Beware copycat bank websites on the hunt to scam you
Written by: Paloma Kubiak
Posted: 26/03/2024
Updated: 26/03/2024

More than 2,000 websites have been flagged as imitating legitimate banking pages in a bid to trick innocent customers out of their cash. Here’s how to protect yourself online.

As the appeal of digital banking grows, scammers continue to conjure up new ways to steal your data and your cash.

An investigation undertaken by consumer champion Which? revealed more than 2,000 websites that appear to imitate UK banks were reported in 2023 alone.

While banks attempt to get them taken down, the sites can stay live long enough to reel in unsuspecting victims.

Blocklists and browser warnings

Which? teamed up with DNS Research Federation (DNSRF), which carries out policy research on domain names and internet governance.

It consulted industry blocklists that include websites reported as hosting illegal content – you’d typically see a browser warning not to proceed to the site – and provided the firm with a list of major UK banking brands.

This included: AIB (Allied Irish Banks), Barclays, Bank of Scotland, The Co-operative Bank, Danske Bank, First Direct, HSBC, Halifax, Lloyds, Metro Bank, Monzo, Nationwide, NatWest, RBS, Santander, Starling, TSB, Ulster Bank and Virgin Money/Clydesdale.

DNSRF scoured a specialist phishing blocklist for sites reported in 2023 to find that the names of some of the brands were included somewhere in their web address, for example ‘helphsbc.net’.

The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling.

Which? said: “The majority of sites in the raw data look like blatant attempts to lead bank customers astray – mysantander-suspend-login.com and lloydsbanklnggroup.com, for example.”

DNSRF also checked another blocklist, run by Scamadviser.com, from 2023. In this case, it extracted data on URLs containing its specified bank brand names that had a ‘trust score’ of less than 50 out of 100. Again, more than 2,000 URLs were found containing the names of the specified brands. Copycats mimicked the same brands as in the phishing blocklist, with the addition of Clydesdale.

Across both blocklists, Santander and Barclays were the most common.
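
The brand-name matching described for both blocklists can be sketched as follows. This is an added example, not DNSRF's or Which?'s code; the record format, the allowlist of official hostnames and the `.example` entries are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Match tokens for the brands the article says were found on the blocklists.
BRANDS = ["barclays", "hsbc", "halifax", "lloyds", "monzo", "nationwide",
          "natwest", "santander", "starling", "clydesdale"]
# Assumption: allowlist of genuine hostnames; replace with a verified list.
OFFICIAL = {"hsbc.co.uk", "santander.co.uk", "lloydsbank.com"}

def hostname(entry):
    """Return the lowercase hostname from a bare domain or a full URL."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "//" + entry          # lets urlsplit parse a bare domain
    return (urlsplit(entry).hostname or "").rstrip(".")

def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def brands_in(host):
    squashed = host.replace("-", "")  # so 'nat-west' still matches 'natwest'
    return [b for b in BRANDS if b in squashed]

def scan(records, max_trust=50):
    """records: (entry, trust_score) pairs; trust_score None = phishing-list entry."""
    hits = []
    for entry, score in records:
        host = hostname(entry)
        if not host or is_official(host):
            continue
        if score is not None and score >= max_trust:
            continue                  # keep only trust scores below 50
        hits.extend((host, brand) for brand in brands_in(host))
    return hits

def tally(hits):
    return Counter(brand for _, brand in hits)

# First three entries are quoted in the article; the rest are constructed test cases.
SAMPLE = [
    ("helphsbc.net", None),
    ("https://mysantander-suspend-login.com/", None),
    ("lloydsbanklnggroup.com", None),
    ("www.hsbc.co.uk", None),
    ("http://barclays-secure.example/login", 12),
    ("http://starling-fans.example/", 83),
    ("weather.example", 5),
]

if __name__ == "__main__":
    for host, brand in scan(SAMPLE):
        print(f"{brand:10} {host}")
    print(tally(scan(SAMPLE)).most_common())
```

A plain substring match misses copycats that misspell the brand token itself and can flag unrelated sites that merely contain it, so hits need manual review.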

However, Which? said this data is “inexact and experimental” as “it’s impossible to view and check sites were genuinely fraudulent” as they were already taken down by web hosting companies or scammers themselves.

Further, some copycat sites may not be on blocklists, with Which? adding that under-reporting of fraud is “an enormous issue worldwide”.

Self-regulating industry

Another problem relates to the domains themselves, with names continuing to operate on a first-come, first-served basis. In the early days of the internet, domains were registered at pace, making it nearly impossible to check them all.

Which? explained: “To set up a copycat website, fraudsters need to use a domain registrar. To take one down, you need to contact a web hosting company. Many companies do both – and yet, at the time of writing, this industry continues to self-regulate.”

It added that the UK Government is currently consulting on powers to seize domains used for criminal purposes.

“One of the barriers to change has been the enormous complexity of the industry, which involves a plethora of domain registrars, resellers and hosting companies from the very large – such as GoDaddy – to the very small and obscure, many based outside the UK.

“We’ve seen examples of good practice, with scam sites swiftly taken down by hosting companies, and at the other end of the spectrum a total failure to respond to our reports,” the consumer champion added.

When it approached the big banks – Barclays, Lloyds, HSBC, NatWest and Santander – to ask them how they handle copycat websites, it was told that they employ tools to monitor for sites maliciously impersonating their brands. Take-down requests then follow where evidence is found.

How to protect yourself when banking online

The consumer champion lists these three steps to help you stay safe when going online to carry out banking tasks:

  1. Use trusted details: Avoid clicking on links or calling numbers contained in emails, texts and instant messages. Instead, go direct by finding the authentic phone number and website on your bank card or statement. Contact your bank to query any unusual requests.
  2. Don’t ignore warnings: Pay attention to warning screens on your browser. Antivirus software can also warn you about suspicious websites and scan downloads.
  3. Check a site’s birthday: You can use a domain lookup service such as Who.is to see when a site has been registered. A major bank wouldn’t have a website registered last month. These services will also show you an ‘abuse’ email address for reporting the rogue site to its hosting company. Scam sites can also be reported to the National Cyber Security Centre.

If you’ve been a victim of fraud, report it to Action Fraud (or call the police on 101 in Scotland).