Common scams

We're aware of fraudsters sending a phishing email to our customers. The email may advise that you’ve been chosen to receive a Marks and Spencer treat, such as an afternoon tea letterbox hamper, or other M&S gift cards or loyalty points.

These emails will guide you into a self-service form where you will be asked to enter personal details and then your M&S card number, CVC and expiry date.

Remember:

• We would never contact you via email and ask for your card number, expiry date or CVC.
• If you receive an offer that seems too good to be true, it usually is. Contact the retailer to see if the email is genuine, before clicking on any links, or completing any forms which capture your card numbers.
• Genuine emails will always contain full terms and conditions for the offer or prize draw. You will find these in the footer of the email.

If you think you have been a victim of a scam, act quickly. You should call your bank who can take action to protect your account and block your cards. Always call using a trusted number.

If you believe you may have provided your M&S Bank card details to a fraudster, please contact us.

Phishing emails will look like they're from a legitimate authority or organisation, or perhaps a retailer you've bought something from in the past.

Typically, they’ll:

• Encourage you to click on a website link.
• Contain spelling and grammar errors.
• Urge you to take action quickly and threaten to close your account if you don't respond.
• Pretend that you're owed money.
• Ask you to share confidential information, such as your online banking details, passwords, account numbers or PINs.

Include instructions on how to reply or verify your account - like completing a form attached to the email.

If you receive a suspicious email:

• Don't click on any links.
• Don't open any attachments.
• Don't reply.

If you're not sure, contact the organisation using a phone number you know is genuine, or visit their website.

If you've received an email from M&S Bank and you think it might be a scam:

• Forward it to us at phishing@mandsbank.com.
• Delete the scam email and empty the recycle bin on your device.

Criminals use text messaging as a channel to impersonate organisations you trust including your bank, the police or other government organisations.

Text messages sent by criminals can be very convincing, and fraudsters are known to spoof genuine M&S Bank text messages, in order to obtain your trust.

These messages can look and feel like genuine bank alerts and may inform you that there has been fraud on your account. Criminals will pressure you to act quickly by calling a phone number or clicking a link. In some cases, a call from the fraudster may even follow the scam text message.

If you receive a text message out of the blue, remember:

• We will only send you a one-time passcode if you have initiated an action on your account, such as a transaction, mobile device login or registration. Any messages received out of the blue could be a fraudster trying to use your card or an impersonation attempt.
• Our staff will never ask you to provide your one-time passcodes or digital banking login details, never provide this information to anybody, even if they claim to be from the bank or police.
• Look out for any spelling mistakes, poor grammar, and incorrectly capitalised letters, these are often the signs of fraudulent text message scams.
• Be wary of any links in text messages. Only visit our website if the link is from a trusted source.

Phone scams or vishing, are when a fraudster calls pretending to be your bank or another trusted organisation. They can even make their call appear to come from a number you know and trust. This is known as Phone Number Spoofing.

They can sound very convincing and may already know some of your personal information, such as your account number or address. If you feel uncomfortable, or sense something is wrong, don’t be afraid to end the call. You can always call the organisation on a number that you know, such as the number on the back of your credit card. Fraudsters can keep the line open and even spoof a dial tone, so try to use a different phone, or wait at least 15 seconds before making your call. You could also call a friend or relative first, to make sure a fraudster isn’t listening in when you do make the call.

Typical examples of vishing are:

• Your bank or credit card provider’ advise you that your account is at risk and you need to move your money to another account to keep it safe.
• Your bank or credit card provider’ needs your help to investigate a fraud.
• Your internet or mobile provider calls you to fix a problem you haven’t reported.
• ‘HMRC’ threaten jail unless unpaid taxes are paid immediately.
• Your bank, the police or another government organisation contact you and ask you to withdraw cash to help them with an ongoing investigation. They could also ask you to provide your physical card or PIN and offer to visit your property to collect it.

Fraud can happen at any place and any time and the fraudsters often look, sound and act like the bank, police or even your internet provider. A bank can already transfer funds at your request and would never ask for your passwords, PIN, any One Time Passcodes or secure key codes.

