
Fighting Back: How I Turned the Tables on a Phishing Scammer

Today I had the pleasure of having some fun at a scammer’s expense. It started with a phishing email — someone impersonating a colleague, requesting their salary be redirected to a new bank account. The usual playbook. But instead of just reporting it and moving on, I decided to turn the tables.

The Setup

The email claimed to be from “Matt,” asking me to update his bank details for his next salary payment. Three things gave it away immediately: Matt sits about four metres from me and would just ask in person, he’d use his work email rather than a random Gmail address, and his English is considerably better than whatever this was.

Normally, this would go straight to the spam folder. But a close friend had recently lost thousands to fraudsters, and that was still fresh in my mind. So I thought: what if I could waste this person’s time the way they waste everyone else’s?

The Game

I replied enthusiastically, telling the “employee” I’d be happy to help — and oh, by the way, there was a £2,400 bonus due as well. Would they like that paid to the new account too? Of course they would.

When the fraudster provided a US bank account (for a UK salary — another red flag the size of a bedsheet), I explained that international transfers required a “processing fee” to be paid upfront. Small amount, standard procedure, happens all the time.

What followed was a week of increasingly desperate emails. The scammer begged, declared mental health issues, swore on various deities, and generally displayed a level of emotional manipulation that would be impressive if it weren’t so transparent. They even opened a Revolut account — which I promptly reported to Revolut’s fraud team.

The Serious Point

This is funny in the retelling, but the reality of business email compromise is anything but. These scams cost UK businesses millions every year. The technique — impersonating a colleague to redirect payments — is one of the most common forms of cyber fraud, and it works because it exploits trust and urgency.

As a software company, we take this seriously. Every system we build includes proper authentication, audit trails, and verification workflows. But technology is only half the battle. The human element — knowing what a phishing email looks like, having processes that require multi-person sign-off for financial changes, and fostering a culture where people feel comfortable questioning suspicious requests — is equally important.

What You Can Do

If you run a business, here are the basics:

  • Verify payment changes verbally. Always. No exceptions. If someone emails asking to change bank details, pick up the phone and call them on a number you already have.
  • Train your team. Not a once-a-year slideshow — regular, practical examples of what these scams look like.
  • Multi-person approval for any financial transaction above a threshold. No single person should be able to redirect a payment unilaterally.
  • Report it. Even if you don’t fall for it. Report to Action Fraud (actionfraud.police.uk) and the platform used. The more reports, the more likely these accounts get shut down.
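A first-line triage check for the red flags described above (a colleague's display name on an external webmail address, plus a request to change bank details), as an added example that is not part of the original post. The employee directory, corporate domain and list of payment phrases are assumptions; a real deployment would read them from the mail gateway or HR system.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed employee directory (lower-cased display name -> corporate mailbox).
DIRECTORY = {"matt": "matt@example.com"}
CORPORATE_DOMAINS = {"example.com"}
# Wording typical of payment-redirection requests (assumed list, not the post's).
PAYMENT_PHRASES = ("bank details", "new account", "salary", "payroll")

def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (handles multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def bec_indicators(raw_message: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    flags = []
    known = DIRECTORY.get(name.strip().lower())  # display name matches an employee?
    if known and known != address:
        flags.append(f"display name {name!r} is an employee but sender is {address}")
    if domain not in CORPORATE_DOMAINS:
        flags.append(f"sender domain {domain!r} is external")
    text = _body_text(msg).lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        flags.append("asks to change payment details: " + ", ".join(hits))
    return flags

# Constructed sample: the pattern from the post (colleague's name, webmail address).
SAMPLE = """\
From: Matt <matt.payroll2024@gmail.com>
To: finance@example.com
Subject: Salary account update
Content-Type: text/plain

Hi, please update my bank details before the next salary run.
The new account information is attached. Thanks, Matt
"""

if __name__ == "__main__":
    for flag in bec_indicators(SAMPLE):
        print("-", flag)
```

A message that raises any of these flags should be routed to the verbal check described above rather than actioned from the inbox.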

As for our scammer? Last I checked, they’re still waiting for their “bonus.” They can keep waiting.
