Beware of scam emails impersonating Marks and Spencer

Sneaky messages claim to offer free products

Following the recent cyberattack on the company, M&S has been offering some customers an e-gift card as a goodwill gesture for the disruption. However, Which? is urging M&S customers to be cautious after reports of scam M&S emails circulating. 

In the past week, some M&S customers have received a £5 or £10 e-gift card. While these emails are genuine, scammers are also sending out phishing emails impersonating M&S, and it can be hard to know what to trust. 

Here, we take a look at the scam emails claiming to be from M&S and explain how you can spot a genuine email.


M&S cyberattack

In May, M&S experienced a cyberattack caused by a criminal group named 'DragonForce'.

The hackers accessed some customer data in the attack. M&S warned that this could include contact details, dates of birth and online order histories.

Speaking at the time of the cyberattack, M&S operations director, Jayne Wall, warned that while its customers didn't need to take action, they 'might receive emails, calls or texts claiming to be from M&S when they are not'.

The attack also impacted online orders and stock availability in stores. While M&S recently resumed a normal service, some products continue to be unavailable.

M&S gift card email

An email from M&S offering an e-gift card

As an apology for the disruption, last week M&S started sending some customers an email offering an e-gift card. 

The email says that the retailer is 'really sorry for cancelling your order in April', then goes on to offer an e-gift card to spend online.

In Northern Ireland, the gift card is only valid in-store as online orders in the region haven’t yet resumed.

The email ends by saying that there will be another email from M&S within the same day with the e-gift card.

Recipients of this email have taken to online forums to say that they’ve received vouchers worth £5 and £10, but are concerned that it could be a scam.

Which? contacted M&S and it confirmed that it has sent e-gift cards to some customers as a gesture of goodwill. The gift cards have been sent via email. It told us that these have been given to customers who either had their online order cancelled or experienced delays to their Click & Collect order as a result of the cyberattack.

M&S also told Which? that customers should check the email address that any communication claiming to be from M&S is sent from. If the email address ends in 'marksandspencer.com', they'll know it's legitimate.

Scam M&S emails

A scam email impersonating M&S

Scammers often use current events to make their schemes seem more plausible, and it can be incredibly hard to distinguish between a genuine email and a scam. 

One example Which? has seen is a scam email offering a 'free' M&S afternoon tea hamper in exchange for completing a few survey questions. Which? first warned about this email in February when we saw a spike in reports about this scam, but versions of it continue to circulate. 

M&S scam website


The email contains very similar branding to M&S and the link in the email led to a dodgy site that continued to impersonate M&S. Once on the website, you're prompted to complete a short survey to receive an afternoon tea hamper.

The scam website also included a countdown timer to pile on the pressure. Survey questions included asking about your shopping experience at M&S, and why you’re interested in receiving the free hamper. This is all information that the scammer can use to target you later down the line.

After completing the survey, you’re taken to a separate website that asks for your personal and payment information under the guise of sending you the hamper.

Spotting and reporting scam emails

Genuine M&S emails will be sent from email addresses ending in 'marksandspencer.com'. However, scammers can mask sender details and make it seem as though they are sending the email from a trusted address – this is known as spoofing. You should always be cautious when you receive an email you weren't expecting that asks you to click links, or confirm personal or financial details.

If you receive an email you’re not sure about, take these steps:

  • Look at the sender’s email address – scam emails are typically sent from random addresses comprised of a mix of numbers and letters. Brands might have their official email addresses listed on their websites, so make sure to check these out. You can find the sender’s email address by hovering your cursor over or right-clicking on the sender's name.
  • See if the greeting is impersonal, as most brands will address you by name.
  • Look out for blurry, pixelated and out-of-date branding. Beware of pressure tactics, such as a short deadline, to claim an offer.
  • Check the links in the email by hovering over where you’d expect to see one, such as where it says 'click here,' to see where the message leads.
  • Be suspicious of emails asking for your personal or financial details.
  • Watch out for poor spelling and grammar.
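
The sender and link checks above, written out as an added example (not from Which? or M&S). It goes slightly beyond the article by also reading the Authentication-Results header that the receiving mail provider adds, which is what exposes a spoofed 'marksandspencer.com' sender; the sample messages, the `rewards-marksandspencer.com` lookalike and the `.example` hosts are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAIN = "marksandspencer.com"  # the domain M&S gave Which?

def in_brand_domain(host):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def check_email(raw):
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Authentication-Results is written by the receiving mail server; only
    # trust the copy added by your own provider (assumed to be the case here).
    auth = msg.get("Authentication-Results", "").lower()
    links = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    return {
        "sender_in_brand_domain": in_brand_domain(sender_host),
        "dmarc_pass": bool(re.search(r"\bdmarc\s*=\s*pass\b", auth)),
        "off_brand_links": [u for u in links
                            if not in_brand_domain(urlparse(u).hostname)],
    }

def passes_checks(raw):
    r = check_email(raw)
    return (r["sender_in_brand_domain"] and r["dmarc_pass"]
            and not r["off_brand_links"])

# Constructed sample messages (not real emails).
SPOOFED = (  # forged From address: right domain, but authentication fails
    'From: "M&S" <noreply@marksandspencer.com>\n'
    "Authentication-Results: mx.mailbox.example; spf=fail; dmarc=fail\n"
    "\n"
    "Complete our survey: http://hamper-survey.example/claim\n"
)
LOOKALIKE = (  # authenticates fine, but for a domain that only resembles M&S
    'From: "M&S" <x7k2@rewards-marksandspencer.com>\n'
    "Authentication-Results: mx.mailbox.example; dmarc=pass\n"
    "\n"
    "Claim: https://www.marksandspencer.com.hamper-survey.example/start\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, check_email(raw))
```

Passing all three checks only removes the most common giveaways; an unexpected request for personal or payment details is still a reason to verify through your account instead of the email.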

If you receive an email from a brand you have an account with and you're not sure whether it's genuine, you should log in to your account using a website you've used before and know can be trusted. Or, you can use a website that you've independently searched for on a search engine. Once you've logged in, you should verify the information in the email before following any links from the email. You could also call the customer service number using details from its official website or a recent letter. 

Scam emails should be reported to report@phishing.gov.uk. All you need to do is forward the email – do not reply to it. Dodgy websites can be reported to the National Cyber Security Centre.

If you lose any money to a scam, call your bank immediately using the number on the back of your bank card. Also report it to Action Fraud, or call the police on 101 if you’re in Scotland.