Which? calls for government action on fake banking sites
Amid high volumes of spoofed, fraudulent banking websites, Which? is calling for the government to implement new legal obligations for domain registrars
Thousands of fraudulent websites that appear to be those of the UK’s largest retail banks – but are, of course, nothing of the kind – are being reported every year. More than 2,000 such copycats were seen in 2023, with Barclays and Santander the most frequently spoofed.
This is according to consumer watchdog Which?, which is calling for new legal duties to force domain registrars to do more to stop these remarkably persistent scams.
Which? worked alongside the DNS Research Federation (DNSRF), an Oxford-based non-profit that researches domain name and internet governance, to scour phishing blocklists for sites reported in 2023 that had the names of various bank brands in their URLs.
It found no shortage of such sites, affecting high street banks and building societies such as Barclays, HSCB, Halifax, Lloyds, Nationwide, NatWest and Santander, as well as online newcomers such as Monzo and Starling. The majority of these appeared to be phishing websites where users are duped into entering their online banking details.
The DNSRF also examined Scamadviser.com’s blocklist, extracting data on URLs containing the specified bank names that had a “trustscore” of less than 50 out of a possible 100. This proprietary metric is based on 40 different elements, including website ownership, whether contact details are hidden, where it is hosted, and so on. The researchers found more than 2,000 potentially dangerous URLs on this list.
Across both lists, the words Barclays and Santander appeared most frequently. Santander in particular has been one of the most frequently targeted brands for impersonation in recent years – indeed, in May 2023, it reported its own head of fraud was impersonated in a £60,000 theft from a customer.
“It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online”
Rocio Concha, Which?
The data obtained by Which? and the DNSRF is experimental and does not account for every copycat banking website that may have existed. Notably, TSB had to be excluded from the results as its name is a common string of letters that generated too many false positives. It has also not been possible to review and check if all the websites seen were actually fraudulent or, indeed, even impersonating the banks in question, as many of them have already been removed by web hosting companies or the scammers themselves.
However, said Rocio Concha, Which? director of policy and advocacy, it is likely that the 2,000 sites found are just the tip of the iceberg and that a great many others were missed. Many never appear on blocklists, and some are active for mere days or even hours before being pulled.
“It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online,” she said. “Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.”
Concha said the fact that domain registrars were able to self-regulate continued to put consumers at risk. Which? also found that many registrars vary in their approach to reports of scams – while some quickly remove offenders, others do not even respond to reports.
She urged domain registrars to take on more of the burden in the fight against online fraud. “With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites,” she said.
What the banks are doing
A spokesperson for Santander said: “Protecting our customers from fraud and scams is a key priority for everyone at Santander. We have a range of measures to keep customers safe, including sophisticated tools to detect and take down fake Santander websites.
“We know that in many cases these scams start with an SMS phishing text providing a fake link for customers to follow. We’re working with telecoms companies to prevent these at source and would urge customers to never click on links in a text or email purporting to be from their bank or another trusted organisation,” they said.
A Barclays spokesperson said: “The protection of our customers’ funds and data is our highest priority. We use a number of controls to detect and request that malicious websites are taken down via the domain registrar. We also invite customers to share details of any suspicious sites or pages via the reporting routes detailed on our website.
“Our security team works round the clock to keep customers safe and we offer a wide range of resources to help people spot fraudulent websites and scams. Customers should never disclose their debit card PIN, full telephone banking passcode, full online banking membership number or login details to anyone. If a customer thinks they have been a victim of fraud or notices a transaction on their account that they do not recognise, we encourage them to contact their bank immediately and report the case to the police through Action Fraud.”
An HSBC spokesperson said: “Protecting customers and their money online is an absolute priority for us, so we continually monitor for malicious domain registrations and hosting activity, taking any appropriate enforcement action in a timely manner.
“We would encourage all customers to visit our fraud and security centre on a regular basis, to keep up to date on the latest scams, warnings and advice.”
Liz Ziegler, fraud prevention director at Lloyds Bank, said: “We recognise the threat posed by fraudsters attempting to impersonate our brands. This problem isn’t unique to us – unfortunately, all major companies are targeted by organised crime groups.
“Protecting our customers from fraud is our priority, and we use the latest technology to actively search for fake websites, as well as responding to intelligence received from third parties. We take the appropriate steps to have fake websites removed, where necessary working with partners across law enforcement, the finance industry and tech sector.
“However, it’s important to understand that this process is complex, and the options available to us can be limited. This is why it is vital that tech firms do more to crack down on the criminals using their platforms to impersonate trusted brands.”
NatWest Group, which works with a specialist takedown service provider Netcraft to hunt copycat websites and with internet service providers to block bad domains on their networks, said that while in most cases it can’t act purely on the basis of a domain that contains its brand name – as some may be legitimate – it does carefully monitor any such sites and acts quickly if they show signs of malicious intent.
NatWest is also highly active in pushing for the takedown of scam crypto and investment sites targeting UK residents, which currently amounts to over 15,000 malicious websites every month.
Ordinary people are more aware of online fraud
Despite the continuing and frustrating game of whack-a-mole being played with scammers, Which? also found some more encouraging signs that awareness of scam websites is growing. When Which? polled 1,200 members of the Which? Connect panel in January, it found that only 2% thought they had ever entered their details on a fake site, with 3% unsure.
The vast majority of respondents were also comfortably able to identify some of the hallmarks of a scam website, such as strange or unofficial-looking web addresses, poor spelling and grammar – although only one in four were aware of the existence of domain lookup services such as who.is, which can also help identify such websites.
Which? did warn, however, that the growth in adoption of artificial intelligence (AI) text generators among cyber criminals may begin to reduce the number of glaring errors, making it harder for ordinary people to spot the fakes.
This article was updated at 12:25 BST on 26 March 2024 to incorporate a statement from Barclays.
The UK’s major banks have told the prime minister to force tech firms to do more to prevent fraud that the banks end up paying for.
A different approach to managing personal data across the web is possible - and it could minimise online fraud, boost e-commerce, and help make the web more secure. So why isn't the government doing it?