Fraudsters may contact you pretending to be your bank or another trusted organisation. They can even make their call appear to come from a number you know and trust. This is known as Phone Number Spoofing.

They can sound very convincing and may already know some of your personal information, such as your account number, personal details or recent transactions.

Once they've gained your trust, the scammer may ask you to install a remote access programme such as 'AnyDesk' onto your phone or computer so that they can take control of your device. They may tell you that there is a serious problem with your M&S Credit Card or account and ask you to act with some urgency.

M&S Bank will never ask you to download remote access software to view or take over your device such as 'AnyDesk' or a similar type of software by another name.

Once the software is installed onto your device the fraudster can take control in any way they like. This could involve stealing login credentials, gaining access to your other bank accounts and credit cards and moving your money out of your control.

If you receive a call out of the blue claiming to be from M&S Bank and you are asked to download software which allows the caller to take control of your device or computer, hang up and call us immediately on 0345 900 0900 (this number can be checked against the number on the back of your card).

Criminals are circulating a scam on social media sites which promotes the reclaiming of direct debits on accounts in order to quickly make money.

Victims of this scam are asked to provide their bank account details to criminals acting as a Third Party on their behalf. The scammer will then contact the bank, advising to cancel one or more existing Direct Debit payments and claim back already paid money, taking a fee for their "service".

Unfortunately, any money refunded is still owed by the victim and will likely be reclaimed by the company in a future Direct Debit payment. Resulting in the victim losing out on the money paid as a 'fee' to the criminal.

Remember, never disclose your security details such as a PINs, Passwords or Bank Details, only a fraudster would ask for these.

If you think you've been a victim of fraud, please contact us immediately either online or via the phone on 0345 900 0900.

Fraudsters may tempt you with investment opportunities in cryptocurrencies.

Beware of cold callers and adverts on social media advertising crypto assets, in particular promises of high returns and pressure to invest quickly.

Some scams claim to be investing in cryptocurrency, but they’re not paying a wallet provider. If they are paying a wallet provider, check the following:

• how do you know the wallet is in your name and only you have access to it?
• if the payment does go to a wallet you control, why are you being asked to move your currency to another wallet?
• how can you keep the contents of your wallet secure and never share access details with anyone else?

Always conduct your own due diligence prior to investing any funds. The FCA website provides details around crypto assets and also has a list of all regulated companies.

You can find out more about cryptocurrency scams from the national cybercrime reporting centre ActionFraud.

Criminals are sending fake text messages and emails claiming to be from a delivery company.

They say they tried to deliver a parcel to you and ask you to click on a link to find out more or rearrange delivery.

Don't click on any links or give any information, especially personal or financial details.

If you think the message may be genuine, open a separate window and visit the company's website using an address that you know is safe. Once there, you can enter your tracking number to see if the message was genuine.

If you think the message isn't genuine, delete it.

Never give any information if you're contacted unexpectedly by email, phone or text. Contact the company separately using a phone number you trust.

Please call us immediately on 0345 900 0900 if you think you've been a victim of this scam.

Fraudsters will try to take advantage of the cost of living crisis and might get in contact about a range of issues affecting us all. They might pretend to represent local councils offering financial support, energy companies, or retailers offering too-good-to-be-true discounts, or direct you to fake loan websites or offers.

The rising cost of energy is also leading to scammers contacting consumers about energy price offers and refunds. If someone gets in touch about an offer for a great energy price deal or a refund, don't click on any links or give them any personal information over the phone. Genuine companies will understand if you want to look into the offer, or call back on a number you can find on their website.

If you're looking for retail offers and discounts, be wary of offers that seem too good to be true. Use reputable discount websites by typing the address in rather than using a search engine, or go directly to the retailer.

Remember, never disclose your security details such as a PINs, One Time Passcodes (OTPs), Passwords or Bank Details, only a fraudster would ask for these.

If you think you've been a victim of fraud, please contact us immediately either online or via the phone on 0345 900 0900.

Impersonation scams, where criminals pretend to be from organisations we know and trust, are becoming much more common. They often start with a phone call, email or text informing you:

• your National Insurance number has been compromised
• you’re eligible for a tax rebate from HMRC
• there’s been a suspicious transaction on your card or bank account
• your account with a retailer has been compromised

Whatever the reason given for contacting you, if it’s a scam, they’re trying to trick you into giving them money or personal/financial details and they’ll often try to pressure you into taking action immediately.

