Fraudsters are able to send ‘spoofed’ bank texts with incredible ease, a Which? Money investigation has found – with many landing in previously legitimate message threads due to a quirk of smartphone technology.
Text spoofing scams – where fraudulent messages bear the name of a bank or other genuine business – are increasingly prominent. A spate of high-profile cases in recent years has seen bank customers tricked out of £1,000s.
The texts are particularly effective at duping customers because of the way smartphones group messages which claim to come from the same source.
So if you already have genuine texts from Barclays on your phone and a fraudster sends a message using the short name ‘Barclays’, your phone will file it under the legitimate ones, making the deception harder to spot.
Victims of such scams are often devastated to learn they won’t get their money back, as by providing their online banking information to the impostor, they are said to have authorised the payment. In May this year, Action Fraud warned about the latest round of text message scams duping people with credit cards.
We set out to infiltrate a message thread and prove how easy it is for fraudsters to abuse the technology.
- The full version of this investigation appeared first in the November issue of Which? Money magazine.
Banks and credit card firms sometimes text you to let you know about new products or offers, or to check whether you’ve carried out a particular transaction.
To make sure these texts come from a company name rather than a number, organisations use text ‘gateways’, which allow them to send thousands or even millions of messages at a time using a computer, for less than a penny a text.
Most texts sent this way are legitimate, and the providers of those services do attempt to check use is lawful. Unfortunately, fraudsters are making good use of this technology, too.
How we managed to scam by text message
We teamed up with ethical hacker and Trading Standards ‘scambassador’ Scott McGready. Mr McGready has set up his own spoofing gateway, which he uses to educate the public about the risk of scams.
We wrote a message mimicking a typical fraudulent text: it claimed to be from a major bank, building society or card firm, stated that the recipient’s account had been suspended and asked them to click on a link to unlock it.
The link we included was benign and led to a blank webpage – but in a real scam it could contain software that harms your phone, or lead you to a convincing mock-up of your bank’s online login page, which tricks you into giving away your details.
The texts were sent in the names of more than a dozen financial firms and all of them arrived on our test phones, with some appearing in existing threads.
Independently of our work with an ethical hacker, we were also able to send a fraudulent text with the short name of a high street bank by using a number-spoofing website, which advertises itself as being a way to prank your friends. This also arrived in a legitimate message thread.
Many of these sites are freely available on the web.
Thousands lost from ‘spoofed’ bank messages
The true scale of the problem isn’t known as none of the bodies involved in preventing this type of crime collect data specifically on text spoofing.
However, the Financial Ombudsman Service (FOS) has heard several complaints related to this in recent months, including the case of ‘Mrs P’, who ‘received a text message asking whether certain payments from her account were genuine. The text had been “spoofed” to show it as coming from Santander. She called the number [contained within the text] as she did not recognise the payments given.’ Mrs P was then duped into telling the fraudsters her passcode, which they used to access her accounts and transfer £18,000 to another bank.
Sadly for Mrs P, the FOS ruled that Santander need not refund her as it hadn’t been responsible for the fraud.
The story closely mirrors that of one Which? member, who we have chosen not to name to protect her privacy. Earlier this year, she too received a text purporting to be a security check from her bank.
She rang the number within the message and was tricked into generating and handing over a one-time passcode which allowed fraudsters to ransack her account. In total £20,000 was taken and her request for the bank to refund it is now being considered by the FOS.
Can spoofing be stopped?
In February 2016 a new taskforce was announced to tackle fraud, encompassing the government, the police, and the legal and banking sectors. One of its main aims is tackling ‘systematic vulnerabilities’ and ‘weak links’ in processes, which fraudsters can exploit.
Eighteen months on, Which? wants to know what action it will urgently take to safeguard consumers from scams.
As it stands, banks say they can’t prevent scammers using technology to impersonate them, as they don’t control the gateways through which spoofed texts are sent – while Mobile UK (which represents mobile networks) says it’s ‘not possible to distinguish spoofed from genuine texts ex ante [before they’re delivered].’
However, Scott McGready believes he’s devised a possible solution, which verifies banking texts at the receiving end and would ‘mark genuine messages as such and, more importantly in my opinion, mark spoof and fake messages as illegitimate – or just not display them at all.’
Whether this solution, or something like it, will eventually be adopted by the financial services industry, remains to be seen.
How to protect yourself from text message scams
- Never assume a text from a company is genuine. Even if it’s in a previously legitimate thread, it could still be a scam.
- Don’t click on any links or call any numbers contained within a text message – look up the organisation’s details independently and contact it to verify the message.
- A genuine bank will never contact you asking for your PIN or full password, or to move money to a ‘safe account’.
- Avoid giving out your number on publicly available websites or social media profiles.
- Don’t respond to or text ‘STOP’ to a message if you’re not sure it’s genuine; if it’s a scam, doing so could confirm to the fraudster(s) that your line is ‘live’.
- Spam and suspicious texts can be reported to your network by forwarding them to 7726 and to the regulator by filling in a form at ico.org.uk.
- If you’re conned out of money or tricked into giving away your personal details, contact your bank immediately and report it to Action Fraud at actionfraud.police.uk.
- If you’re scammed, you may not get your money back – the rules on this are complex.