How to Avoid Online Fraud in the UK: Practical Tips to Protect Your Money
Published 20th of June 2012 · Updated 2 April 2026
Reviewed for accuracy April 2026
Online fraud is the most common crime in England and Wales. UK Finance reported that fraud losses totalled over £1.2 billion in 2023, with authorised push payment (APP) fraud - where victims are tricked into transferring money themselves - accounting for a large proportion. Protecting yourself requires knowing what fraud looks like and building habits that reduce your exposure.
Short Summary
Online fraud ranges from phishing emails and fake websites to sophisticated impersonation scams where criminals pose as your bank, HMRC or the police. No bank or government agency will ever ask you to transfer money urgently or share your full PIN or password.
Authorised push payment (APP) fraud is now the most common type. A criminal convinces you to send money voluntarily - often by impersonating your bank's fraud team. Your bank can recover these funds in some cases under the Payment Systems Regulator's mandatory reimbursement rules (introduced October 2023), but recovery is not guaranteed.
Strong, unique passwords and two-factor authentication (2FA) are your first line of defence for every account. A password manager such as Bitwarden or 1Password removes the need to remember dozens of different passwords.
If you believe you have been defrauded, contact your bank immediately on the number on the back of your card. Report the fraud to Action Fraud (0300 123 2040) and check your credit file for any accounts opened fraudulently.
What does online fraud actually look like?
Fraudsters use several well-established methods. Phishing emails impersonate trusted organisations - HMRC, Royal Mail, your bank - and direct you to fake websites designed to capture your login details or card numbers. Smishing works the same way via text message. Vishing involves a phone call from someone claiming to be your bank or a government agency.
More sophisticated scams include investment fraud (unusually high returns promised on cryptocurrency or other assets), romance fraud (a relationship cultivated online to extract money), and purchase fraud (goods paid for online that are never delivered). The National Fraud Intelligence Bureau (NFIB) tracks thousands of new variants each year.
How do I spot a phishing email or scam message?
Look for these warning signs:
- The sender's email address does not match the organisation's genuine domain (e.g. "[email protected]" is not HMRC)
- Urgent language pressuring you to act immediately ("your account will be suspended")
- Requests to click a link and enter login or payment details
- Grammar and spelling errors (though AI-generated scams are increasingly well-written)
- Requests for personal information that a legitimate organisation already holds
If you receive a suspicious message, do not click any links. Go directly to the organisation's official website by typing the address into your browser, or call them on a number from their official website - not from the message.
How can I protect my bank details online?
Use a unique, strong password for every financial account and enable two-factor authentication (2FA) wherever it is offered. 2FA sends a code to your phone or generates one via an app (such as Google Authenticator or Microsoft Authenticator) before granting access to your account. This means that even if a criminal obtains your password, they cannot log in without the second factor.
Never enter card details on a website that does not show "https" in the address bar and a padlock icon. Check the URL carefully - fraudulent sites often use slight misspellings of legitimate brand names. Avoid making financial transactions over public Wi-Fi networks; use your mobile data connection instead.
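The sender-domain warning sign and the advice to check URLs for slight misspellings can both be turned into an automated check, shown here as an added example that is not part of the original article. The allowlist, the distance limits and the sample addresses are constructed for illustration; `classify` and its helpers are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration: domains the reader already trusts.
GENUINE_DOMAINS = ("hmrc.gov.uk", "royalmail.com", "fca.org.uk")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value: str) -> str:
    """Return the lower-cased host of a URL or the domain part of an email address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify(value: str, genuine=GENUINE_DOMAINS):
    """Return (verdict, domain): 'genuine', 'lookalike' or 'unrelated'."""
    host = host_of(value)
    for d in genuine:
        if host == d or host.endswith("." + d):
            return ("genuine", d)
    labels = host.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for d in genuine:
        # Genuine name used as a prefix of someone else's domain.
        if host.startswith(d + ".") or "." + d + "." in host:
            return ("lookalike", d)
        # Slight misspelling; short names get a tighter limit to cut false alarms.
        limit = 1 if len(d) <= 10 else 2
        if any(0 < edit_distance(s, d) <= limit for s in suffixes):
            return ("lookalike", d)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample senders and links.
    for sample in ("no-reply@hmrc.gov.uk", "refunds@hmrc-gov.uk",
                   "https://royalmail.com.redelivery-fee.example/pay",
                   "https://www.roya1mail.com/track", "news@example.org"):
        print(f"{sample:52} {classify(sample)}")
```

A "lookalike" verdict is a prompt to stop and verify through the organisation's official website, and an "unrelated" verdict says nothing about whether the sender is trustworthy.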
What are the warning signs of an investment scam?
Investment scams typically promise returns significantly above market rates with little or no risk described. Common formats include cryptocurrency investment platforms, bond or stock investment schemes run outside the UK, and clone firm fraud (where a criminal impersonates a genuine FCA-regulated firm). The Financial Conduct Authority (FCA) maintains a warning list of known scam firms on its website at fca.org.uk/scamsmart.
Before investing in anything, check that the firm is on the FCA register. If someone contacts you unsolicited about an investment opportunity, treat it as suspicious.
What should I do if I think I've been scammed?
Act immediately:
- Contact your bank on the number on the back of your card. Ask them to stop any pending payments and flag your account.
- Report to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. Keep a reference number.
- Check your credit file through Experian, ClearScore or Credit Karma for any accounts or applications you did not make.
- Change passwords for any accounts that may have been compromised, starting with your email account.
- If you were deceived into sending money, ask your bank about reimbursement under the Payment Systems Regulator's mandatory reimbursement scheme.
| Fraud type | What to do immediately |
|---|---|
| Phishing - clicked a link | Change passwords; contact bank; check credit file |
| APP fraud - sent money | Call bank immediately; report to Action Fraud |
| Purchase fraud - goods not received | Report to Action Fraud; raise a chargeback with your card issuer |
| Investment scam | Report to Action Fraud and the FCA; do not send further money |
| Identity theft | Contact CIFAS (cifas.org.uk) to place a protective registration |
Frequently Asked Questions
Will my bank refund me if I am a victim of fraud?
If a criminal makes unauthorised transactions on your account without your involvement, your bank must refund you under the Payment Services Regulations. If you were tricked into authorising a payment yourself (APP fraud), the Payment Systems Regulator's mandatory reimbursement rules (in force from October 2023) require most banks to reimburse victims unless the bank can show you were grossly negligent. Contact your bank immediately and ask to speak to their fraud team.
Does online fraud affect my credit score?
It can, if a fraudster opens accounts or takes out credit in your name. Check your credit file with Experian, Equifax and TransUnion after any suspected fraud. You can place a CIFAS protective registration on your file (a small fee applies), which requires lenders to apply additional checks before approving credit in your name.
Is it safe to save my card details on shopping websites?
The risk is that if the retailer's database is breached, your card details may be exposed. Major retailers use tokenisation (which stores a reference rather than your actual card number), reducing this risk. Using a virtual card number through your bank's app (offered by some banks including Monzo and Starling) or paying via PayPal adds a layer of separation between the retailer and your actual card details.
What is the safest way to pay for things online?
Paying by credit card gives you the strongest consumer protection. Under Section 75 of the Consumer Credit Act, purchases between £100 and £30,000 on a credit card are covered jointly by the card issuer if the retailer fails to deliver. Debit card purchases can be disputed through the Visa or Mastercard chargeback scheme, though this is a voluntary process rather than a legal right.
How do I report a scam website?
Report scam websites to the National Cyber Security Centre (NCSC) at report.ncsc.gov.uk. The NCSC's takedown service has removed hundreds of thousands of scam sites. You can also report to Action Fraud and, if financial services fraud is involved, to the FCA via their online reporting tool at fca.org.uk.