
Three Spring Scams Fooling UK Teams Right Now, and the Simple Habits That Stop Them

April Fools’ Day comes and goes. The pranks and fake announcements disappear. Unfortunately, scammers don’t get the memo.

Spring is one of the most productive seasons for the people trying to con your business. Not because teams are careless, but because everyone’s busy, a little distracted and moving fast. That’s when the almost-believable stuff slips through, the kind that blends into a normal workday and doesn’t feel dangerous until it’s too late.

Here are three scams working on UK businesses right now. Not on gullible people, but on sharp, well-meaning employees who are just trying to get through their day.

As you read, ask one honest question: would everyone on your team pause long enough to catch each of these?

Scam 1: The “unpaid crossing” text

An employee gets a text:

“You have an unpaid Dartford Crossing charge of £3.50. Pay within 12 hours to avoid a £70 fine.”

It names something real: Dart Charge, the London ULEZ, the M6 Toll, the Mersey Gateway, whatever fits the part of the country they’re in. The amount is small enough not to set off alarm bells. They’re between meetings, they click, they pay and they move on.

Except the link wasn’t real.

Action Fraud and the NCSC have flagged a steep rise in this exact pattern over the past year. Researchers have identified thousands of lookalike domains built specifically to impersonate UK road-charging schemes, a level of infrastructure that tells you how profitable this scam has become. Some of these texts have even hit people who’ve never driven through a toll.

It works because £3.50 doesn’t feel risky, and most people genuinely have crossed a charge zone recently. The message feels completely plausible.

The habit that stops it: legitimate UK road-charging agencies don’t demand payment by text link. Sensible businesses make it a rule: no payments happen through text-message links, full stop. If something might be real, employees go directly to the official website (gov.uk/pay-dartford-crossing-charge, TfL, etc.) themselves. They never reply, not even “STOP”, because responding confirms the number is active and invites more.

Convenience is the bait. Process is the defence.

Scam 2: “Your file is ready”

This one blends perfectly into everyday work.

An employee receives an email saying a document has been shared with them. Usually it’s something ordinary: a contract in DocuSign, a spreadsheet in OneDrive, a file in SharePoint or Google Drive.

The sender’s name looks right. The formatting looks exactly like every other file-share notification they see.

They click. They’re prompted to log in. They enter their work credentials.

Now someone else has them. And if they used their work login, the attacker is inside your company’s Microsoft 365 or Google Workspace environment.

This type of attack has exploded. Phishing campaigns abusing trusted platforms like OneDrive, DocuSign, Google Drive and Salesforce rose sharply through 2025, and the trend is continuing. Notifications that piggyback on the platform’s own sharing tools are particularly dangerous because the email genuinely comes from Microsoft’s or Google’s real servers. Your spam filter doesn’t flag it, because technically it’s a legitimate notification.

Employees are much more likely to click a link from OneDrive or SharePoint than from a random email. The notification looks identical to the real thing because, in a sense, it is.

The habit that stops it: if a shared file wasn’t expected, employees are trained not to click the link in the email. Instead, they open a browser and log into the platform directly. If the file is genuine, it’ll be there. Businesses also reduce risk by restricting external file-sharing permissions and turning on alerts for unusual login activity. Your IT team can configure both in about fifteen minutes.

Boring habit. Very effective result.

Scam 3: The email that’s written too well

Remember when phishing emails were easy to spot? We were trained to look for broken grammar, strange formatting and obvious nonsense.

Those days are over.

AI-generated phishing emails are now many times more effective than the old human-written ones. The reason is simple: these emails don’t look like scams any more. They reference real company names, real job titles and real workflows, all scraped from LinkedIn and company websites in seconds.

The newer twist is departmental targeting. HR and payroll get fake employee-verification requests. Finance gets fake supplier bank-detail changes. Directors get fake urgent approvals. The messages are calm, professional, and urgent without being dramatic. They look like a normal Tuesday in your inbox.

The habit that stops it: any request involving credentials, payment changes or sensitive data gets verified through a second channel: a phone call, a chat message, or a walk down the corridor. Before clicking any link, employees hover over the sender’s email address to check the actual domain. And when an email creates urgency, the urgency itself is treated as the warning sign.

Real security doesn’t need to panic people into clicking.
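The "check the actual domain" habit from Scams 1 and 3, written as the kind of check a mail or helpdesk tool could run; this is an added example, not code from the original post. It assumes an allowlist the business maintains itself: `gov.uk` is the official site named above, `acme-ltd.example` is a placeholder for the company's own mail domain, and every sample link and sender is constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: gov.uk is the official site named in the article;
# acme-ltd.example is a placeholder for the company's own mail domain.
OFFICIAL_WEB_DOMAINS = ("gov.uk",)
TRUSTED_MAIL_DOMAINS = ("acme-ltd.example",)


def _matches(host, allowed):
    """True only if host IS an allowed domain or a subdomain of one.

    Requiring the "." boundary is what defeats lookalikes such as
    pay-acme-ltd.example, which merely ends with the trusted name.
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def link_is_official(url):
    """Judge the host the browser would connect to, not the visible text."""
    parts = urlsplit(url.strip())
    # urlsplit discards anything before "@" (userinfo), so a trusted name
    # placed there cannot pass as the host.
    if parts.scheme != "https" or not parts.hostname:
        return False
    return _matches(parts.hostname, OFFICIAL_WEB_DOMAINS)


def sender_is_trusted(from_header):
    """Ignore the display name; judge only the domain of the address."""
    _display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return False
    return _matches(address.rsplit("@", 1)[1], TRUSTED_MAIL_DOMAINS)


if __name__ == "__main__":
    # Constructed samples using reserved .example / .test names.
    for url in ("https://www.gov.uk/pay-dartford-crossing-charge",
                "https://gov.uk.pay-crossing.example/pay",
                "https://www.gov.uk@pay-crossing.example/"):
        print("official  " if link_is_official(url) else "NOT official", url)
    for sender in ("Jane Smith <jane.smith@acme-ltd.example>",
                   "Jane Smith <jane.smith@pay-acme-ltd.example>",
                   "Jane Smith <jane.smith@acme-ltd.example.payroll-update.test>"):
        print("trusted  " if sender_is_trusted(sender) else "NOT trusted", sender)
```

A failed check only means "go to the official site yourself or verify by a second channel"; a passed check does not make the request itself genuine.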

What this really comes down to

All of these scams rely on four things: familiarity, authority, timing, and the quiet assumption that “this will only take a second.”

That’s why the real risk isn’t a careless employee. It’s a business where the process assumes everyone will always slow down, double-check, and make the perfect call under pressure.

If one rushed click could derail your day, that isn’t a people problem. It’s a process problem.

Process problems are fixable.

Where we come in

Most business owners don’t want to turn this into another project, or become the person responsible for teaching everyone what not to click. They just want to know the business isn’t quietly exposed.

If you’re concerned about what your team might be dealing with, or you know another business owner who probably should be, get in touch. We’ll talk through:

  • The kinds of scams hitting UK businesses like yours right now
  • Where the gaps tend to be in day-to-day workflows
  • Practical ways to reduce exposure without slowing people down, from Cyber Essentials certification through to day-to-day managed IT support

No pressure, no scare tactics, just a chance to surface concerns and talk through options.

We work with UK SMBs across sectors, including accountants and financial firms where these scams hit particularly hard. For a real example of what the outcome looks like, read how we took Ennvee Financial Consultants through Cyber Essentials Plus to close exactly this kind of gap.

Call +44 345 1255400 or book a 15-minute discovery call.

If this isn’t for you, forward it to someone who’d appreciate the heads-up. Sometimes knowing what to look for is all it takes to turn a “would have clicked” into a “nice try”.