The modern scam playbook: the most common online fraud tactics and how to reduce risk

The numbers tell a grim story. In 2024, fraudsters stole £1.17 billion from UK victims, with over 2 million confirmed cases of fraud reported in just the first half of 2025. Fraud now accounts for an estimated 41% of all crime in England and Wales, yet only 14% of cases are reported to police.

The threat is evolving faster than awareness campaigns can counter it. While banks prevented £1.45 billion in unauthorised fraud through security systems, criminals are adapting, pivoting from one method to another as defences improve. The result: every minute in the UK sees £2,300 stolen through confirmed fraud.

Here's what you need to know about the most prevalent scams, the scripts criminals use, and how to protect yourself.

Purchase scams: the volume leader

The threat: Purchase scams remain the most common fraud type, accounting for 72% of all authorised push payment (APP) fraud cases in the first half of 2025. Victims pay upfront for goods or services that never arrive, often after seeing adverts on social media platforms.

The script: Fraudsters create convincing online shops or social media listings for high-demand items at attractive prices. They may use stolen images, fake reviews, and professional-looking websites. Some hijack social media accounts to advertise fake tickets or products to the victim's friends and contacts.

Red flags:

• Prices significantly below market rate
• Seller insists on bank transfer rather than secure payment methods
• New or recently created social media accounts
• Pressure to pay quickly before item "sells out"
• No verifiable business address or contact details
• Seller becomes evasive when asked questions

What to do: Pay by credit card for purchases between £100 and £30,000 to gain Section 75 protection. For debit cards, request a chargeback within 120 days. Payment providers like PayPal offer buyer protection schemes. UK Finance data shows payment service providers refunded about 75% of purchase scam losses in 2024.

Investment scams: the biggest individual losses

The threat: Investment fraud accounted for £144.4 million stolen in 2024, a 34% increase from 2023. In the first half of 2025, losses jumped to £97.7 million, up 55% from the same period in 2024. Average losses per victim: £15,000.

The script: Criminals promise guaranteed high returns through cryptocurrency, foreign exchange, or other complex-sounding investments. They create fake trading platforms showing fictitious profits. Victims are encouraged to invest more, then face demands for "tax payments" or "fees" to access their money. The platforms eventually disappear.

Red flags:

• Promises of guaranteed or unusually high returns
• Pressure to invest quickly or miss out
• Unsolicited contact via social media, dating apps, or cold calls
• Requests to download specific apps or software
• Difficulty withdrawing funds or accessing your "investment"
• Demands for additional payments to release your money

What to do: Check the Financial Conduct Authority register before investing. Legitimate investment firms don't cold call. If someone contacts you out of the blue about an investment opportunity, it's almost certainly a scam.

Romance scams: the emotional devastation

The threat: Romance fraud caused nearly 3,000 cases and losses of more than £20 million in the first half of 2025, with losses increasing by 35% compared to 2024. Average loss: £6,500 per victim.

The script: Fraudsters create fake profiles on dating sites or social media, often using stolen photos of attractive people. They build emotional connections over weeks or months, then fabricate emergencies requiring money: medical bills, business problems, travel costs to "finally meet you," or customs fees for gifts they've supposedly sent.

Red flags:

• Professes love very quickly
• Refuses video calls or always has excuses why they can't meet
• Claims to be overseas, often in military, oil industry, or working abroad
• Stories become increasingly dramatic
• Asks for money, gift cards, or cryptocurrency
• Isolates you from friends and family who express concern

What to do: Never send money to someone you haven't met in person. Do a reverse image search of their photos. Be wary of anyone who moves the conversation off the dating platform quickly. If you've been targeted, report to Action Fraud and contact your bank immediately.

Invoice and payment redirection fraud: targeting businesses

The threat: Invoice fraud involves criminals intercepting business communications and changing payment details so money goes to fraudsters instead of legitimate suppliers. Between January and June 2015, 749 UK businesses reported falling victim, and the problem has grown more sophisticated since.

The script: Fraudsters hack email accounts or send convincing fake invoices. They may impersonate suppliers, solicitors, or even company executives. A common variant: an email on an existing thread claiming the supplier's bank details have changed. Another: a "CEO" urgently requesting payment to a new account.

Red flags:

• Unexpected changes to payment details
• Requests for urgent payment outside normal procedures
• Slight changes in email addresses (e.g., .co.uk instead of .com)
• Poor spelling or grammar in supposedly professional communications
• Pressure to pay immediately
• Requests to keep the payment confidential

What to do: Always verify payment detail changes by calling the supplier on a trusted number (not one provided in the suspicious email). Implement a payment approval process requiring multiple checks. Action Fraud recommends reconciling all invoices against purchase orders before payment.

Fake delivery texts: the quick strike

The threat: Fake parcel delivery texts have become one of the most widespread scams, tricking thousands into handing over bank details or personal information.

The script: You receive a text claiming to be from Royal Mail, DPD, Evri, or another courier, stating a parcel couldn't be delivered and asking you to click a link to reschedule or pay a small "redelivery fee." The link leads to a fake website designed to steal your card details or install malware.

Red flags:

• Unexpected delivery notifications when you haven't ordered anything
• Requests for payment to release a parcel
• Links to websites with slightly misspelled URLs
• Urgent language pressuring immediate action
• Requests for excessive personal information

What to do: Don't click links in unexpected texts. Go directly to the courier's official website or app to check delivery status. Legitimate couriers rarely ask for payment via text message links. Forward suspicious texts to 7726 (it's free) so your provider can investigate.

