Jenny Ross: Who’s calling? It may not be who it seems

Don’t trust your phone – it can lie to you. Or more accurately, criminals can lie to you by manipulating your phone’s caller ID to make you think you’re speaking to someone else. If someone rings you from a withheld number claiming to be from your bank, you’re likely to be suspicious – and scammers know this. So to achieve a veneer of authenticity in their attempt to part you from your cash, they’ll make the number that appears on your screen match the one on your bank statement, or on the back of your debit card.

It’s a trick known as malicious number spoofing. Telecoms regulator Ofcom told us it doesn’t know how many maliciously spoofed calls there are in the UK each year. But at Which? we’ve seen a marked increase in reports of these types of scams in 2019, and we’re concerned about the scale of the problem and the amount victims are losing.

Impersonation scams like these resulted in losses of £56.3 million in 2018, according to banking association UK Finance. They typically involve a fraudster posing as a bank employee or police officer claiming that your account has been compromised. They’ll then try to persuade you to transfer your money to a ‘safe account’, which is anything but.

Sign up to our daily newsletter

UK Finance says that the criminal will often research their victim first, including using information gathered from other scams and data breaches in order to make their approach sound genuine.

Because the victim has knowingly transferred their money, these cases are known as ‘authorised push payment (APP)’ fraud. There had long been a gap in protection for people who’ve had money stolen in this way; Which? submitted a super-complaint calling for action in 2016. In 2018, losses from all types of APP fraud totalled £354.3m, of which just £82.6m was returned.

Fortunately, most major banks and building societies have now signed up to an industry code to compensate victims who’ve done nothing wrong. But it’s likely some victims of number spoofing will have their refund requests refused, in cases where the bank believes they were at fault.

How do criminals mimic a legitimate organisation’s number in the first place? Disturbingly, with very little effort. It simply involves making use of online software. The same goes for text messages. As part of a Which? Money investigation in 2017, we tested just how easy it was to send a fraudulent text in the name of a high street bank by using a number-spoofing website which advertised itself as being a way to prank your friends. This message even appeared as part of a thread of genuine messages from the customer’s bank.

Number spoofing does have legitimate uses. For example, a company could choose to display a freephone number on your caller display instead of the number it’s calling you from, so that if you need to ring back you won’t be charged.

But the technology is clearly being exploited. The good news is that action is being taken to tackle the problem. Earlier this year, Ofcom launched a scheme called ‘do not originate’, which is designed to protect the phone numbers of some of the most spoofed organisations such as banks, HMRC and insurers.

The scheme applies to numbers from which no outbound calls are ever made. So if a bank prints a customer service number on the back of its debit cards, but never actually dials customers from that number, it could enrol that number in ‘do not originate’. This would inform phone networks that no legitimate outbound calls are ever made from the number, and so calls appearing to be from this number should always be blocked.

‘Do not originate’ was first adopted by HMRC in April. Prior to the scheme’s introduction, criminals had repeatedly posed as the taxman, threatening victims with fines and jail terms if they failed to pay fictional tax bills.

HMRC told us the scheme has been hugely effective, with spoofed calls falling by 25 per cent in the first month, and a further 23 per cent by the second month.

It’s not a silver bullet – fraudsters can spoof numbers that are very close to those that are legitimate and protected. But HMRC’s results show that it’s making a big difference. So it’s concerning that the scheme hasn’t been fully adopted by the banking industry. Which? is calling on all banks to protect their numbers in this way by the end of the year.

While this will help to reduce the risk of people falling for impersonation scams, sadly it won’t deter criminals from trying. If you’re in any doubt about whether a call is genuine, the safest thing to do is put the phone down and ring the organisation using a number you’ve been able to verify independently – for example, by checking the contact details provided on a bill or letter. Any request for your personal or banking information should immediately set alarm bells ringing – your cue to ring off.

Jenny Ross is Editor of Which? Money