After decades working in IT, I really should have known better. I do the training. Every year, like everyone else, I click through the e-learning as quickly as I can, answer the quiz at the end, and move on to something else. I’ve even been that person who feels suitably smug when he spots the simulated phishing attempt and logs a support ticket, just in case. AKA a smart arse. A real joy to work with, I’m sure.
But this time, I slipped up. I was travelling back from Germany and needed to buy a CIV ticket for the UK leg of the journey – from St Pancras International to my local station. The ticket office at the station could only help with the outbound leg – and that was no use to me, because (to my eternal shame and against my environmental principles) I flew out. With Ryanair. For a short hop. I wanted to take the train both ways, but couldn’t justify the cost to my travelling companion. Even though the alternative was Ryanair.
With time running out, I tried Mark Smith, The Man in Seat 61, for advice. No luck. In a final attempt, I contacted Eurostar via X (formerly Twitter). I usually avoid X – because of Elon Musk – but I needed to get an answer quickly.
Spot the warning signs
I got a reply. From @EurostarUKcs – apparently the “Eurostar UK Support Line”. The odd capitalisation should have tipped me off. So should the fact they only had two followers and had been set up in May 2025. But I missed that. I followed them back. I sent them a Direct Message. They replied. This looked like help. And then they insisted on speaking by phone.
I was on a moving train so I explained that a call wasn’t ideal. But they called anyway, on WhatsApp, from a +245 number (Kenya). And that’s when it clicked. This was a scam.
Damage control
I hung up. Deleted the message history. Contacted Eurostar (the real one) just in case anyone tried to change my booking. Luckily, I hadn’t given away much more than the sort of information you might post in a public forum. But it was still more than I should have.
I got away lightly. There was no harm done, just a dented ego. But the whole episode was a timely reminder: it’s not just your mother-in-law who gets phished. It can happen to any of us – even the smug ones who think they know better.
Lessons learned
- Don’t assume every official-looking account on social media is legit – especially if it’s brand new and barely followed.
- Be wary of unsolicited calls – especially via WhatsApp or from unusual international numbers.
- Trust your gut – if something feels off, it probably is.
I share this not because I want sympathy, but because it’s important. If it can happen to me, it can happen to anyone. Stay alert.
Featured image: created by ChatGPT