The threat of scams and fraud facing Manx people has been laid bare in a report which has seen a 50 per cent increase suspicious email reports and a staggering £2.2m lost by victims.

The Annual Cyber Threat Update 2024 has been published by the Cyber Security Centre for the Isle of Man which has revealed some alarming figures and sets out the ways people are being targeted by scammers.

There were a total of 9,372 suspicious emails reported to the Suspicious Email Reporting Service (SERS) which is up 50.7% from the previous year, along with almost 500 cyber concerns reported.

The report sets out the types of scams and frauds committed and includes case studies from 2024.

This refers to the unauthorised access or takeover of an individual's or organisation's online account by a third-party, often with malicious intent

There were 47 such concerns reported resulting in £113,472 in financial loses with £95,000 the largest single loss.

In one case, more than 60 accounts were compromised in a targeted phishing attack using Manx Telecom and Manx.net branding, where victims received emails claiming their accounts would be closed unless they updated their details.

These emails led to phishing pages that captured login credentials, giving attackers access to the accounts. The accounts were then used to send fraudulent emails and execute gift card scams.

Victims, believing the emails were from trusted contacts, were coerced into purchasing gift cards and providing the scammer with the codes. In response, accounts were suspended, and users were advised to use stronger passwords to prevent future attacks.

Bank fraud refers to the deliberate and illegal act of using deceit, trickery, or false means to obtain money, assets, or other property owned or held by a financial institution.

There were eight such concerns reported with losses totalling £11,836.

In one case a complainant experienced fraudulent transactions on their Wise accounts, totalling £10,501.84. The funds were transferred to an individual in Ukraine.

Fraudulent/Scam websites involve the false misrepresentation of a legitimate website or a website set-up for the sole purpose of criminal activity.

There were 36 concerns reported with £844 financial loses reported.

Late last year a Facebook page called ‘Public Transport Isle of Man’, along with similar variations, using stock images and official logos advertised six months of free travel for £2.

These ads linked to an external site that asked generic questions before directing users to click on pictures of gift boxes.

The second box always revealed a ‘prize’ of cheap travel, leading to a page requesting personal and card details and initiating a €2 charge (foreign currency being a strong indicator this was a scam).

Victims later reported further unauthorised charges and spam emails and were advised to contact their banks to cancel or freeze their cards.

Removing these scam ads has been difficult due to ‘Facebook’s procedures and slow reporting process’, the report says.

Cybercriminals use a range of techniques, including impersonating a work colleague, friend or family member, in order to get you to purchase gift cards. The cards are then redeemed by the cybercriminal, and it is incredibly difficult to retrieve funds.

There were 11 such concerns raised with a total of £2,150 lost.

Typically, gift card fraud is commonly associated with business emails and became prevalent in 2024, as a direct consequence of the many Manx.net email accounts being compromised. (See the Accounts compromise section).

Investment scams are on the rise and criminals employ diverse tactics to deceive unsuspecting individuals.

This was the scam which generated the most losses with 35 concerns reported and with losses of £1,278,920.

They frequently exploit a person's interest in shares or cryptocurrency: enticing victims with promises of rapid returns. However, in many instances, these supposed shares or cryptocurrencies are non-existent.

One victim lost over £85,000 after investing in cryptocurrency through a fake trading platform, while others were deceived by fraudulent schemes using false celebrity endorsements, including Jeremy Clarkson and Richard Hammond.

An invoice scam is a type of fraud where criminals send fake invoices to businesses or individuals, hoping they will pay without verifying the details.

Scammers may impersonate legitimate suppliers, use phishing tactics, or intercept real invoices and alter payment details to divert funds to their accounts.

There were five such concerns reported with losses totalling £44,540.

In September 2024, a local organisation lost £37,640 in an authorised push payment (APP) scam after an employee’s email account was compromised through phishing.

The attacker, posing as a trusted entity, sent urgent emails with fake invoices, prompting multiple fraudulent payments. The scam remained undetected for weeks until a routine review identified breaches of internal payment procedures.

Purchase scams occur both in the real world and online. However, Island residents can be targeted from all over the world online, making any recovery of funds extremely difficult.

There were 60 concerns reported with losses totalling £24,204.

There is significant variety in purchase scams, from pets to flat deposits. Scams involving Facebook make up a significant number of reports. Typically purchase scams are often of a smaller amount but are far more frequent.

In one case a buyer on Facebook Marketplace attempted to purchase garden furniture for £200 and sent a £30 delivery fee via PayPal’s ‘goods and services’ option.

The seller falsely claimed they hadn’t received the payment because it wasn’t sent via the ‘friends and family’ option, which lacks buyer protection.

Suspecting a scam, the buyer blocked the seller on Facebook Messenger and WhatsApp. Days later, they received an unexplained £115 deposit from a stranger. Concerned, they contacted their bank, which reversed the deposit, cancelled their card, and secured their account.

In another case, a buyer ordered a neon sign from a Facebook seller, making three payments totalling £34 via PayPal’s ‘friends and family’ option. The seller never delivered the item, and the victim couldn’t dispute the transactions despite having proof of chats and payments.

What is particularly worrying about romance scams is the emotional impact they have on the victim and their close friends and family.

There were seven concerns reported totalling £40,500 although these figures could be far higher.

Two scams over the year highlight that while financial losses weren't incurred, scammers will invest significant amounts of time to manipulate victims in the hopes of conning them out of money.

In the first case, a scammer posing as ‘Alice Wellberk’ on Meetisleofmansingles.co.uk used WhatsApp (+44 7908 922293) to gain trust by sharing explicit content before attempting to obtain the victim’s bank details.

The individual, unaware of such scams, reported the incident to the police and blocked the scammer before any money was lost.

In the second case, another victim was targeted by someone claiming to be ‘Chery Jenny Bryce’ a U.S. Army soldier. Communicating via WhatsApp (+1 920 939 9442), the scammer sought personal details and pressured the victim to pay fake parcel tracking fees.

This person is known to have lost £150 by paying a fake medical invoice, but it is thought over £400 was lost. This is recorded under Invoice Fraud.

Towards the end of the year there was a report of a £25,000 loss. While details were limited, it is believed the victim sent money to a male from Nigeria with the final payment sent in the hopes of the love interest coming to the island to marry.

These are text-based scams with the most popular being parcel delivery scams.

There were 110 concerns reported with losses totalling £2,390.

Criminals utilise trusted names and brands as well as using spoofed numbers to create an element of trust. Despite a large number of reports there have been comparatively low financial losses.

Vishing is like phishing but using the telephone. Typically, criminals are using publicly available information, including names and addresses to add legitimacy to their calls.

The variety of vishing scams we received this year is a worrying indicator of the success of vishing calls but as with smishing criminals are utilising trusted names and brands as well as using spoofed numbers to create an element of trust.

There were 56 concerns reported with losses totalling £391,674.

In one case, £66,100 was fraudulently removed from a bank account after an attacker impersonated a bank employee from NatWest Bank, claiming fraudulent activity had been detected.

The caller provided a URL for the bank, instructing the victim to log in and check the accounts. Upon accessing the site, a code was displayed, but it is unclear whether the employee shared it. During the interaction, the employee noticed AnyDesk, a remote access tool, displayed on the screen but does not recall downloading it.

The fraud was immediately reported to the bank, but the stolen funds had already been withdrawn.

To read the full report and for further advice click here.