Barclays released an advert on YouTube titled Scam or Legit in November 2022. It features YouTubers Chunkz and Young Filly.
The video acknowledges that it’s hard to spot scams today, but the provided examples and advice do not readily improve matters, they just give further evidence of a challenging environment.
The solution offered is to check spelling and grammar. This is outdated advice — many scams use correct spelling and grammar. Of course, if there are errors, it should reveal a scam, but it should not be the singular advice. The implication from their advice is that if it reads okay, it is likely safe.
In reality, the most important thing to check is the link, the URL, and what they are asking you to do.
They graphic highlights the malicious signals of the text, including bad domains, but the presenters do not talk about them.
This is poor and incomplete advice. Chunkz says this is legitimate because it’s a one-time password, on their basis that if you’re using one-time passwords, you’ve gone beyond simple passwords and are using multi-factor authentication, so you’re improving your security. But the video doesn’t explain this, they don’t say what one-time passwords are and why you would use them.
People should adopt one-time passwords and multi-factor authentication, but this is not the end of the story. If you receive a text like this, and you’re not expecting it, it means someone is trying to log in as you. They might try and obtain this code from you in other channels. They shouldn’t be able to log in without the one-time password but you should see this text as a signal to check your account (not using any links in the text). You should check your account because often the one-time password is requested after the password is successfully entered, which means a malicious party could have your password, and so you should change your password. It could also be that someone has signed up for an account with some business with your phone number, which should be investigated.
If you’re not logging in, you shouldn’t see this message, so if you get it out of the blue, it is something to be checked with the official website by logging in yourself.
The principal signal they used to identify the scam is that the message says “from your GP”, rather than the name of your GP. The presence of the real GP or surgery name should not convince the recipient it is safe and legitimate.
They do mention the strangeness of the URL which is good to talk about. They mention that it has a lot of “slashes” meaning dashes or hyphens. This isn’t everything though. The fact it ends in "·info"
is important, because this is unusual in UK health settings. You would expect a domain of "nhs·uk"
or your medical centre website which probably ends in "·co·uk"
. To me, this link looks very suspect. But it could appear much more genuine and hard to spot by eye that it’s a scam — this link could look legitimate with a more targeted domain name, perhaps something which is closer to the name of your GP.
A link checker would help to confirm it is safe.
This is the kicker.
Barclays report that this message is legitimate. They say it’s safe because it mentions the name of the driver, “Ryan”, and it’s to deliver a parcel. Ostensibly, because it doesn’t mention any fees and doesn’t have spelling mistakes, it’s okay. Crucially, they do not talk about the safety of the link. How do you know, just from the message that it’s safe? What if when you click the link, it takes you to a site claiming there are delivery fees to pay, asking for your personal information and bank details. This would be unsafe. This is even more apparent with the use of "bit·ly"
, a link shortening service that will redirect to another site when clicked. You do not know the final destination, you cannot trust "bit·ly"
links on visual inspection.
The conflicting advice on link safety from Barclays is confusing and dangerous. In saying the previous message was bad because of an unsafe link, Barclays should not claim that this link or message is safe. It is equally unsafe. Until proven otherwise, links should be considered unsafe. Until you know where the link goes, what the URL is in your browser, and what it’s asking you to do, it’s unsafe.
This further emphasises the pressing need to use a link checker to confirm safety.
Always scan for a scam? How? In what way? The methods described won’t work for scams in the wild.
At the end of the video, I am no clearer in my understanding of phishing and scams, and doubtless the same for others. All it achieves is making people more nervous and afraid. If it makes people more aware and alert, it may have some of the effect Barclays desired, but it does not offer concrete advice and positive examples that make a real difference.
Chunkz and Young Filly are trying to do their bit in the war on scams; I do not place the blame for the errors with them. Barclays, with their responsibility to keep customers and their accounts safe, are at fault here. It is their video, emblazoned with their branding, and sponsored by them.
The video has the wrong examples, wrong explanations and sometimes the opposite advice. At its best, it has little impact in helping people identify a scam themselves. At its worst, their misplaced and dangerous advice on link and message safety could lull people into false safety and make scam detection worse.