Report Fraud

UK Dial: 0330 156 0155

Overseas Dial: +44 1606 566208

Suspicious email

Barclays will never send you unsolicited emails requesting personal information or your bank security details. If you receive a suspicious email, please send it on as an attachment to internetsecurity@barclays.co.uk and delete the email immediately.

Invoice and CEO Fraud: 

Invoice fraud (also known as mandate or change of existing payee fraud) occurs when fraudsters impersonate new or existing suppliers in an attempt to redirect payments to accounts managed by them. They often state that their payment details have changed, provide new account details and imply urgency. The scam may only come to light when the genuine supplier seeks payment.

With CEO Fraud fraudsters will pose as senior management or other members of staff within your business and request urgent payments.

Fraudsters have been known to target businesses ahead of public holidays so be mindful of any last-minute requests, including end of day emails when staff are leaving the office.

These scams pose a constant threat and continue to contribute to devastating financial losses to businesses across the globe. Verbal checks are essential to protect your organisation from these scams. Below are some tips on how to carry these out effectively:With CEO Fraud fraudsters will pose as senior management or other members of staff within your business and request urgent payments.

Fraudsters have been known to target businesses ahead of public holidays so be mindful of any last-minute requests, including end of day emails when staff are leaving the office.

These scams pose a constant threat and continue to contribute to devastating financial losses to businesses across the globe. Verbal checks are essential to protect your organisation from these scams. Below are some tips on how to carry these out effectively:

• Always conduct verbal checks over the phone for any new or amended payment instructions, and any requests to amend contact details
• Use contact details you hold on file, and apply the same principles to requests from within your organisation
• Don’t use a number included within the request to make the call as this could result in you speaking with the fraudster
• Ask your contact to read the beneficiary bank details back to you - this will confirm whether they match the details provided to you in the instruction
• Never rely on an in-bound call for confirmation
• Don’t rush - if you feel pressured to make a decision, take five minutes to stop and think about what is being asked of you, and follow the steps above.  

Confirmation of Payee (CoP):

The CoP service enables consumers, businesses and corporations to check the name of an account against the sort code and account number. Though this is a valuable anti-fraud tool, it’s important to understand CoP’s limitations. The following payment types are in scope for CoP when submitted as single payments electronically via our online payment channels:

• Faster Payment Service (FPS)
• CHAPS
• Standing Orders

BACS and currency payments however are out of scope.

Fraudsters understand the CoP functionality including its limitations and will adapt their approach accordingly. Examples of this could include:

•  Setting up accounts in the name of the business or individual they are impersonating so that a CoP ‘Match’ gives confidence to the target that they are paying a genuine beneficiary
• Convincing the target to ignore any ‘No Match’ results with reasons as to why this may have occurred such as ‘an issue with our account that’s being looked into with our bank’.

CoP cannot be relied upon alone to validate that a payment request is genuine or to prevent fraud and should be used in conjunction with strong fraud controls such as conducting verbal checks on payment requests. 

Business Email Compromise (BEC): 

Phishing is the fraudulent use of emails to manipulate targets into revealing passwords and sensitive information or transferring money into other accounts. Phishing messages often contain links to fake websites that request password and account information or install viruses in your devices.

BEC  is a sophisticated type of phishing where criminals gain access to an individual’s email account and use their emails to pose as a trusted individual to try and trick you into sending money or divulging confidential information. This makes it harder to spot inconsistencies in email requests that appear to come from a known contact as the email address will be genuine and the fraudster can use previous correspondence to adopt the appropriate tone and language used.

