
Stay Safe From Insurance Scams

Insurance scams take many forms. It could be fake policies for sale on social media, people being tricked into thinking they’re entitled to compensation or criminals who deliberately crash into other drivers to make a claim. In recent months, we’ve also seen an increase in fraudsters targeting people affected by Covid-19 to steal money and personal information.

Insurance scams are estimated to cost consumers in the UK more than £3 billion each year.

A YouGov survey into the public’s understanding of insurance scams showed:

  • 95% of the people sampled ‘knew little’ or ‘knew nothing’ about insurance fraud.
  • Only 18% had heard of claims farming.
  • Only 15% had heard of Ghost Broking.
  • A total of 58% were either ‘very worried’ or ‘fairly worried’ about falling victim to data theft.

Report insurance fraud to CheatLine by calling 0800 422 0421.

It’s safe, easy and completely confidential – and if you don’t want to provide your details, that’s okay. You can do it anonymously. There are three pages of questions that should only take a few minutes to complete depending upon the information you have. The first page asks for details about the perpetrators, the second asks for further information you might have, the third asks how you know about CheatLine and if we can contact you should we need to; you simply need to say yes and leave contact details, or no and report anonymously.

We share the information you provide with insurers, the police and industry watchdogs, helping to protect people from insurance scams.

Typical Insurance Frauds

Application fraud – Where inaccurate or misleading information has been provided to obtain insurance cover.

Claims fraud – You suspect someone has voluntarily provided, or has been coerced to provide, inaccurate information as part of an insurance claim.

Claims farming – Actively incentivising someone to make a false claim or provide misleading information as part of a genuine insurance claim.

Data theft – Stealing or acquiring personal data to obtain insurance or make a fraudulent insurance claim.


Know the signs of these common insurance scams

Compensation scams

If contacted out of the blue, never provide personal or financial information.

Only make a claim directly through the insurance provider and only use the contact details provided at the point the policy was taken out.

If support is required to manage a claim, use a reputable FCA-registered company or SRA-regulated (Solicitors Regulation Authority) Solicitors firm.

Take steps to protect personal data from being stolen to help to prevent being targeted. Guidance can be found at the Information Commissioner’s Office.

Ghost broking

When buying insurance, check that the seller is registered with:

The British Insurance Brokers’ Association (BIBA) if it’s an Insurance Broker.

The Motor Insurers’ Bureau (MIB) if it’s an insurer selling motor insurance.

The Financial Conduct Authority (FCA) can also be checked for all Insurance Advisors.

It’s recommended to check that the seller has a legitimate website, UK phone number and address. It’s also important to look out for any behavior that seems unprofessional or unusual.

Crash for Cash

There are several ways drivers can protect themselves from ‘Crash for Cash’ scams:

Keep your distance – Always keep a safe distance from the vehicle in front:

Two seconds in dry conditions. Four seconds in wet conditions. 20 seconds in ice/snow.

Stay alert – Drive safe and stick to the Highway Code. If you see someone driving suspiciously, stay calm and keep back.

Know the signs – if you’re involved in a suspicious collision the other driver or their passengers might:

Appear unfazed by the collision.

Display injuries at complete odds with the impact of the collision.

Provide pre-written insurance details.

If you have any experiences with these scams do let me know, by email.

Fightback Ninja Signature

How to Report a Data Breach to the Information Commissioner

Not all organisation data breaches need to be reported to the Information Commissioner’s Office (ICO).

ICO do recommend that any serious breach is reported to them, but it isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

  1. The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.

Ways in which detriment can occur include:

  1. exposure to identity theft through the release of non-public identifiers, eg passport number
  2. information about the private aspects of a person’s life becoming known to others, eg financial circumstances

The extent of detriment likely to occur is dependent on both the volume of personal data involved and the sensitivity of the data where there is significant actual or potential detriment as a result of the breach.

Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information, there is no need to report.

  1. The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
  2. The sensitivity of the data lost / released / corrupted:

How to Report a Breach

Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and give you advice about what to do next. Alternatively, report in writing using the DPA security breach notification form, which should be sent to the email address [email protected] or by post to the office address at: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.

ICO may:

  • Record the breach and take no further action, or
  • Investigate the circumstances of the breach and any remedial action, which could lead to further action;
  • Set a requirement on the data controller to undertake a course of action to prevent further breaches;
  • Start formal enforcement action which could lead to a fine of up to £500,000

For further information see


Amazon Merged Reviews Make No Sense

Amazon monitors product reviews by the public and manages to delete most fake reviews, but “merged reviews” are proving to be a problem as scammers are increasingly using them.

Merged reviews are where a seller may have multiple items that are basically the same item but with very minor differences such as woolly hats where one has a bobble on top and the other doesn’t.

In these cases Amazon allows for the same reviews to appear on both products.

But scammers are merging reviews for entirely different products in order to show popularity for items that haven’t earned it.

Which? magazine investigated this and found, for example, reviews for headphones that are actually reviews for cuddly toys – done as a way of getting apparently excellent reviews for a new product. Some of these scammers are dumb enough to do this even where the original reviews have photos attached to show they are completely different products.

Which? found that nine out of 10 of the top-rated headphones on the site earlier this year had glowing reviews for a range of unrelated products.

Amazon took action to remove these products and reviews, once informed of the problem.

But using such reviews for unrelated products is against Amazon’s terms and conditions, because it can make something look more popular than it is.

Which? focused on just one category – Bluetooth-enabled headphones – and followed the reviews for the top 10 products over the course of a month, from February to March this year.

Most of the brands were not household names and were all sold by more than one seller, so Which? was unable to determine whether the brands themselves were implicated in any wrongdoing.

One headphone listing had 863 reviews for a personalised jigsaw puzzle, while a third had 1,386 reviews for beach umbrellas.

Only one of the headphones on the list, made by Bose, one of the best-known audio electronics firms, showed no evidence of review merging. But its headphones were ranked only eighth best out of the 10 investigated.

Which? magazine focussed on earphones but also found that various other products have the same problem.

If you’re relying on customer reviews, then try to make sure they are genuine.
E.g. check if there is a photo attached that matches the product and ignore any reviews that could conceivably be for anything else.

If you have any experiences with these issues do let me know, by email.


Scammers Make Their Offer Irresistible

Scammers use a set of psychological tricks to make you trust whatever they are offering.

These ‘tricks’ are well known and used by marketers and many others.

These include:

  1. Create a sense of legitimacy
    • Lists of references from satisfied customers
    • ‘Professional’ reviews of the product or service
    • Celebrity endorsements
    • Ride on the back of well respected products
  2. Invoke emotion
    • Create excitement around a new release or a ‘first’ of some kind
    • Create fear about missing out on the product or service
    • Create worry about regretting not taking the opportunity
    • Create anger that the product has been kept hidden away from the public until now
  3. Create a sense of urgency
    • Fake deadline
    • Only a limited number/amount of the product remains
    • Be the first to get this product or service
  4. Use social influence
    • Happy references from members of the public
    • 100,000 people have tried this and recommend it


Do think about how the scammer’s message affects you before making any decisions. This also applies whenever someone is trying to sell you something or to get you to do something, and always applies to unsolicited emails, texts and calls.


UK Gov Phishing Attacks

A phishing attack is when criminals create fake websites that look like well-known websites such as Marks and Spencer or HMRC or British Gas etc. They use the fake websites to get your confidential information.

Top 10 Government ‘Brands’

Brand                              No of phishing sites   No of attack groups   Phishing site availability in hours
HM Revenue & Customs               16,064                 2,466                 10
                                   1,541                  241                   15
TV Licensing                       172                    93                    5
DVLA                               107                    53                    11
Government Gateway                 46                     22                    6
Crown Prosecution Service          43                     26                    15
Student Loans Company              19                     11                    17
Student Finance Direct             13                     3                     3
British Broadcasting Corporation   8                      7                     35


When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked to take the site down. While some government departments do their own brand protection, most don’t and it is simpler and cheaper for this to be done centrally.

Example of a phishing site impersonating HMRC

The domain name that’s been used is onlinehmrctax @ That’s intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this and many are hosted in areas of legitimate sites that have been compromised by the criminal. Phishing sites are also automatically added to a number of industry safe browsing lists that are consumed by the major browsers and so even if the hosting provider doesn’t respond, or it takes a long time for the site to be removed, users of modern browsers with the default security settings are protected anyway.

The availability of an attack is the total amount of time the phishing site is available from when the Netcraft service first becomes aware of the attack through to when it is finally taken down. This accounts for the times when an attack is reinstated by the criminal after first being taken down by the provider, which can happen multiple times in some cases. It is also often the case that a single attack can involve multiple spoof sites, hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew statistics through the responsiveness or otherwise of the hosting provider. Given a group of attacks are all hosted on the same ‘server’, we group these together taking the longest time any one of them is available as the availability for that group.
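The availability measure described above can be computed from a takedown log as follows. This is an added example, not code from the report or the takedown service; the event format, URLs and addresses are constructed, and it assumes availability means the span from first sighting to final takedown, so time between a takedown and a reinstatement is included.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): (url, hosting server, event, timestamp).
# "seen" = the monitoring service observes the site live; "down" = the host removes it.
EVENTS = [
    ("http://a.example/hmrc/refund", "198.51.100.7", "seen", "2017-03-01T09:00"),
    ("http://a.example/hmrc/refund", "198.51.100.7", "down", "2017-03-01T13:00"),
    ("http://a.example/hmrc/refund", "198.51.100.7", "seen", "2017-03-01T20:00"),  # reinstated
    ("http://a.example/hmrc/refund", "198.51.100.7", "down", "2017-03-02T01:00"),
    ("http://b.example/tax", "198.51.100.7", "seen", "2017-03-01T10:00"),
    ("http://b.example/tax", "198.51.100.7", "down", "2017-03-01T12:00"),
    ("http://c.example/login", "203.0.113.9", "seen", "2017-03-05T08:00"),
    ("http://c.example/login", "203.0.113.9", "down", "2017-03-05T14:30"),
]

def url_availability_hours(events):
    """Hours from first sighting to final takedown per URL; None if still live."""
    per_url = defaultdict(list)
    for url, server, kind, ts in events:
        per_url[(server, url)].append((datetime.fromisoformat(ts), kind))
    result = {}
    for key, evs in per_url.items():
        evs.sort()
        first_seen = next((t for t, k in evs if k == "seen"), None)
        if first_seen is None:
            continue  # takedown recorded without a sighting: nothing to measure
        last_time, last_kind = evs[-1]
        if last_kind == "down":
            result[key] = (last_time - first_seen).total_seconds() / 3600
        else:
            result[key] = None  # reinstated and not yet removed again
    return result

def group_availability_hours(events):
    """One figure per server: the longest availability of any URL hosted on it."""
    groups = defaultdict(list)
    for (server, _url), hours in url_availability_hours(events).items():
        groups[server].append(hours)
    # A group with a URL that is still live has no final figure yet.
    return {s: (None if None in hs else max(hs)) for s, hs in groups.items()}

if __name__ == "__main__":
    for server, hours in group_availability_hours(EVENTS).items():
        print(server, hours)
```

Grouping by server means the two URLs on 198.51.100.7 count once, at the longer of their two figures, so a host with many spoof URLs does not dominate the statistics.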

Over the last calendar year, we’ve taken down 18,067 HMG-related phishing sites.

For comparison, in the previous 6 months, the volume was 19,443 sites, also shown on the chart. It’s clear that we have performed fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of the global phishing and so this strongly suggests that there has been less HMG-related phishing this year than last.

However, it is very likely (in the opinion of the author) that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.

It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.


Dark Web Pricelist

The Dark Web is the name for websites and services on the Internet that are hidden. You cannot find them on Google or other normal search engines – only on ones for criminal purposes or if you have the direct URL.

On the Dark Web, people buy and sell assorted criminal products and services such as selling stolen credit cards, providing ransomware as a service, facilities to send out mass scam emails etc.

It’s a bad place filled with bad people.

Below are some example prices charged for stolen information, credit cards etc. as found by researchers in October 2020.

Category / Product                                          Price

Credit Card Data
Cloned Mastercard with PIN                                  $15
Cloned American Express with PIN                            $35
Cloned VISA with PIN                                        $25
Credit card details, account balance up to $1000            $12
Credit card details, account balance up to $5000            $20
Stolen online banking logins, minimum $100 on account       $35
Stolen online banking logins, minimum $2000 on account      $65
Walmart account with credit card attached                   $10

Payment processing services
Stolen PayPal account details, minimum $100                 $198.56
Western Union transfer from stolen account, above $1000     $98.15

Forged documents
US driving license, average quality                         $70
US driving license, high quality                            $550
Auto insurance card                                         $70
AAA emergency road service membership card                  $70
Wells Fargo bank statement                                  $25
US, Canada, or Europe passport                              $1500
Europe national ID card                                     $550


If you have any experiences with these scams do let me know, by email.
