Which? is urging bank customers to watch out for fake text messages, after uncovering a new Barclays phishing website designed to steal online banking login details.
In this latest example of a fake bank website, fraudsters first sent texts that told recipients a fictional new payee ‘R Davies’ had been added to their account before inviting them to click a link if this wasn’t authorised.
This led potential victims to a website that used images and wording copied from the real Barclays website, asking for login details including their membership number, card details and proof of identity.
At present, Which? is not aware of any customers entering their details on this fake site. Anyone who is concerned that they may have done so should contact the Barclays fraud department immediately.
Watch out for this fake Barclays text
Phishing messages are designed to trick you into divulging sensitive personal and financial information, or infect your computer with malware, often by pretending to be from a source you trust, such as your bank.
The text below, shared by a keen-eyed Which? member, has been doing the rounds.
We’ve also shared a similar fake HSBC text that was spotted a few weeks ago and shared on our social channels to warn others.
A closer look at the fake Barclays site
The fake Barclays text includes a link to a website that wouldn’t immediately arouse suspicion in the average person, particularly one who was distracted by the content of the message.
However, as we explain in this news story about fake shopping sites, you should work backwards from the end of the full web address to identify the unique domain name.
In this example – https.//barclays.uk.detect-attempts.com/ – the real domain is detect-attempts.com, and the subdomain (barclays.uk) is being used to make it seem like a genuine Barclays site.
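The same "work backwards from the end" check can be automated. The sketch below is an added example, not part of the original Which? article: it extracts the registrable domain from a link and flags a bank name sitting on someone else's domain. The suffix list, the trusted domain barclays.co.uk and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked subset of the Public Suffix List, enough for
# the samples below. Real tooling should load the full, current list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}
# Assumption: the registrable domains the checker accepts as the bank's own.
TRUSTED_DOMAINS = {"barclays.co.uk"}
BRAND_WORDS = {"barclays"}


def hostname_of(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """Longest matching public suffix plus the one label to its left."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the host is itself a bare suffix such as "co.uk".
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def assess(url):
    """Classify a link: trusted, suspect (brand word on a foreign domain) or untrusted."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif any(word in host for word in BRAND_WORDS):
        verdict = "suspect"
    else:
        verdict = "untrusted"
    return {"host": host, "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    # First hostname is the one quoted in the article; the others are constructed.
    for link in ("barclays.uk.detect-attempts.com/",
                 "https://www.barclays.co.uk/",
                 "https://example.org/"):
        print(assess(link))
```

Because the comparison is made on the registrable domain rather than on the text at the start of the address, a bank name placed in a subdomain does not earn a "trusted" verdict.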
According to Whois.net, the website in question was registered on 7 May 2020. By the time Which? came across this site on 11 May, most web browsers had already identified it as malicious – with the notable exception of Internet Explorer – although the website was still live.
We immediately reported detect-attempts.com to both Barclays and the domain registrar (Namesilo.com).
The site, shown below, has at the time of publishing still not been taken down.
What are banks doing to protect customers from phishing?
Criminals bet on the fact that texts such as the one involved in this scam look familiar – many banks do send messages like this, asking customers to confirm transactions for security purposes.
Last year, Barclays told Which? it has a Group-level policy that bans the use of phone numbers and URLs in any customer alerts or notifications, which was introduced following our annual online banking security test.
So, if you receive a text with a link or a phone number claiming to be from Barclays, our advice is to report it, then delete it.
Which? believes that other customers should know exactly what to expect when they receive a genuine message from their bank to make spotting fakes that much easier.
If a criminal uses your details to make unauthorised payments, these should be refunded by your bank under the Payment Services Regulations – as long as you haven’t acted fraudulently or with ‘gross negligence’ (a high bar that goes beyond ordinary carelessness).
How to spot a bank scam
Your bank, and any other firm holding your financial details, should make it clear what it will NEVER ask you to do.
If you receive a message and you’re concerned there really is a problem, give the organisation a call using a number you trust, not the number on the email. You’ll find your bank’s number on the back of your card.
Here are some other tips:
- Check the wording of messages carefully. Does it address you impersonally or try to create a sense of panic? Both are common phishing tactics.
- Pay attention to the URL of any website. Is there a spelling error or an unexpected domain?
- Keep your browser and security software up to date, and run regular virus scans.
- Mark unwanted emails as junk rather than just deleting them, as this trains your spam filters to recognise them.
- Don't click links or download attachments from emails and texts. Type web addresses into the address bar of your browser manually instead.
- Don't rely on the caller display on your phone, as this can be spoofed, and never enter your card Pin into the keypad.
- Don't let someone access your computer, or other devices such as a phone or tablet, unless you know the caller and their intentions.
Which? has launched a free Scam Alert email service. Sign up to receive warnings and examples of scams straight to your inbox as we uncover them.