Some banks are leaving customers vulnerable to fraudulent spoofing attempts by failing to implement important anti-fraud protections, a Which? investigation has found.
Spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, is a common tactic used to deceive victims. Ofcom estimates that 40.8 million UK adults have received a suspicious call or text in the last three months.
Scammers will forge the name or number that comes up on an email, phone call or text message so that it appears to match that of a genuine firm, making it very difficult for victims to realise that it is a fraudster. Which? has heard of victims losing life-changing sums of money as a result of spoofing.
To make it harder for fraudsters to impersonate them, companies can sign up to regulator Ofcom’s ‘Do Not Originate’ (DNO) list, a resource shared with telecoms providers to help them identify and block calls from numbers that are most likely to be spoofed. The DNO list records telephone numbers that genuine firms or agencies use to receive calls but never to make them.
To test how effective banks were at protecting their customers, Which? made calls to a test phone, spoofing the prominent numbers of 14 current account providers. The firms’ numbers were chosen if they were the ones printed on the back of debit cards or listed as fraud helplines on their websites.
The consumer champion found that at least six major banks and building societies have failed to make full use of the DNO list. At least one phone number from HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money was successfully spoofed, leaving customers of those firms potentially at risk.
Such errors are particularly concerning given the high prevalence of spoofing attempts and the relatively low awareness of it among the wider public, meaning potential victims are more likely to engage with ostensibly familiar numbers.
Which? research in September found that of 2,000 adults, four in ten (42%) said they had not heard of number spoofing scams.
A separate survey from the consumer champion in June 2022, which covered 1,008 people who lost money to fraud in the past two years, found that of those who were initially approached by either phone or text, two thirds (68%) said the incident involved number spoofing. One in ten (9%) said they did not know or could not remember.
The investigation comes as the Metropolitan Police last week contacted 70,000 scam victims by text message to inform them they had probably been targeted by fraudsters. The Met’s investigation, Operation Elaborate, focussed on a website that enabled fraudsters to make calls to consumers posing as their bank, tax office or other official agencies.
Ofcom has recently introduced new rules to fight fake number fraud, including making sure numbers meet the UK’s 10- or 11-digit format, blocking calls from numbers not found on the DNO list and identifying and blocking calls from abroad which spoof a UK caller ID.
The consumer champion believes it is encouraging to see the regulator crack down on this type of fraud, which continues to be endemic. The most recent figures from UK Finance found that £59.6m was lost to fraud involving impersonation of banks in the first half of 2022, with the sophistication of scams constantly evolving.
However, with malicious spoofing predominantly used in authorised push payment (APP) scams, where victims unwittingly transfer money to bank accounts controlled by criminals, victims of APP fraud still face a battle to receive reimbursement.
The latest figures from the Financial Ombudsman Service (FOS), where victims can take their case if their bank denies them reimbursement, show a 20 per cent increase in the number of authorised scam complaints, with 9,370 in the last year. The FOS found in the victim’s favour in three quarters of cases, evidence that the current voluntary Contingent Reimbursement Model code, to which most major banks are signed up, is not working effectively.
The Payment Systems Regulator (PSR) has proposed to require all payment service providers sending payments over Faster Payments to fully reimburse APP scam victims in all but exceptional cases. Which? believes these new rules could be a game changer for APP fraud victims, leading to fairer and more consistent treatment, and should help incentivise payment providers to prevent fraud from happening in the first place.
In order for the PSR to implement these proposals, parliament must first pass the Financial Services and Markets Bill into law. Which? believes this Bill must be passed before next Spring’s King’s Speech.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“Number spoofing is a particularly malicious form of fraud used by scammers to deceive their victims – and our research shows some banks could potentially be leaving their customers at risk.
“Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back.
“Proposals by the PSR to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims – and help drive payment firms to do more to prevent fraud taking place.”
Notes to Editors
- Members of the public that receive suspicious calls, texts or emails can send them to Which?’s Scam Alert Service to help raise awareness of fraudsters’ tactics.
- Which? surveyed 2,000 adults in the UK between 2nd and 6th September 2022. Fieldwork was carried out online by Opinium and data has been weighted to be representative of the UK population (aged 18+).
- In a separate survey, Which? surveyed 1,008 victims of fraud in the UK who had lost money to it in the last two years. Fieldwork was carried out online by Focaldata in May-June 2022 and data has been weighted by age and gender to be representative of victims of fraud using data from the ONS Crime Survey. In the survey, respondents were asked if they had been diagnosed with a mental health disorder and the analysis was carried out using the information provided by participants to this question.
Right of replies
A HSBC spokesperson said: ‘We are participants of the Do Not Originate scheme which provides additional protection, alongside numerous other measures, to help protect customers from scams and fraud. We regularly review the numbers we have registered with a view to additional entries where it is appropriate to do so. We are currently in the process of adding those two numbers to those already on the Register.’
A Lloyds spokesperson said: ‘Banks can’t solve the problem of number spoofing alone and telecoms firms need to speedily address the technical gaps in their systems that allow this type of fraud to happen, even with ‘Do Not Originate’ lists in place.’
A Nationwide spokesperson said: ‘Nationwide takes the protection of its members seriously and our contact numbers are on the Do Not Originate list – and therefore cannot be spoofed. However, it appears one of our numbers was inadvertently missed, for which we would like to thank Which? for bringing to our attention. We can confirm this is now being added to our list of protected numbers for future.’
A Santander spokesperson said: ‘Thank you for bringing this to our attention. We have now requested that Ofcom adds this number to the DNO list. As part of the measures we take to protect customers against fraud, we aim to include all our inbound-only customer service phone numbers on the DNO list, which provides some protection against spoofing but is not 100% comprehensive.’
A TSB spokesperson said: ‘TSB has 13 lines that can be called by customers that are already covered by DNO. We are considering the operational changes that will be required to include the three numbers.’
A Virgin Money spokesperson said: ‘Virgin Money currently has over 40 numbers registered for the Do Not Originate service and we continue to add numbers to this to ensure as much coverage as possible. The list is not a guarantee that spoofing won’t occur as not all providers use the list and technology constraints can mean that some calls get through, however we will raise this with them and ensure that all the numbers you highlighted are registered.’
Which? is the UK’s consumer champion. As an organisation we’re not for profit – a powerful force for good, here to make life simpler, fairer and safer for everyone. We’re the independent consumer voice that provides impartial advice, investigates, holds businesses to account and works with policymakers to make change happen. We fund our work mainly through member subscriptions. We’re not influenced by third parties – we never take advertising and we buy all the products that we test.