SOME banks have left customers vulnerable to fraudulent spoofing attempts by failing to implement important anti-fraud protections, an investigation has found.
Spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, is a common tactic used to deceive victims.
Scammers forge the name or number that comes up on an email, phone call or text so it appears to match that of a genuine firm.
Ofcom estimates that 40.8 million UK adults have received a suspicious call or text in the last three months.
Companies can sign up to regulator Ofcom’s ‘Do Not Originate’ (DNO) list, a shared resource with telecoms providers to help them identify and block calls from numbers that are most likely to be spoofed.
But the investigation by the consumer organisation Which found at least six major banks and building societies - including Scottish-based TSB have failed to make full use of the DNO list.
To test how effective banks were at protecting their customers, Which? made calls to a test phone, spoofing the prominent numbers of 14 current account providers.
Firms’ numbers were chosen if they were the ones printed on the back of debit cards or listed as fraud helplines on their websites.
At least one phone number from the Edinburgh-based bank as well as HSBC, Lloyds, Santander, Nationwide and Virgin Money was successfully spoofed, leaving customers of those firms potentially at risk.
A previous Which? survey among fraud victims found that of those who were initially approached by either phone or text, two-thirds (68%) said the incident involved number spoofing.
Ofcom recently strengthened its rules and guidance to require telephone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls, where technically feasible, making it harder for scammers to use spoofed numbers.
Rocio Concha, Which? director of policy and advocacy, said: “Number spoofing is a particularly malicious form of fraud used by scammers to deceive their victims – and our research shows some banks could potentially be leaving their customers at risk.”
TSB said that all relevant TSB numbers are now on Do Not Originate.
A spokesperson for trade association UK Finance said: “Protecting customers from fraud is a top priority for the finance industry which is why we are actively working with the regulator Ofcom to help crack down on number spoofing.
“This initiative prevents criminals impersonating banks by protecting bank inbound phone numbers from being used to make outbound calls and socially engineer or scam bank customers.
“It is important to remember that anyone can be caught out by these criminals and that you should always stay alert.
“To help stay safe, customers should always follow the advice of our Take Five to Stop Fraud campaign and question any uninvited call requesting their personal information or money in case it’s a scam.”
A HSBC spokesman said: “We are participants of the Do Not Originate scheme which provides additional protection, alongside numerous other measures, to help protect customers from scams and fraud.
“We regularly review the numbers we have registered with a view to additional entries where it is appropriate to do so. We are currently in the process of adding those two numbers to those already on the register.”
Lloyds Bank said: “Banks can’t solve the problem of number spoofing alone and telecoms firms need to speedily address the technical gaps in their systems that allow this type of fraud to happen, even with Do Not Originate lists in place.”
A Nationwide spokesman added: “Nationwide takes the protection of its members seriously and our contact numbers are on the Do Not Originate list – and therefore cannot be spoofed.
“However, it appears one of our numbers was inadvertently missed, for which we would like to thank Which? for bringing to our attention. We can confirm this is now being added to our list of protected numbers for future.”
A Santander spokesman said: “Thank you for bringing this to our attention.
“We have now requested that Ofcom adds this number to the DNO list. As part of the measures we take to protect customers against fraud, we aim to include all our inbound-only customer service phone numbers on the DNO list, which provides some protection against spoofing but is not 100% comprehensive.”
A Virgin Money spokesperson said: “Virgin Money currently has over 40 numbers registered for the Do Not Originate service and we continue to add numbers to this to ensure as much coverage as possible.
“The list is not a guarantee that spoofing won’t occur as not all providers use the list and technology constraints can mean that some calls get through, however, we will raise this with them and ensure that all the numbers you highlighted are registered.”
Read more by Martin Williams
. Ferguson Marine: Chairman of troubled Prestwick Airport takes helm
. Jim McColl: FM should have known about ferry crisis five years ago
. Scot Gov finds £33m to fund NHS wage rises as cost of living gap soars
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel