fraud Report 2025 confirms £1.1 billion in losses across 2024, with over £600 million stolen in the first half of 2025, but the true figure is two to three times higher because the majority of incidents go unreported. Most people don't realise how much they've already brushed up against the criminal economy — the fake delivery text last week, the "your tax refund is ready" email, the unexpected WhatsApp from someone using your son's name. Each of those is a sliver of a campaign that costs other people their savings.
This guide is designed to be the single page you (or your parents, your colleagues, your friends) can come back to whenever a suspicious message arrives. It covers the ten major scam categories operating in the UK in 2026, what gives each of them away, channel-specific patterns for email and SMS and WhatsApp and Telegram, the universal red flags that work across categories, and an exact recovery playbook if money has already left your account. It's long because the topic is genuinely big, but every section is short enough to skim.
If a message has just arrived and you're trying to decide whether to act on it, jump to The Universal Red Flags. Those four signals catch around 90% of all phishing campaigns, and you can run them through your head in under thirty seconds.
If money has already left your account, jump to The Recovery Playbook. The first hour matters enormously and most of what you can do has to be done by you, not by anyone else.
If you want to understand a specific scam category in depth, the table immediately below has direct links to the relevant sub-guide on this site for each one.
Almost every scam circulating in the UK is a variation on one of ten themes. We've ordered them roughly by reported volume.
| Category | Typical lure | Risk |
|---|---|---|
| Phishing — guide | Email pretending to be a bank, HMRC, or major brand asking you to verify or re-confirm something | High |
| Imposter / impersonation — bank guide | A caller or message claims to be your bank's fraud team, the police, HMRC, Microsoft, or a courier | High |
| Delivery / parcel — Royal Mail, DVLA | "Your parcel needs a small fee", "Your DVLA payment failed", "Re-arrange delivery here" | Medium-high |
| Romance — guide | Months of online relationship, then an "emergency" requiring money | High — financially and emotionally |
| Investment / crypto — investment, crypto | "Guaranteed returns", celebrity-endorsed platform, WhatsApp investment group | Very high |
| Marketplace / shopping | Facebook Marketplace, eBay, Vinted listings far below market price; off-platform payment | Medium-high |
| Job offer — guide | "Work from home", "no experience needed", "easy task earnings on Telegram" | High |
| Tech support / malware — Microsoft | Pop-up warning of a virus, cold-call from "Microsoft", fake antivirus install prompt | High |
| Government / utility — HMRC, council tax, TV licence | Tax refund, council tax rebate, TV Licence renewal, energy bill rebate | High |
| Sextortion / blackmail | Email claiming to have webcam footage; demands cryptocurrency payment | Mostly bluff — lower financial risk if you don't pay |
Each row above links to a focused guide on this site. The remainder of this article covers the patterns that cut across all categories — the warning signs, channel specifics, and recovery steps that apply regardless of which scam you're facing.
Across every category in the table above, four signals appear in roughly 90% of scam messages. If a message has any one of these, treat it as suspect until you've verified through the company's normal channel. If it has two or more, it's a scam.
"Within 24 hours", "before midnight tonight", "final warning", "immediate action required". Real organisations don't pressure you in their first contact — they have escalation procedures that take weeks. The deadline doesn't have to be plausible to work; it just has to compress your decision window enough to short-circuit your scepticism. HMRC won't fine you tomorrow for not responding to an email today. Your bank won't close your account this evening because a message you received this morning needs urgent confirmation. The cost of pausing for ten minutes to verify is always lower than the cost of acting fast on a fake.
The sender's friendly name says "PayPal" but the actual address is a Gmail account, a misspelt lookalike domain, or a long string ending in something irrelevant. On a phone screen, only the friendly name shows by default — you have to tap to reveal the real address. Always look at the right-hand side of the @ sign, and read it from the end: the registered domain sits at the very end (update-id-2026.click in the first example below), and anything in front of it is just a subdomain the attacker chose. That final part is the only thing the attacker can't fake without owning the domain. service@paypal.com.update-id-2026.click is not PayPal. service@paypal-secure-account.help is not PayPal. Even paypaI.com with a capital I instead of a lowercase l is not PayPal — the homograph trick depends on you not noticing.
"Click here to verify", "log in via this link", "download the attached statement". Genuine companies tell you to log in through their app or by typing the URL yourself, never through an embedded link. The reason is that they know any link they put in an email could be impersonated; tools like ScamSupport exist precisely because so many people don't follow this rule. If your bank really needs you to do something, you'll see it the next time you open the bank's app or visit the site by typing it into the address bar. The two-second cost of a fresh tab eliminates an entire category of attack.
Your bank already has your address, your full name, and your account number. If a "bank" email or call asks you to confirm those details, the only thing it can be doing is collecting that data for the first time — i.e. it's not your bank. HMRC already knows your tax position; they don't need you to "verify your details" through a link. Royal Mail already has the parcel; they don't need a small fee re-paid via a third-party page. Whenever someone asks for information they should already have, the relationship is fake.
If a message clears all four of those, it's probably real. If it fails any one, treat it as suspect. The four-point check is portable across every channel and every category in the table.
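As an added illustration, not code from the original article or from ScamSupport, here is the four-point check written as a small Python triage function. The phrase lists and the sample messages are constructed, and the domain extraction is a simplified stand-in that does not consult the Public Suffix List.

```python
from email.utils import parseaddr

# Constructed phrase lists standing in for the article's four signals; a real
# filter would maintain far larger sets.
URGENCY = ("within 24 hours", "before midnight", "final warning",
           "immediate action required")
LINK_ACTION = ("click here", "log in via this link", "download the attached")
DATA_REQUEST = ("verify your details", "confirm your account number",
                "confirm your full name", "re-confirm your address")


def registrable_domain(address: str) -> str:
    """Registered domain of an email address: the last two labels after '@'.
    Simplified on purpose; a production check consults the Public Suffix List
    so that e.g. bank.co.uk is not reduced to co.uk."""
    _, addr = parseaddr(address)           # strips the friendly name
    domain = addr.rpartition("@")[2].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def fold_lookalikes(domain: str) -> str:
    """Collapse classic lookalike characters (rn->m, 0->o, 1/i->l)."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("i", "l"))


def looks_like_homograph(domain: str, brand: str) -> bool:
    """Near-miss for the brand: non-ASCII labels, or equal once folded."""
    if not domain.isascii():
        return True
    return domain != brand and fold_lookalikes(domain) == fold_lookalikes(brand)


def triage(sender: str, body: str, brand: str) -> list[str]:
    """Run the four-point check and return the signals that fire, in the
    article's order: sender domain, urgency, link action, data request."""
    flags = []
    brand = brand.lower()
    domain = registrable_domain(sender)
    if domain != brand:
        flags.append("homograph lookalike domain"
                     if looks_like_homograph(domain, brand)
                     else "mismatched sender domain")
    text = body.lower()
    if any(p in text for p in URGENCY):
        flags.append("manufactured urgency")
    if any(p in text for p in LINK_ACTION):
        flags.append("link-based action")
    if any(p in text for p in DATA_REQUEST):
        flags.append("asks for data the sender should already hold")
    return flags
```

Two or more returned flags is the article's "it's a scam" threshold; one flag means verify through the company's normal channel before acting.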
Beyond the universal flags, each channel has its own characteristic tells.
Scam emails in 2026 are visually polished — logos, footers, even unsubscribe links can be perfect copies of the real thing. The four giveaways are the sender domain (always check), the link target (hover or long-press to see where it actually goes), the personalisation (real emails address you by your account name, not "Dear Customer"), and the request (real companies don't ask you to verify card details by email). The phishing email guide on this site walks through eight specific signals with examples.
UK smishing volume tripled between 2023 and 2026. The dominant patterns are parcel delivery ("a small fee is needed for re-delivery"), bank fraud alerts ("we noticed a suspicious transaction, click here"), and HMRC ("your tax refund of £267.32 is ready"). The defence is the same as for email: never act on a link in a text. Open your bank's app, the courier's official tracking site (typed into your browser), or your HMRC personal tax account directly. Forward suspicious texts to 7726 — that's the free reporting number that all UK mobile networks share.
The phone call is where the most damaging UK scams happen. The pattern: a caller claims to be from your bank's fraud team, says there's a suspicious transaction, and asks you to "move your money to a safe account" while it's investigated. The "safe account" is the criminal's. Genuine banks never ask you to transfer money to a different account, full stop. If a caller asks for that, hang up immediately and ring the bank back on the number printed on your card — from a different phone if you can, because some scams keep the line open even after you hang up.
WhatsApp's encryption means platform-side filtering can't see the content of messages. The dominant scams are the "Hi Mum / Hi Dad" message ("I've broken my phone, this is my new number, can you help me with a payment"), verification-code theft ("I sent your code to your phone by mistake, can you forward it"), and bank or delivery alerts forwarded as if they came from your contacts. Two protections: enable WhatsApp's two-step verification (Settings → Account → Two-step verification), and never share a code that arrives by SMS with anyone — codes are designed to prove you are you, not to be relayed.
Telegram is heavily used for crypto scams, fake job ("complete simple tasks for £200 a day") schemes, and marketplace fraud. The marketplace pattern is particularly nasty: a seller in a public group offers something at a too-good-to-be-true price, pushes you to settle the deal off-platform via private DM, refuses any escrow protection, and asks for an irreversible payment method (bank transfer or crypto). The protection is procedural: don't trade on Telegram unless an escrow system controls the asset release. If someone offers "Telegram escrow" via a bot or admin account, that's almost always the scam.
If money has already left your account or you've shared credentials with a fake page, the next 30 minutes are the most important. Most of the recovery options depend on speed.
Since October 2024, UK banks are required by the Payment Systems Regulator to refund victims of authorised push payment (APP) scams in most cases, up to a maximum of £85,000 per claim. The system isn't automatic — you have to claim — but the burden of proof has shifted significantly toward the banks. When you contact your bank's fraud line, ask them explicitly about the APP scam reimbursement process. If they refuse the claim at first, ask for the decision in writing and then escalate to the Financial Ombudsman Service, which can review the case independently and order the bank to pay. There's no fee to use the Ombudsman.
Within days of being scammed, victims often receive a follow-up "we can recover your funds" message via email, social media, or even a Telegram DM. These are almost always the same criminal group, hoping for a second payment. No legitimate recovery service charges an upfront fee. If anyone — a "Bitcoin recovery agency", an "ex-FBI investigator", a lawyer who messaged you out of the blue — asks for money before they help you, walk away. Recovery, where it's possible at all, is done by your bank, the Ombudsman, and the police, not by anyone who slid into your DMs.
Three habits, set up once, defeat the majority of campaigns:
A password manager that auto-fills only on real domains. 1Password, Bitwarden, and Apple/Google's built-in managers all share one critical behaviour: they refuse to fill credentials on a lookalike domain. The phishing site that visually copies your bank? Your password manager won't suggest the password, because the domain doesn't match. That mismatch is your warning. Once you have a manager set up, credential-phishing essentially stops working on you.
Multi-factor authentication on the high-value accounts. Your email account is the most important single thing to protect — it's the master key for password resets. Bank accounts and any account holding payment methods are next. App-based MFA (Authy, Google Authenticator) is much safer than SMS-based codes; hardware keys (YubiKey, Google Titan) are the gold standard for the most paranoid. Set MFA up on a quiet Sunday afternoon and you've shut down a category of attack permanently.
The "type the URL" reflex. Whenever a message says "click here to verify", train yourself to instead open a fresh browser tab and type the company's URL directly. The cost is two seconds. The benefit is that you've sidestepped every lookalike link and spoofed page in one move. Once this becomes automatic, you stop being the kind of target that modern phishing campaigns convert.
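An added example, not the article's or any password manager's own code, of the domain-matching behaviour described in the first habit, in simplified form: a credential saved for one host is filled only on an https page whose hostname is that host or a subdomain of it, which is why the lookalike addresses quoted earlier in the article never match. The page URLs are constructed.

```python
from urllib.parse import urlsplit


def autofill_allowed(saved_origin: str, page_url: str) -> bool:
    """Fill a saved credential only when the current page is https and its
    hostname is the saved host or a subdomain of it (simplified policy;
    real managers add Public Suffix List logic and per-site settings)."""
    saved_host = urlsplit(saved_origin).hostname
    page = urlsplit(page_url)
    host = page.hostname                  # already lower-cased, userinfo removed
    if page.scheme != "https" or not host or not saved_host:
        return False
    return host == saved_host or host.endswith("." + saved_host)


# Constructed page URLs, including the lookalikes quoted in the article.
SAVED = "https://paypal.com"
CASES = {
    "https://www.paypal.com/signin": True,                    # real subdomain
    "https://paypal.com.update-id-2026.click/signin": False,  # brand pushed to the front
    "https://paypal-secure-account.help/signin": False,       # hyphenated lookalike
    "https://paypaI.com/signin": False,                       # capital I for l
    "https://paypal.com@evil.example/signin": False,          # userinfo trick
    "http://paypal.com/signin": False,                        # no TLS
}


def check_all() -> dict[str, bool]:
    """Map each constructed URL to the autofill decision."""
    return {url: autofill_allowed(SAVED, url) for url in CASES}
```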
No. FICO's ScamSupport is a B2B fraud-prevention API used by banks, and so is the GSMA / Telefónica ScamSupport product line. Our ScamSupport is a free consumer tool that runs in your browser to help individuals check whether a message is a scam. The names overlap because "scam signal" is a natural description, but the products are unrelated.
They're the same trick on different channels. Phishing is email-based, smishing is SMS, and vishing is voice (phone calls). The psychology and red flags are identical — manufactured urgency, false authority, off-platform action, mismatched-relationship request — only the medium changes.
Yes — both the US Federal Trade Commission and the UK's national fraud reporting service (Action Fraud, now Report Fraud) put imposter scams (someone pretending to be a bank, government agency, courier, or major brand) at the top of their reports for the past several years. The category is broad because it covers any message that claims to come from someone trusted. The defence is also broad: the universal red flags above catch the vast majority.
No. Replying confirms your address or number is live and active, which makes you a higher-value target for the next campaign. Just delete or report. If you genuinely need to find out whether a message is real, ignore the message itself and contact the supposed sender through their normal channel (their app, their website typed in directly, the phone number on the back of your card).
A VPN protects your network traffic from being intercepted, which is genuinely useful on public Wi-Fi or in countries with state-level monitoring — but it doesn't protect you from scams in your inbox. Scam protection is a content problem, not a network problem. The right combination is a password manager + MFA + a content-checking tool like ScamSupport. A VPN is a useful addition for general online security but not a substitute for the basics.
The single most effective intervention is a 30-minute sit-down where you install a password manager on their phone, turn on MFA for their email and bank, and walk through the "type the URL, never click the link" rule with two or three real examples. The conversation is awkward; the financial cost of skipping it is far worse. People who have been scammed once are statistically more likely to be scammed again, because their details are now on lists that get re-targeted. Setting up the basics protects them long after the conversation ends.