UK Banks Failing To Protect Customers From ‘Spoofing’ Fraud, Says Study

December 5, 2022
A new study by UK consumer watchdog Which? has found that some banks are leaving customers vulnerable to "spoofing" fraud by failing to implement protections.

In an undercover investigation, Which? made calls to a test phone after impersonating the caller ID of the main phone numbers used by 14 UK bank account providers.

Which? said it focused on the numbers most useful to scammers, namely those printed on the back of debit cards and those listed as fraud helplines.

Although most calls could not be connected to the test phone, Which? successfully spoofed at least one phone number each belonging to HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money.

Spoofing is when a fraudster replaces his real caller ID with the phone number of his impersonation target, typically a bank, utility company or government agency.

The fraudster then calls the intended victim and tells them that their account has been compromised in order to create panic.

If the victim has doubts about the caller’s real identity, the fraudster will tell the victim to cross-check the caller ID with the phone number printed on the back of their card or on the bank’s website.

In a successful spoof, the numbers will match, giving the victim the false impression that they are talking to a bank employee.

How does spoofing take place?

It is not illegal to spoof a phone number. For example, a legitimate business may choose to modify the caller ID to display an official office number on outgoing calls, or leave an 0800 number for customers to call back.

However, spoofing is increasingly being abused by fraudsters and this has been made even easier by Voice over Internet Protocol (VoIP), the technology used to make calls over the internet.

Likewise, using legitimate business tools, fraudsters can also spoof the sender address on emails and SMS sender names, so that a message appears to be from a bank or another impersonation target.

The message from the spoofed number can even appear in the same thread as genuine messages, making it extremely difficult for consumers to spot.

As Which? points out, it is not yet possible to stop fraudsters manipulating caller IDs, but banks and other organisations can access a blacklist called the Do Not Originate (DNO) list.

Launched in 2019 by broadcast and telecom regulator Ofcom and UK Finance, the DNO list allows banks to stop their phone numbers from being spoofed by making them in-bound only.

The DNO list is then shared with telecoms providers, intermediaries and call-blocking or filtering services, which block calls from these numbers before they reach the intended recipient.

However, according to Which?, at least half a dozen banks have “failed to make full use of the DNO list, needlessly exposing their customers to additional risk”.

As noted by Which?, this is despite the fact that all of the major current account providers in the UK have previously said that they are signed up to the DNO list.

In response to its investigation, Which? received replies from all six banks whose numbers it succeeded in spoofing, and all six said that the numbers highlighted by Which? will be added to the DNO list.

Spoofing is used for a specific type of authorised push payment (APP) fraud involving bank impersonation.

In the first half of 2022, according to data from UK Finance, £60m was initially lost to APP fraud involving bank or police impersonation, with £42m returned to victims.

Highlighting proposals by the Payment Systems Regulator (PSR) to introduce mandatory reimbursement for APP fraud, Which? said such a move could be a “game changer” for victims and should be pursued as soon as possible.
