Security failings at the largest British banks are leaving customers vulnerable to spoofing fraud, in which imposters impersonate legitimate companies.
To test how effectively banks are protecting their customers, the consumers’ association Which? made test phone calls imitating prominent phone numbers of 14 current account providers. At least one phone number from six major UK banks was successfully spoofed.
Spoofing is a dangerous kind of scam because fraudsters meticulously forge the name or number that appears on an email, phone call or text message, so that it looks like a legitimate bank communication. Victims often don’t realise that they are dealing with a fraudster and hand over their banking details.
Organisations can sign up to regulator Ofcom’s ‘Do Not Originate’ (DNO) list to make impersonation difficult. The DNO list records telephone numbers that genuine firms or agencies use to receive calls but never to make them. This shared resource exchanges information with telecom providers, so they can more easily identify and block calls from numbers that are most likely to be spoofed.
In addition, Ofcom has introduced new rules, ensuring numbers meet the UK’s 10- or 11-digit format, blocking calls from numbers not found on the DNO list and calls from abroad that spoof a UK caller ID.
However, the Which? investigation revealed that at least one phone number from HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money could be successfully spoofed.
Bank spoofing in action
Just a week ago, London’s Metropolitan Police Service shut down the fraud website iSpoof, arresting over 100 UK citizens in connection with the case. The police contacted 70,000 potential scam victims who had probably been targeted by fraudsters.
As many as 20 people every minute were being contacted by the scammers, who paid in Bitcoin to disguise their phone numbers and impersonated major banks including Barclays, HSBC, and Lloyds. iSpoof earned as much as £3.2 million ($3.9 million) from the scheme over the 20-month period.
Rocio Concha, Which? director of policy and advocacy, noted that PSR proposals to introduce mandatory reimbursement for APP fraud can help drive payment firms to do more to prevent fraud.