Impersonation scams: police, banks, and officials

The threat: Impersonation fraud, where criminals pose as police, bank officials, or other authorities, saw losses and cases drop to series lows in the first half of 2025, with cases falling 16% and losses down 14%. This decline is attributed to education campaigns, but the scam remains dangerous.

The script: A caller claims to be from your bank's fraud department, the police, or a government agency. They say your account has been compromised or you're under investigation. They ask you to move money to a "safe account," provide security details, or hand over your bank card to a courier. Some use spoofing technology to make the caller ID appear genuine.

Red flags:

• Unexpected calls about account security or investigations
• Requests to move money to "safe accounts"
• Pressure to act immediately
• Requests for PINs, passwords, or full card numbers
• Instructions to lie to bank staff about why you're withdrawing money
• Courier arriving to collect your bank card

What to do: Hang up. Your bank and the police will never ask you to move money, reveal your PIN, or hand over your card. Call your bank back on the number on the back of your card. If someone claims to be police, call 101 to verify. Wait at least five minutes before calling, as fraudsters can keep the line open.

Tech support scams: the fake fix

The threat: Criminals contact victims claiming to be from Microsoft, Apple, or internet service providers, warning of computer problems or security breaches.

The script: You receive a call, email, or pop-up warning that your computer is infected with a virus or your internet connection has been compromised. The "technician" offers to fix the problem remotely. Once they gain access to your computer, they either install malware, steal information, or show you fake error messages to justify charging hundreds of pounds for unnecessary "repairs."

Red flags:

• Unsolicited contact about computer problems
• Pop-ups that won't close warning of viruses
• Requests for remote access to your computer
• High-pressure tactics and scare tactics
• Demands for payment via bank transfer or gift cards

What to do: Hang up or close the pop-up. Microsoft, Apple, and ISPs don't make unsolicited calls about your computer. If you've already given access, disconnect from the internet, run antivirus software, and change your passwords from a different device. Contact your bank if you've made a payment.

The online enabler: social media's role

The data is stark: 70% of APP fraud cases in 2024 started online, with social media platforms playing a central role. UK Finance reports that 66% of APP fraud cases in the first half of 2025 began on online platforms, while 17% originated through telecommunications networks.

The National Crime Agency notes that criminals continue to adopt generative AI to enhance fraud sophistication, using deepfake videos and voice cloning for CEO frauds. In February 2024, AI-generated deepfakes of company employees at a virtual meeting tricked a finance worker into transferring £20 million.

If you think you've been scammed: a step-by-step response plan

Immediate actions (within minutes):

1. Stop all contact with the suspected scammer immediately. Don't make any further payments.
2. Contact your bank by calling the number on the back of your card or visiting a branch. Do this immediately, even if it's outside business hours. Many banks have 24-hour fraud lines. Tell them you believe you've been scammed. They may be able to freeze the transaction or recover funds.
3. If you've shared passwords or PINs, change them immediately, starting with your email and online banking.
4. If you've installed software or given remote access to your computer, disconnect from the internet and run antivirus software.

Within 24 hours:

5. Report to Action Fraud at www.actionfraud.police.uk or call 0300 123 2040. In Scotland, report to Police Scotland on 101. You'll receive a crime reference number, which you'll need for insurance claims and bank disputes.
6. Check your credit report for any suspicious activity. You can access free reports from Experian, Equifax, and TransUnion.
7. Report the scam to the relevant platform. Forward suspicious emails to report@phishing.gov.uk. Report suspicious texts to 7726. Report fake social media accounts and adverts to the platform.

Within one week:

8. Document everything: Save all emails, texts, screenshots, transaction records, and notes about phone conversations. This evidence is crucial for police investigations and reimbursement claims.
9. If your bank refuses a refund, don't give up. Since October 2024, mandatory reimbursement rules for APP fraud mean you may be entitled to get your money back. The Payment Systems Regulator reported that 88% of in-scope APP fraud losses were reimbursed. If your bank refuses, escalate to the Financial Ombudsman Service.
10. Seek support: Fraud causes significant psychological harm. Government surveys found that 86% of victims felt anger, 73% reported stress, and 63% reported anxiety. Contact Victim Support (0808 16 89 111) or Age UK (0800 678 1602) if you're over 60.

Ongoing:

11. Monitor your accounts closely for several months. Set up transaction alerts with your bank.
12. Be alert for follow-up scams: Fraudsters may contact you again, posing as recovery services or law enforcement, claiming they can get your money back for a fee. This is another scam.

The prevention gap

While UK Finance reports that banks prevented £1.45 billion in unauthorised fraud in 2024, the financial services sector cannot fight fraud alone. The industry has invested heavily in fraud prevention technology, real-time data sharing, and customer education campaigns like Take Five.

Yet the majority of fraud originates outside the banking system. With enforcement of the Online Safety Act's provisions on paid fraudulent advertising delayed until 2027, a significant regulatory gap persists between financial services and technology sectors.

Related reading

• AI in the workplace: What to automate, what to keep human, and how to avoid mistakes
• Thales launches AI Security Fabric

The government's upcoming Fraud Strategy must address this imbalance. Until then, the best defence remains awareness, scepticism, and the willingness to stop and think before making any payment or sharing information.

The bottom line: If something feels wrong, it probably is. Legitimate organisations don't pressure you for immediate payment, ask for your PIN, or contact you out of the blue with urgent demands. When in doubt, stop, verify independently, and seek advice.