Protecting your business from phishing:

• Stay vigilant: Be alert to the style, tone and grammar of emails you receive, especially if they don’t use your name but remember, if the sender email address has been compromised there may be no red flags and it may even follow an existing email chain
• Double check: Evaluate what is being asked of you and verify any instructions received by other means such as using a contact number held on file
• Unverified senders and links: Never enter any personal or security information in a site accessed through an unverified email link, click on links, or open attachments in emails from unverified senders 
• Wider implications: Phishing and malware can be used to gain access to a genuine email account (BEC) leading to fraud and scams, and/or data breaches. For this reason, it’s important that you carry out due diligence before you act in relation to any requests received
• Remember: We will never contact you and ask for your PIN, passcodes, complete passwords, full account details, QR Codes or Device Activation Codes

Employee training: Make all staff aware of the risks of phishing emails, especially payment scams, and inform them of how to respond if they are targeted.

Impersonation Fraud:

Vishing is the fraudulent use of phone calls or voice messages to impersonate trusted organisations to obtain sensitive information. Bank impersonation vishing attacks are becoming increasingly prevalent where criminals call customers posing as Barclays bank staff, advising that there is an issue with a payment or that access to their account has been restricted.

They often give a telephone number for the customer to call back and encourage customers to visit a website address with a ‘live chat’ that allows them to gain access to the customers’ online banking platforms. The customer is then encouraged to enter their PIN or use their authentication device to ‘reinstate access’, but what this actually does is authorise payments set up by the fraudster to accounts they control.

Don’t let the fraudsters in:

• It’s important to never assume a caller is legitimate because they know information about you, your company or your colleagues
• Caller ID can be faked, so never rely on that as an indicator of legitimacy. Call backs should only be made to a known genuine number, never one provided by a caller
• Be wary of visiting links provided by a caller or received in an email or text message, these may be malicious
• Watch out for any unusual references such as ‘fraudulent activity’ or a ‘payment of concern’. Reference to a ‘restriction of access to your online accounts’ should also ring alarm bells.

To help protect your organisation remember, Barclays will never:

• Ask you to make payments or move money to a ‘safe account’
• Call you and ask you to provide or enter your PIN or use your biometric device, for ANY reason
• Ask you to provide QR Codes or Device Activation Codes via any method of communication
• Take control of your computer or call you unexpectedly and direct you to a website.

Purchase scams:

Scammers will trick businesses into buying products that don’t exist, such as vehicles, machinery, office supplies, or even contracts to supply services to an established and reputable business.

The product or service may be advertised online, or you may be approached directly by a seemingly legitimate company with an offer. After making a payment or payments for the goods, services or a registration fee, the product or contract is never received, and in many cases contact from the individual or company will cease, leaving you out of pocket.

Avoid falling victim to purchase scams:

• Do your research. If you’re planning to buy something online or make a deal with a new business, research the company and check reviews. Don’t solely rely on reviews on the company’s own website. Look for alternative online reviews on the company that may highlight risks
• Search for the company’s details via the relevant governing body website to check if the company is registered
• Check that the website is secure (i.e. begins with ‘https://’) and professional. Look out for any spelling or grammar mistakes
• Use https://www.whois.com/whois/ to check the domain details, such as the owner and the age of the website.
• Avoid making a big first-time order – if it seems too good to be true, it probably is!
• Check any documentation and serial numbers carefully to ensure what you’re buying is genuine and if there’s a good reason why the cost may be lower.

Ransomware: 

Ransomware is a type of malware that disables your IT system and prevents you from accessing your data, usually by encrypting files. A criminal group will then demand a ransom in exchange for decryption.

Preventing ransomware

• Layers of defence: Use layers of defence to help you detect malware and stop it causing harm 
• Backup files: Make regular backups of critical files. Store offline backups in a different location from your network and systems, or in a cloud service designed for this purpose
• Take initiative: Guard against malicious content reaching your devices, for instance by filtering file types and blocking malicious websites
• Antivirus and anti-malware software: Prevent malware from running if it does reach your company devices by using up-to-date antivirus or anti-malware products and technologies on all devices, including mobile phones and tablets
• Vet suppliers: Ensure your suppliers have the right level of protection 
• Employee Training: Train employees to be aware of the threat and vigilant about suspicious activity – malware is often delivered via email attachments