Banks have been urged to take firm action on spam calls and texts after research found several major high street lenders were yet to implement the UK regulator’s anti-fraud safeguard measures fully.
In an exercise, the consumer group Which? said it had spoofed the phone numbers of six major banks and building societies, allowing it to impersonate service providers at HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money.
Telecoms regulator Ofcom issued new rules and guidance to phone network operators in November as it attempted to clamp down on scam calls and texts. Banks have been able to register phone numbers on a block list since 2019.
Spoofing gives scammers the means to impersonate mainstream institutions, making it easier for them to exploit possible victims. The range of online services offering to mimic numbers has eased the process of committing widespread fraud.
“Spoofing is all too common in authorised push payment fraud, where victims continue to lose potentially life-changing amounts of money,” said Rocio Concha, Which? director of policy and advocacy. “Our research shows some banks could potentially be leaving their customers at risk.”
Which? selected numbers that were either printed on the back of debit cards or listed as fraud helplines on banks’ websites. It identified at least one phone number it was able to spoof for each of the banks mentioned.
The practice of “spoofing” involves scammers calling or texting from numbers which appear to be from banks, government departments and other trusted institutions. Its use has surged amid the growth of internet call handling services, which allow users to alter the way their phone number is displayed at a low cost.
Police and bank staff impersonation accounted for 10 per cent of all payment fraud in the first half of this year, according to UK Finance. This amounted to £59.6mn, lower than last year but markedly higher than the £34.7mn lost in the first half of 2020.
Ofcom and UK Finance, the banking industry body, set up a “Do Not Originate” (DNO) list three years ago to record phone numbers from institutions which are used for inbound numbers, often used by customers to flag suspicious activity on their card. Launched as a voluntary register, it generated a list of numbers which phone companies could then block as malicious if used for outbound purposes.
Under Ofcom’s most recent guidance, providers must ramp up “know your customer” checks on business customers and suspend numbers linked to fraud within the next six months. This strengthened provisions in place as not all phone providers have acted to apply the list since it launched three years ago.
This month, international law enforcement shut down a website used by scammers to impersonate several mainstream institutions. Action Fraud, the national reporting centre for fraud, said the iSpoof site was used to target more than 200,000 UK residents and to steal nearly £48mn.
iSpoof allowed scammers to pose as representatives of banks including several featured in the Which? Investigation. UK police have since arrested more than 100 people linked to the website on suspicion of fraud.
Responding to the findings, HSBC, Nationwide, Santander, TSB and Virgin Money said they were participants in Ofcom’s scheme and were taking steps to add the numbers spoofed by Which? to the DNO list.
Lloyds said: “Telecoms firms need to speedily address the technical gaps in their systems that allow this type of fraud to happen, even with ‘Do Not Originate’ lists in place.”