Criminals sometimes make the call seem more authentic by using ‘number spoofing’. This makes their phone number look like one you know and trust.

Remember, never disclose your security details such as a PIN, online password or temporary 'one time passcodes’, only a fraudster would ask for these.

To help protect yourself from fraud, find out more about impersonation scams by downloading our scams leaflet (PDF, 255KB).

Around Valentine's Day, fraudsters are known to target victims in what is often known as a 'romance' scam.

These scams work by exploiting your emotions. Fraudsters set up fake profiles on dating websites, apps and social media. They try to appeal to your compassionate side and then ask for money.

To avoid falling victim to a romance scam, never send money to someone you've only met online.

Fraudsters often go to great lengths to gain your trust, sometimes sending gifts such as flowers, wine or chocolates. They usually ask for lots of personal information but share very little about themselves. Here are some tell-tale signs that you're actually dealing with a fraudster:

• They seem to have fallen in love with you rather quickly
• They soon want to leave the dating site or app, to use instant messaging, email or text instead
• They claim to be from the UK, but say they're away working or travelling
• They plan a visit to see you, but something comes up at the last minute to prevent them from coming

If you think you may have been the victim of a scam, report it to us as soon as soon as possible by calling 0345 900 0900. You should also report it to Action Fraud.

Recently, we've seen an increase in authorised push payment (APP) scams, also known as bank transfer scams, which happen when fraudsters trick victims into unknowingly transferring money into an account they control.

Usually, fraudsters gain access to a victim's information via a hacked email account and then contact them pretending to be someone the victim does business with or posing as a trusted organisation - such as the police or HMRC.

For example, some scammers will say they're calling from your bank's fraud team about a security issue and ask you to authorise a payment into a 'safe account'. Others will pretend to be a contractor they know you've hired after gleaning information from your email - such as an estate agent, solicitor or driveway repair company - and trick you into paying an expected invoice into their account instead.

Always remember, M&S Bank will never ask you to disclose your security details such as a PIN, online password or temporary 'one time passcodes' and would never ask you to move your funds to a 'safe account'.

APP fraud can happen to anyone and so it is critical you ask yourself the right questions before you make any payments:

• Have you been contacted unexpectedly to make this payment? Have you received an unexpected email or phone call?
• How were you given the bank details? If by email, SMS or phone call, these should be checked with a trusted source before proceeding
• Why are you making the payment today?
• Is this a payment you've been planning to make?
• Is this a regular payment that you are going to be making?

If you think you've been a victim of APP fraud, please call us immediately on 0345 900 0900 (this number can be checked against the number on the back of your card).

There's been an increase in criminals taking over mobile phone numbers using SIM swap and number porting fraud.

This gives fraudsters control of their victims' calls and texts and allows them to authorise payments set up in online banking, using personal data they've gained through social media.

With SIM swap, they contact the network provider impersonating their victims. They claim their phone has been damaged and ask for a new SIM for their new device.

Number porting is similar - the criminals impersonate their victims to get the PAC code (porting authorisation code), which is needed to switch from one network to another. Sometimes they might also hack into their online mobile phone account. Once they have the code, they move the number to a new network provider. Other techniques include claiming their SIM has been damaged and asking for a replacement, either by phone or in a shop.

Criminals often get personal data for their impersonations from social media.

If calls and texts stop working on your phone, your number could have been stolen - particularly if you're in a place where you normally have good reception. This is because a mobile phone number can only link to one SIM at a time.

If this happens, contact your network provider straight away. If you can't get through, contact your bank to remove the phone number from your account.

Purchase scams happen when you’re paying for an item or service. The item doesn't arrive or the service doesn't happen and your money is lost.

