New data have revealed half of adults reported receiving a "phishing" message in the month before being asked.
Those aged 25 to 44 years are most likely to be targeted, according to results from the Telephone-operated Crime Survey of England and Wales (TCSEW).
Traditionally sent via email, phishing involves messages from fraudsters posing as legitimate organisations to extract personal information, or money, from the victim.
They have exploited significant events, including the coronavirus (COVID-19) pandemic and the rising cost of living, to target victims.
There is also evidence of fraudsters taking advantage of widespread behavioural changes because of the pandemic, such as the rise in online shopping.
This includes a nine-fold rise in "advance fee fraud" (victims making upfront payments for goods or services which then do not materialise) and a 57% rise in "consumer and retail fraud" from pre-pandemic levels.
Advance fee fraud is significantly higher than pre-pandemic levels
Incidents of fraud, England and Wales, year ending March 2017 to year ending March 2020, Crime Survey of England and Wales, and year ending March 2022 interviews, Telephone Operated Crime Survey of England and Wales
Source: Office for National Statistics – Crime Survey of England and Wales (CSEW) and Telephone Operated Crime Survey of England and Wales (TCSEW)
Notes:
- TCSEW data are not directly comparable with CSEW estimates. Estimates from the TCSEW for the year ending March 2022 are compared with the year ending March 2020 using comparable data and are not part of the main CSEW time series.
It comes amid a general rise in fraud, with a 25% rise on pre-pandemic levels (to around 4.5 million offences) in the year to March 2022.
Almost two thirds (61%) of these were flagged as cyber-related (conducted online).
COVID-19 and the rising cost of living
Fraudsters are always adapting their phishing attacks, and recent emerging trends have exploited the COVID-19 pandemic and rising cost of living.
In the latest year, 4.8% of all fraud was perceived to be coronavirus-related, rising to 6.3% of all cyber fraud. In one campaign, victims received text messages apparently from the NHS claiming they had been in close contact with someone who had the Omicron variant.
The message provides a link to a website claiming to be hosted by the NHS where they can book a test, prompting them to provide personal information and pay a delivery fee.
Phishing attacks have exploited the COVID-19 pandemic
The National Fraud Intelligence Bureau (NFIB) at City of London Police, the national policing lead on fraud, has also identified new trends, as phishing attacks target those in a difficult financial situation.
They include the promise of energy and council tax rebates or encouraging people to apply for a "cost of living payment", mimicking genuine government support packages.
Of those who replied to or clicked on a link in a phishing message, more than a third (35%) said they did so for financial or material gain, and 30% to pay an invoice or bill, according to the TCSEW.
Some phishing messages mimic genuine government support
In the two weeks to 5 August 2022, more than 1,500 reports were made to the Suspicious Emails Reporting Service (SERS), run by the National Cyber Security Centre, about scam emails pretending to be legitimate energy rebates from Ofgem, the energy regulator in Great Britain.
The emails use the Ofgem logo and colours and have the subject header “Claim your bill rebate now”.
Cifas, a UK fraud prevention service, said there is a “real concern due to the rise in living costs, criminals will look to target loan products and deferred credit services.”
Common campaigns they have encountered include fraudsters posing as utility providers offering deals on energy bills, or competitions to win fuel vouchers.
What tactics are used?
Traditionally phishing has involved email messages.
However, other methods of communication are increasingly being used, with "smishing" (using text messages) now just as common as email phishing.
Almost a third (32%) of respondents to the TCSEW reported receiving a message via text or instant messaging, which may have been phishing, in the month before being asked.
This was a similar proportion to those who had received suspicious emails which could have been phishing (34%).
More than half (54%) of those who received phishing messages said the sender had been posing as a delivery company, as fraudsters take advantage of the rise of online shopping and homeworking.
A third (32%) received messages apparently from their bank or building society, and a quarter (25%) from government services.
More than half of those who received phishing messages reported they were from senders posing as delivery companies
If you have received a potential phishing message in the last month, what type of company were they pretending to be? TCSEW October 2021 to March 2022 interviews England and Wales
Source: Office for National Statistics – Telephone-operated Crime Survey for England and Wales (TCSEW)
The NFIB has also seen a rise in reports about scams where victims are targeted on WhatsApp by criminals pretending to be someone they know – typically their children.
Between 3 February and 21 June 2022, 1,235 reports were linked to this scam, with total reported losses exceeding £1.5 million.
Messages typically open with “Hello Mum” or “Hello Dad” and will say that they are texting from a new mobile number as their phone was lost or damaged. They will then ask for money to purchase a new one or claim that they need money urgently to pay a bill.
