Which? asserts that security weaknesses at some of the largest banks in the UK are leaving customers vulnerable to fraud.
The consumer champion’s investigation focused on spoofing, a tactic where fraudsters impersonate legitimate companies—such as banks, utility providers, or government agencies—to trick victims into revealing their banking details. Scammers often manipulate the name or number displayed on emails, phone calls, or text messages, making it seem as though communication is coming from a credible source, which can mislead potential victims.
To combat this issue, companies have the option to enroll in Ofcom’s ‘Do Not Originate’ (DNO) list, a shared resource for telecom providers to help identify and block calls from frequently spoofed numbers. The DNO list documents telephone numbers used by legitimate firms or agencies, establishing that these numbers are only for receiving calls, not making them.
To assess how well banks protect their customers, Which? placed calls to test phones while spoofing the prominent numbers of 14 current account providers. The numbers chosen were those printed on debit cards or listed as fraud helplines on the firms’ websites.
The findings revealed that at least six major banks and building societies have not fully utilized the DNO list. Specifically, at least one number from HSBC, Lloyds, Santander, TSB, Nationwide, and Virgin Money was successfully spoofed, putting their customers at risk.
This investigation follows the Metropolitan Police’s recent outreach to 70,000 scam victims via text, warning them of potential fraud attempts. The Met’s operation, known as Operation Elaborate, centered on a website that allowed fraudsters to impersonate legitimate institutions during calls.
In response to the rising problem of fake number fraud, Ofcom has implemented new rules. These include ensuring that all numbers conform to the UK’s 10- or 11-digit format, blocking calls from numbers not on the DNO list, and identifying and blocking international calls that spoof a UK caller ID.
Rocio Concha, Which? director of policy and advocacy, commented: “Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and face challenges in recovering their losses. Proposals by the PSR to introduce mandatory reimbursement for APP fraud in almost all cases could significantly impact victims and encourage payment firms to take stronger actions against fraud.”