Is it really your bank calling? How some banks are failing customers on fraud protection

Some banks are leaving their customers vulnerable to fraud attempts by failing to implement important protections, a Which? investigation has found. 

Spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, is a common tactic used to deceive victims.

There are measures banks can take to protect customers, but not all are using them adequately. Here, we explain how impersonation scams work and offer advice on how to stay safe.

What is number spoofing?

The most common way of checking who’s calling you – the caller ID on your phone – drives many impersonation scams. 

First the fraudster will call you, perhaps claiming your account has been compromised to create panic.

Next, they'll alleviate your doubts by telling you to check the phone number on the back of your card or listed on the bank’s official website. This will match the number they're calling from.

Unfortunately, it's not yet possible to stop fraudsters manipulating caller IDs, but banks and brands can access a blacklist called the 'do not originate' (DNO) list.

This blocks spoofing of specific phone numbers, but we've found that at least half a dozen banks have failed to make full use of the DNO list, needlessly exposing their customers to additional risk. 

How do scammers spoof numbers?

It is not illegal to spoof a phone number. For example, a legitimate business may choose to modify the caller ID to display an official office number on all outgoing calls, or leave an 0800 number for customers to call back. 

But this software is being abused by fraudsters. Voice over Internet Protocol (VoIP), the technology used to make calls over the internet, has made spoofing a breeze. 

A quick web search reveals dozens of freely available spoofing services, and criminals with some technical know-how may create their own tools.

Scammers can also spoof the sender address on emails and SMS sender names, so that a message appears to be from your bank or another company. It may even appear in the same thread as genuine messages, making it even harder to spot.

The banks we managed to spoof

Ofcom and UK Finance set up the DNO database in 2019. They worked with telecoms companies, government agencies and other public-sector bodies to list their public telephone numbers. These are inbound-only – and never used to call customers. 

The idea is that any outgoing calls appearing to originate from one of these inbound-only numbers must be spoofed. This list is then shared with telecoms providers, their intermediaries and call-blocking or filtering services, which block calls from these numbers before they reach the intended recipient. 

All of the major current account providers have previously told Which? they are signed up to the DNO list. 

We made calls to a test phone, spoofing the prominent numbers of 14 bank account providers. We focused on the numbers most useful to scammers – those printed on the back of debit cards and listed as fraud helplines.

While most calls couldn’t be connected, suggesting the DNO list is effective, we could successfully spoof at least one phone number belonging to HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money.

These phone numbers were not on the DNO list, making them an easy target for scammers. 


Why aren’t all numbers on the DNO list?

Ofcom decides whether or not to add a number to the database. It told us it takes a range of factors into account when considering requests, such as whether the number is publicly available and the degree of potential harm to consumers.

But it confirmed that 'requests for numbers on the back of bank cards or on bank websites are expected to meet these criteria if submitted'. 

When we reported our findings to the banks involved, they responded as follows:

  • Virgin Money said it has more than 40 numbers registered and will ensure the four numbers we highlighted are registered. 
  • TSB told us it has 13 telephone lines that are already covered by DNO and is ‘considering the operational changes that will be required to include the three numbers’ we identified.
  • HSBC said it is in the process of adding two debit card numbers to those already on the DNO list.
  • Both Nationwide and Santander had one number that could be spoofed. Nationwide said its debit card number was ‘inadvertently missed’ and thanked Which? for bringing it to attention. Santander has asked Ofcom to add its fraud helpline to the DNO list and ‘aims to include all inbound-only customer service phone numbers’. 
  • Lloyds told us that two of its fraud helplines were, until recently, being used for outbound calls, meaning they were not suitable for the DNO list. It has since requested that they are added.

How spoofing leads to fraud

Malicious spoofing is most keenly felt in authorised push payment (APP) scams, where criminals trick you into transferring money to an account they control. 

UK Finance figures show £60m was lost to APP scams involving impersonation of banks in the first half of 2022. Imitating other organisations such as a utility company, communications service provider or government department netted fraudsters a further £31m.

In cases where fraudsters impersonate organisations through spoofing and other sophisticated tactics, we believe victims should be fully refunded unless the bank can prove they were unusually careless.

Rocio Concha, Which? director of policy and advocacy, says: 'Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back. 

'Proposals by the regulator to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims and must become a reality as soon as possible.'

Don’t be conned by caller ID

  • Stop Scams 159: don’t give out sensitive information on an incoming call. Hang up, wait for five minutes and either call the firm on a trusted number (such as on their website) or dial 159. This will connect you to your bank’s fraud team, under a scheme most banks have signed up to. 
  • Services to block calls: check to see if your landline provider offers call blocking. BT has Call Protect, Sky has Talk Shield and TalkTalk offers Call Safe, all of which allow you to screen unrecognised numbers and block unwanted callers.
  • Smartphone call blocking: iPhones and Android phones offer call blocking, spam protection and caller ID verification. These services aren’t perfect, and third-party apps are also available.
  • Call-blocking phones: a trueCall device plugs into your existing phone, or you could opt for a call-blocking phone. Both let calls from contacts through, but ask other callers to leave a message. The phones reviewed here, plus trueCall, are rated highest by Which?. 

No easy way to end number spoofing

Although we want banks to add all of their customer-facing numbers to the DNO list, number spoofing is not a problem they can address alone. 

Frustratingly, not every phone company even checks the DNO list at present. Even where providers are using the list, technical constraints mean that a small number of calls are still connected, due to the route the call takes across networks.

Furthermore, the DNO list can only ever stop a proportion of scam calls, because not all spoofing is done to impersonate another organisation.

Similar issues make it difficult to stop SMS spoofing. Businesses can protect their names via the 'SMS SenderID Protection Registry', run by The Mobile Ecosystem Forum (MEF), which blocks messages if the sender ID isn't authorised by the relevant brand.

However, not all SMS providers have signed up and several big brands are yet to join, including The Co-operative Bank, the Post Office and PayPal. 

Fraudsters are also finding ways to bypass the registry, such as through intentional misspellings or by using spaces between letters. MEF works with mobile networks to investigate such instances, so do report scam texts and calls to your operator before deleting them.

Regulator to impose stricter rules on networks

It’s clear that telecoms providers need stronger anti-fraud systems in place. 

Earlier this month, Ofcom announced that it is strengthening its rules and guidance to require all telephone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls, where technically feasible. These rules will come into force in May 2023. 

The regulator said it expects firms to make sure a number is formatted correctly (meeting the UK’s 10 or 11-digit format); check the DNO list; and identify and block calls from abroad that are spoofing a UK caller ID. 
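To make the three checks concrete (number format, DNO membership, and a UK caller ID arriving from abroad), here is an added, simplified call-screening filter of the kind a network or call-blocking service could apply. It is illustrative code written for this article, not Ofcom's or any operator's implementation; the DNO entries and call records are constructed placeholders, and the international-origin rule is applied without the exceptions a real network would need.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed DNO entries (placeholders, not real bank numbers): inbound-only
# numbers that should never appear as the caller ID of an outgoing call.
DNO_LIST = {"03001230000", "08001110000"}

# UK national format: leading 0 followed by 9 or 10 digits (10 or 11 in total).
UK_CLI_RE = re.compile(r"^0\d{9,10}$")


@dataclass
class Call:
    caller_id: str   # caller ID as presented, possibly with spaces or +44
    origin: str      # "domestic" or "international": where the call entered the network


def normalise_cli(raw: str) -> str:
    """Strip spacing/punctuation and convert +44 / 0044 prefixes to UK national format."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    return digits


def screen_call(call: Call, dno=DNO_LIST) -> Tuple[bool, str]:
    """Return (allowed, reason) after applying the three checks in order."""
    cli = normalise_cli(call.caller_id)
    # 1. Malformed caller IDs are rejected before any further lookup.
    if not UK_CLI_RE.match(cli):
        return False, "malformed caller ID"
    # 2. Inbound-only numbers on the DNO list can only be spoofed when outbound.
    if cli in dno:
        return False, "caller ID is inbound-only (DNO list)"
    # 3. A UK caller ID on a call entering from abroad is treated as spoofed
    #    (simplified: a real filter needs exceptions, which this example omits).
    if call.origin == "international":
        return False, "UK caller ID presented on call entering from abroad"
    return True, "passed"
```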

Its new guidance also sets out expectations for phone providers to run ‘Know Your Customer’ checks on businesses to prevent valid numbers being misused, and to report evidence of fraudulent or other criminal activity to law enforcement. 

Which? welcomes Ofcom's proposals, as this will mean that the majority of consumers are protected against spoofing scams, though we want to see continued collaboration between Ofcom and smaller telecoms providers to ensure that the same protections are offered to all.

A version of this article originally appeared in December's Which? Money magazine.


source https://www.which.co.uk/news/article/is-it-really-your-bank-calling-how-some-banks-are-failing-customers-on-fraud-protection-aY6Xq2T6722o