Other scams include posing as companies such as Tesco and Amazon, offering reward cards or vouchers in exchange for personal information.
Who is most at risk?
Among those who received suspected phishing messages, 3% replied or clicked on a link, which is equivalent to more than 700,000 people across England and Wales.
Of those who replied or clicked on a link, 11% provided information that could be used by fraudsters.
While this was fewer than 1% of those who had received a phishing message, it would equate to around 80,000 people across England and Wales.
Adults aged between 25 and 34 years or 35 and 44 years were more likely to receive a phishing message (58% and 60% respectively) than other age groups.
Those aged 35 to 44 years also had the highest proportion of respondents who replied to the message or clicked a link (4.8%).
Those aged 25 to 44 years were most likely to receive a phishing message
Proportion of adults who received a message that may have been phishing and the proportion of those who replied to or clicked on a link in the message, by personal characteristics
Source: Office for National Statistics – Telephone-operated Crime Survey for England and Wales (TCSEW)
Notes:
- Data for those aged 18 to 24 years are not reported because of a small unweighted base
Phishing is less common among older adults, with just over one in four (27.9%) of those aged 75 years and over receiving phishing messages in the previous month.
Those who are most often targeted by phishing attacks also have the most disposable income to lose, are homeowners, or have children to support.
In the financial year 2020 to 21, those aged 35 to 44 years had an average annual disposable income of £42,952. This is 23.3% higher than the youngest age group (18 to 24 years, £34,843) and 50.6% higher than the oldest (85 years and over, £28,516).
Adults were more likely to receive a phishing message if they:
- were employed (56% compared with 39% of unemployed adults)
- were married or in a civil partnership, or cohabiting (53% and 56% compared with 45% of single adults)
- lived in households with children (58% compared with 47% among adults in households without children)
- were homeowners or private renters (52% and 53% compared with 36% of social renters)
- lived in the least deprived areas in England (56% compared with 42% in the most deprived areas)
Adults in the least deprived areas of England were more likely to have received phishing messages
Proportion of adults who received a message that may have been phishing and the proportion of those who replied to or clicked on a link in the message, by personal characteristics
Source: Office for National Statistics – Telephone-operated Crime Survey for England and Wales (TCSEW)
Some of the groups who were least likely to receive a message were the most likely to engage with one. A higher proportion of adults responded to or clicked a link in a phishing message if they:
- were social renters (7% compared with 3% of homeowners)
- lived in the most deprived areas of England (5% compared with 2% in the least deprived areas)
What is phishing?
Phishing is when criminals use scam emails, text messages or phone calls to trick their victims.
It could be an email asking to verify bank account details, or a text message claiming the recipient has been in close contact with someone who has coronavirus.
The aim is to successfully deceive people into handing over personal and financial information, or parting with cash.
They will often be very convincing, using brand or company logos and linking to websites which appear genuine.
What can we do to protect ourselves?
The National Cyber Security Centre (NCSC) – a part of GCHQ – has published practical advice on how to spot phishing attempts and report suspicious messages.
By August 2022, more than 13 million reports were made to the Suspicious Email Reporting Service (SERS), with the removal of over 95,000 scams across 174,000 malicious websites.
SERS was launched by the NCSC and the City of London Police in April 2020 to enable the public to forward suspicious emails to an automated system that scans them for malicious links.
However, according to the TCSEW, only one in four (27%) of those who receive suspicious phishing messages report them to an authority.
And just 2% reported messages directly to the NCSC, with 9% reporting them directly to an internet or phone provider.
Below is some practical advice from Action Fraud you can follow when it comes to dealing with phishing scams:
- If you have any doubts about a message, contact the organisation directly.
- If you think an email could be a scam, you can report it by forwarding the email to: report@phishing.gov.uk.
- Most phone providers are part of a scheme that allows customers to report suspicious text messages for free by forwarding them to 7726.
- If you have lost money or provided personal information as a result of a phishing scam, notify your bank immediately and report it to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040. In Scotland, call Police Scotland on 101.
The NCSC also runs the Takedown Service as part of its Active Cyber Defence programme, which is aimed at high volume attacks, including phishing.
In 2021, the NCSC took down more than 2.7 million scam campaigns from the internet – a record number and nearly four times more than in 2020.
It took down more than 11,000 phishing campaigns which were disguised as coming from the UK government, as well as more than 1,400 NHS-themed phishing campaigns – an 11-fold increase on 2020.