Banks leaving customers vulnerable to spoofing scams

30th November 2022

Some banks may be leaving customers vulnerable to fraudulent spoofing attempts, according to an investigation by consumer group Which?

Spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, is a common tactic used to deceive victims. Ofcom estimates that 40.8 million UK adults have received a suspicious call or text in the last three months.

Scammers will forge the name or number that comes up on an email, phone call or text message so that it appears to match that of a genuine firm, making it very difficult for victims to realise that it is a fraudster. Which? has heard of victims losing life-changing sums of money as a result of spoofing. 

To make it harder for fraudsters to impersonate them, companies can sign up to regulator Ofcom’s ‘Do Not Originate’ (DNO) list, a resource shared with telecoms providers to help them identify and block calls from numbers that are most likely to be spoofed. The DNO list records telephone numbers that genuine firms or agencies use to receive calls but never to make them.

To test how effective banks were at protecting their customers, Which? made calls to a test phone, spoofing the prominent numbers of 14 current account providers. Numbers were chosen if they were printed on the back of debit cards or listed as fraud helplines on the firms’ websites.

The consumer champion found that at least six major banks and building societies have failed to make full use of the DNO list. At least one phone number from HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money was successfully spoofed, leaving customers of those firms potentially at risk. 

Such errors are particularly concerning given the high prevalence of spoofing attempts and the relatively low awareness of it among the wider public, meaning potential victims are more likely to engage with ostensibly familiar numbers. 

Which? research in September found that of 2,000 adults, four in ten (42%) said they had not heard of number spoofing scams. 

A separate survey from the consumer champion in June 2022, which covered 1,008 people who lost money to fraud in the past two years, found that of those who were initially approached by either phone or text, two thirds (68%) said the incident involved number spoofing. One in ten (9%) said they did not know or could not remember. 

The investigation comes as the Metropolitan Police last week contacted 70,000 scam victims by text message to inform them they had probably been targeted by fraudsters. The Met’s investigation, Operation Elaborate, focussed on a website that enabled fraudsters to make calls to consumers posing as their bank, tax office or other official agencies.

Ofcom has recently introduced new rules to fight fake number fraud, including making sure numbers meet the UK’s 10- or 11-digit format, blocking calls from numbers not found on the DNO list and identifying and blocking calls from abroad which spoof a UK caller ID.

The consumer champion believes it is encouraging to see the regulator crack down on this type of fraud, which continues to be endemic. The most recent figures from UK Finance found that £59.6m was lost to fraud involving impersonation of banks in the first half of 2022, with the sophistication of scams constantly evolving. 

However, with malicious spoofing predominantly used in authorised push payment (APP) scams, where victims unwittingly transfer money to bank accounts controlled by criminals, victims of APP fraud still face a battle to receive reimbursement. 

The latest figures from the Financial Ombudsman Service (FOS), where victims can take their case if their bank denies them reimbursement, reported a 20 per cent increase in the number of authorised scam complaints, with 9,370 in the last year. The FOS upheld verdicts in the victim’s favour in three quarters of cases, evidence that the current voluntary Contingent Reimbursement Model code, to which most major banks are signed up, is not working effectively.

The Payment Systems Regulator (PSR) has proposed to require all payment service providers sending payments over Faster Payments to fully reimburse APP scam victims in all but exceptional cases. Which? believes these new rules could be a game changer for APP fraud victims, leading to fairer and more consistent treatment, and should help incentivise payment providers to prevent fraud from happening in the first place.

In order for the PSR to implement these proposals, parliament must first pass the Financial Services and Markets Bill into law. Which? believes this Bill must be passed before next Spring’s King’s Speech.

Rocio Concha, Which? Director of Policy and Advocacy, said: “Number spoofing is a particularly malicious form of fraud used by scammers to deceive their victims – and our research shows some banks could potentially be leaving their customers at risk.”

“Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back.”

“Proposals by the PSR to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims – and help drive payment firms to do more to prevent fraud taking place.”