Typically, these scams:

• seem too good to be true – probably because they are
• have 'limited availability' or are a 'special offer' to encourage you to act before you have time to think it through
• ask you to send money via bank transfer rather than using normal ways to pay

Remember to:

• use safe sites when shopping online
• use safe ways to pay, such as your debit or credit card 
• check the returns and cancellations policy
• research the retailer online to make sure they’re legitimate
• stop and think – would you be willing to send cash in the post for an item you've ordered?
• research and check the validity of the item before agreeing to pay via other means

If you've been a victim of a purchase scam, please call us on 0345 900 0900 so we can look into your case.

These scams involve switching real QR codes with fake ones, then persuading their targets to scan the QR code with their phone. If you scan the code you could find money is taken from your bank account or malware is downloaded onto your phone.

M&S Bank will only ever ask you to scan a QR code in the following scenarios: 

• as an existing customer, when activating Internet Banking on a new device using your old device registered with us
• as a new customer, during the process of completing identification checks when opening an account online
• to find out more about one of our products or services
• to easily navigate to the relevant app store to download the M&S Banking App

If you’re asked to scan an M&S Bank QR code in another scenario, it will not be genuine.

Criminals may contact you to offer investment opportunities which may seem too good to be true.

They often use false testimonials, fake celebrity endorsements, spoof websites and fake companies with similar names to genuine investment organisations. They can usually provide convincing marketing materials to make the scams appear genuine.

Check the Financial Conduct Authority (FCA) website to confirm the company is authorised and also look for verified contact details. The FCA also has a list of known scam companies and advice on how to avoid investment scams.

Criminals claim they can unlock pension funds by moving them from an existing scheme to a new one, allowing early access to benefits before the legal age of 55. Targets may be told by the scammer not to tell their pension provider why they’re trying to withdraw funds.

Victims of these scams are usually asked to pay a very high fee and may also face serious tax consequences. Be wary of scams like this and, if in doubt, seek advice from registered pension providers.

There are many fake websites, online adverts, emails, social media posts and texts that promise great holidays or travel arrangements which are fake. Either the holiday doesn’t exist – or it does exist, but has been sold to you by a criminal who isn’t in a position to actually sell it to you.

You might not realise you’ve been scammed until the flight tickets don’t arrive, or you turn up at the resort, airport or cruise terminal only to find there’s no holiday and you’ve lost your money.

Whether it’s a short break or a dream holiday, you can find out more about how to avoid this type of scam by checking out Get Safe Online.

Criminals often target those who are strapped for cash to act as 'money mules'. By agreeing to do this, you allow money to be transferred through your account in exchange for payment.

You'll be asked to provide your bank details, receive a payment into your account and then, either withdraw it in cash, or transfer it to another account.

Job adverts and spam emails offer 'easy money' and it might seem a harmless way to earn income, but the money being transferred is stolen and used to fund organised crime.

This can get you into serious trouble. If you're caught, your bank accounts will be closed, you'll have problems applying for a loan, a mortgage or even a mobile phone contract. You may also be given a prison sentence of up to 14 years.

To learn more about the consequences of becoming a money mule and what the proceeds of money laundering are used for, check out the Don't Be Fooled website.

Some fraudsters will phone on your landline claiming to be from your bank, credit card company or the police, and tell you that your account has been compromised. They may say that a courier needs to collect your cards or ask you to purchase high value goods or foreign currency for collection. They may also ask you to write down your PIN and hand it over as well. To add credibility the fraudster may even advise you to cut the card in half.

Identity theft happens when fraudsters get enough information about someone's identity (such as their name, date of birth, current or previous addresses) to commit identity fraud.

Identity fraud happens when someone uses your personal details without your knowledge or consent. They might use the information to get a credit card or loan. You may only find out that you've been a victim of identity theft when you start to receive bills for things you haven't ordered or received.

Bitcoins are increasingly becoming a more common target for fraud and scams, due to the difficulty in tracking the funds. Fraudsters can employ a range of tactics including; creating fake exchanges to purchase Bitcoins, fake giveaways to secure personal details or Ponzi schemes where victims are offered a guaranteed return in exchange for an upfront deposit.

Payment diversion scams are where victims are intending to pay a genuine party but have been contacted by a fraudster and given the fraudster's bank details to send funds to. For example, a fraudster masquerading as a conveyancer during a house sale and instructing the victim to transfer funds to a fraudulent account.