Minerva Studio - stock.adobe.com

Rise in fraudsters spoofing the websites of leading UK banks

Despite safeguards to protect customers from scams, UK retail banks are still seeing high volumes of fake phishing websites exploiting their brands, and the problem seems to be increasing in scope and scale

Despite their best efforts to get on top of the problem, some of the UK’s biggest retail banks continue to find their brands being abused and spoofed by cyber criminal fraudsters and scammers, according to data compiled by BrandShield, a supplier of brand protection technology services.

BrandShield’s researchers set out to explore the breadth and depth of the issue, and found evidence that there has been a clear rise in the number of web domain registrations relating to leading UK banks since October 2022.

Some of this increased activity is likely linked to the cost-of-living crisis. As people become more aware of their finances and actively involved in their management, the opportunity for scammers and fraudsters to infiltrate the process has certainly grown.

During the exercise, the BrandShield team found more than 1,590 illegitimate web domains relating to some of the UK’s largest providers of consumer banking services – Barclays, HSBC and Lloyds.

BrandShield tracked 349 malicious domains spoofing Barclays properties during the observation period, with the most significant volumes coming in May 2023, with 54, and July 2023, with 85.

The team tracked 439 malicious domains linked to Lloyds branding, with significant volumes in February, March and May 2023, with 52 domains seen in all three months.

Likely due to its size and market visibility, HSBC was by some margin the most targeted bank, with 811 malicious domain registrations observed during the period. Significantly, the number of rogue websites that spoofed HSBC branding more than trebled between April and May 2023, when 147 malicious domains were observed. HSBC also saw significant spikes in malicious domain registrations in November 2022, with 93, June 2023, with 95, and July 2023, with 83.

“The goal was to look at what was going on – is there anything going on, who is more affected than others, and at what scale?” BrandShield CEO Yoav Keren told Computer Weekly.

“Overall, the number we’ve seen is significant. [But] this is not the only type of phishing out there – these are just domain names that impersonate the brand … which is very transparent.”

Keren said the research findings were concerning given the increased digitisation of consumer banking, and clearly highlighted that cyber criminals and fraudsters are awake to this.

Some of these websites will have been near-perfect replicas of the targeted banks’ websites. Others may appear at first glance to be a site linked to some kind of special offer from the bank that does not exist.

Many of the latter type may be linked to rogue accounts on social media platforms, which remain popular avenues for cyber criminals to reach out to ordinary people. Often, they will pretend to be from the bank’s own security team, warning that the customer’s account has been compromised and asking for account credentials – such as one-time passcodes often used to log in to mobile banking services – in order to fix the problem.

In all cases, said Keren, such websites may be becoming even more convincing thanks to the capabilities of generative artificial intelligence (AI).

Read more about online fraud

“We can’t say, as a fact, that cyber criminals are using AI,” he said. “But what we can say is that what we see, more and more, are better-looking, more sophisticated websites with fewer typos, clear usage of images and text at a higher level.

“It’s started happening more and more in the past year. Many of these scammers come from non-English speaking countries, [and] it’s not that suddenly their English has improved so much. Indications are that AI is a tool being used to improve.”

A problem for every brand

As a matter of course, banks such as Barclays, HSBC and Lloyds deploy technology that seeks out and takes down fake websites as fast as is practical, but the fact that hundreds are still surfacing should be of grave concern to all.

It’s not just large organisations, like the surveyed banks with millions of customers and billions of pounds worth of assets, that are at risk of this kind of malicious activity, said Keren. “You will definitely see smaller institutions that are targeted, in massive numbers,” he said.

“This is happening to everyone today, and to really avoid the damage, being proactive is extremely important. The damage is not only the fact that your users, customers, partners or employees fall for a scam or fraud and lose money, it’s a loss of trust”
Yoav Keren, BrandShield

“When we did a recent fundraising, I did a call with one of the investors who wanted to see a demo of our system. This is a small organisation – they manage a lot of money, but it’s not a big organisation. You wouldn’t expect them to have phishing websites, but we ran a scan and we found them,” said Keren.

“This is happening to everyone today, and to really avoid the damage, being proactive is extremely important. The damage is not only the fact that your users, customers, partners or employees fall for a scam or fraud and lose money, it’s a loss of trust. A customer that has been phished will probably not be your customer down the road. That’s something that damages the brand reputation.”

Keren urged security teams to consider brand protection and safeguarding against malicious spoofing activities as part of a holistic security practice that goes beyond defending the organisation’s perimeter.

In some ways, he said, brand spoofing should be a greater concern to CISOs than traditional cyber threats because many organisations have vastly improved their cyber security defences, leaving fewer options for criminality, whereas creating a phishing website is a relatively simple affair that doesn’t require an actual cyber attack, and will potentially generate a good return on investment for those behind it.

Guidance for customers

Computer Weekly reached out to the three banks surveyed during BrandShield’s exercise and received responses from all.

A Barclays spokesperson said its security systems typically stop thousands of fraud attempts every day, and the organisation invests millions of pounds every year to improve its defences still further.

It has also taken the lead in working to arm the public with information and tools to spot and stop fraud and scams, including spoof websites. This includes a partnership with Get Safe Online that enables people to check whether or not websites are legitimate, and communicates regularly with advice for customers on spotting dangerous websites.

In-person advice can also be sought through its Digital Eagles volunteer network, which frequently runs virtual events covering fraud and scams. Urgent security issues, meanwhile, are communicated through the Barclays mobile app and on official social channels.

An HSBC UK spokesperson said: “Protecting customers and their money is an absolute priority for us, so we continually monitor for malicious domain registrations, taking speedy and timely action alongside third parties to take down potentially malicious domains.”

HSBC customers can also keep abreast of current scam warnings and find cyber security advice via the bank’s online Fraud and Security Centre.

A Lloyds spokesperson told Computer Weekly that all the bank’s sites use HTTPS, which means it can guarantee that people access its properties via a connection that is using end-to-end encryption. This can be spotted in the address bar, evidenced by https at the start of the URL.

“The URL we use is consistent (lloydsbank.com) and visitors should carefully check URLs to make sure they are on a legitimate website – sometimes even just one letter can be different,” they said. “Best practice is to store your bank URLs as bookmarks or favourites in your browser and always use those stored links.”

Lloyds also shared some potential giveaways of a spoofed website that users can look out for:

  • No padlock icon displayed in the URL field.
  • Spelling mistakes.
  • Inconsistent design across web pages.
  • Inconsistent tone of voice.
  • Inconsistent fonts.
  • Inconsistent or strange brand logos, in low resolution.
  • Subsequent receipt of unexpected links over SMS or email that may appear to be from the bank.

Read more on Hackers and cybercrime prevention

Data Center
Data Management