Which? claims that security failings at some of the UK's largest banks are leaving customers vulnerable to fraud.
The consumer champion's investigation centred around spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, to deceive victims into handing over their banking details.
Scammers will forge the name or number that comes up on an email, phone call or text message so that it appears to match that of a genuine firm, making it difficult for victims to realise that it is a fraudster.
To make it harder for fraudsters to impersonate them, companies can sign up to regulator Ofcom’s ‘Do Not Originate’ (DNO) list, a resource shared with telecoms providers to help them identify and block calls from numbers that are most likely to be spoofed. The DNO list records telephone numbers that genuine firms or agencies use to receive calls but never to make them.
To test how effective banks were at protecting their customers, Which? made calls to a test phone, spoofing the prominent numbers of 14 current account providers. The numbers chosen were those printed on the back of debit cards or listed as fraud helplines on the firms’ websites.
The consumer champion found that at least six major banks and building societies have failed to make full use of the DNO list. At least one phone number from HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money was successfully spoofed, leaving customers of those firms potentially at risk.
The investigation comes as the Metropolitan Police last week contacted 70,000 scam victims by text message to inform them they had probably been targeted by fraudsters. The Met’s investigation, Operation Elaborate, focussed on a website that enabled fraudsters to make calls to consumers posing as their bank, tax office or other official agencies.
Ofcom has recently introduced new rules to fight fake number fraud, including making sure numbers meet the UK’s 10- or 11-digit format, blocking calls from numbers not found on the DNO list and identifying and blocking calls from abroad which spoof a UK caller ID.
Rocio Concha, Which? director of policy and advocacy, says: “Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back.
“Proposals by the PSR to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims - and help drive payment firms to do more to prevent fraud taking place.”