We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Is your bank protecting you from number spoofing scams?

Which? finds some banks are making life too easy for impersonation scammers

Is your bank protecting you from number spoofing scams?

Any phone number advertised to customers is also advertised to scammers, making them vulnerable to spoofing. Banks can protect their inbound numbers so that scammers can’t copy them, but not all have done so, Which? Money reveals. 

Number spoofing is a valuable tool for scammers: by manipulating caller ID to show a number that matches the one on the back of your debit card, for example, they stand a much better chance of convincing you to part with your life savings.

To help tackle this, Ofcom has worked with the banking industry body UK Finance to identify a list of ‘do not originate’ (DNO) numbers – in short, those that are never used for outbound calls.

But not every bank is making use of this scheme, making life far too easy for scammers.


Tackling phone number spoofing

Firms can submit their inbound-only numbers to the DNO database, which is shared with phone networks so they can block attempts to spoof those numbers before they reach you.

Numbers used for outbound calls to customers aren’t eligible for DNO, so these can’t be protected.

HMRC was first to join the scheme in April 2019 and reported a sizeable reduction in spoof calls.

The majority of banks have since signed up but Which? can reveal that The Co-operative Bank and Nationwide are notable exceptions (although both plan to join).

Update: The Co-operative Bank confirmed to Which? on 10 June 2021 that it has now signed up to the DNO scheme.

What about fake text messages?

Banks can also shield their customers from spoof SMS text messages, thanks to the SMS SenderID Protection Registry, developed by the Mobile Ecosystem Forum (MEF).

Bank of Ireland UK, Barclays, Danske Bank, First Direct, HSBC, Lloyds Banking Group, Metro Bank, Nationwide, NatWest Group, Santander, Starling, and TSB are all members.

However, The Co-operative Bank is yet to sign up and has no plans to do so. AIB UK, Tesco Bank and Virgin Money told us they’re in the process of signing up. Monzo didn’t confirm its status to Which?.

Phone networks need to plug the gap

Even if your bank is using these schemes, your phone network may not be signed up, which means spoofed calls and texts will get through to you regardless.

We asked Ofcom to confirm which phone networks are using the DNO list, but it told us this is classed as sensitive information.

MEF told us that the four main mobile networks (EE, Three, O2 and Vodafone) have signed up for the SMS Registry, but a small number of ‘Tier 1 aggregators’ (effectively the SMS providers that act as the link between your bank and your mobile network) are yet to join.

In April, Ofcom told BBC Radio 4’s Money Box programme that despite the progress made to tackle number spoofing, ‘there’s no silver bullet that will solve the problem overnight’.

Which? agrees that, for now at least, it’s safest not to trust caller ID.

Banks must make it easier to spot scams

It’s often near impossible for customers to tell legitimate messages apart from a scam. It’s vital that businesses do more to improve customer communications, and they must be clear about what they will and won’t do.

As a minimum, we want businesses to protect their message headers and phone numbers through the SMS SenderID Protection Registry and DNO database.

We also want banks to stop including website links and phone numbers in text messages:

  • Barclays and Danske Bank have already removed phone numbers and links in their SMS alerts.
  • Starling told us it doesn’t include links in SMS alerts and that only one legacy message includes a phone number, which is being phased out.
  • TSB said its texts have no links and numbers are limited (although required for certain types of customer/product).
  • Tesco Bank said it includes phone numbers and hyperlinks in a small number of SMS messages sent to customers in financial difficulty, and these will never include links to bank login pages.

If other banks stopped including numbers and web links in messages – and clearly communicated this to customers – it would make phishing scams much easier to spot and help to build consumer trust in businesses.

First featured in June’s Which? Money magazine

Each month we publish investigations, news and advice features covering all areas of money.

Magazine subscribers also get access to tailored 1:1 guidance from the Which? Money Helpline.

Join Which? Money today and take control of your finances.

Back to top
Back to top