The consumer group says these banks are failing to implement anti-fraud protections which could leave their customers at risk to spoofing scams.

Spoofing is a type of scam where criminals impersonate legitimate companies, such as banks. The fraudsters forge the name or number that comes up on an email, phone call, or text message so it matches that of a genuine company.

This tricks the victim into thinking it is the legitimate company calling and the caller then usually encourages the recipient to part with personal or financial data.

Which? says it’s heard from victims who have lost life-changing sums of money through these scams.

In the last three months, 40.8 million UK adults have received a suspicious call or text message, according to Ofcom.

Companies can use Ofcom’s ‘Do Not Originate’ (DNO) list

To tackle the problem firms can sign up to the “Do Not Originate” (DNO) list from Ofcom.

It is a shared resource with telecoms providers which helps to identify and block calls from numbers that are likely to be spoofed. The list makes a record of telephone numbers used by genuine firms or agencies to receive calls but never make them.

To test which banks used the DNO list, Which? made calls to a test phone, spoofing the prominent numbers of 14 current account providers using numbers printed on the back of debit cards or listed as fraud helplines on their websites.

It found at least one phone number from HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money was successfully spoofed.

Four in ten have not heard about spoofing

Four in ten adults have not heard about spoofing, according to Which? research.

Of people who have lost money to fraud in the last two years, of those who were initially approached by either phone or text, two thirds (68%) said the incident involved number spoofing, according to Which?.

It comes as the Metropolitan Police last week contacted 70,000 scam victims by text message to inform them they had probably been targeted by fraudsters. A warning was also published this week ahead of the festive season as cases of identify fraud (ID) rise 18% in two years.

Spoofing is often used in authorised push payment scams

Malicious spoofing is largely used in authorised push payment (APP) scams. These scams occur when victims unwittingly transfer money to bank accounts controlled by criminals. Yet some victims are struggling to access refunds when they lose money through these scams.

There was a 20% rise to 9,370 in 2022 in the number of cases of victims approaching the Financial Ombudsman Service (FOS) for help, after being denied a reimbursement of lost money by their bank.

The Payment Systems Regulator (PSR) has proposed that all banks send payments over the “faster payments” system to fully reimburse APP scam victims in all but exceptional cases. Yet for this to happen parliament must first pass the Financial Services and Markets Bill into law.

Rocio Concha, Which? director of policy and advocacy, said: “Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back.

“Proposals by the PSR to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims – and help drive payment firms to do more to prevent fraud taking place.”

What did the banks say?

All of the banks mentioned were contacted by the group and these are the responses.

• A HSBC spokesperson said: “We are participants of the Do Not Originate scheme which provides additional protection, alongside numerous other measures, to help protect customers from scams and fraud. We regularly review the numbers we have registered with a view to additional entries where it is appropriate to do so. We are currently in the process of adding those two numbers to those already on the Register.”
• A Lloyds spokesperson said: “Banks can’t solve the problem of number spoofing alone and telecoms firms need to speedily address the technical gaps in their systems that allow this type of fraud to happen, even with ‘Do Not Originate’ lists in place.”
• A Nationwide spokesperson said: “Nationwide takes the protection of its members seriously and our contact numbers are on the Do Not Originate list – and therefore cannot be spoofed. However, it appears one of our numbers was inadvertently missed, for which we would like to thank Which? for bringing to our attention. We can confirm this is now being added to our list of protected numbers for future.”
• A Santander spokesperson said: “Thank you for bringing this to our attention. We have now requested that Ofcom adds this number to the DNO list. As part of the measures we take to protect customers against fraud, we aim to include all our inbound-only customer service phone numbers on the DNO list, which provides some protection against spoofing but is not 100% comprehensive.”
• A TSB spokesperson said: “TSB has 13 lines that can be called by customers that are already covered by DNO. We are considering the operational changes that will be required to include the three numbers.”
• A Virgin Money spokesperson said: “Virgin Money currently has over 40 numbers registered for the Do Not Originate service and we continue to add numbers to this to ensure as much coverage as possible. The list is not a guarantee that spoofing won’t occur as not all providers use the list and technology constraints can mean that some calls get through, however we will raise this with them and ensure that all the numbers you highlighted are registered.”