
Make your money go further
Find the best deals, avoid scams, and grow your savings with our expert guidance. From only £4.99 a month.
Join Which? Money. Cancel anytime.
Some banks are leaving their customers vulnerable to fraud attempts by failing to implement important protections, a Which? investigation has found.
Spoofing, where fraudsters impersonate legitimate companies, such as banks, utilities providers or government agencies, is a common tactic used to deceive victims.
There are measures banks can take to protect customers, but not all are using them adequately. Here, we explain how impersonation scams work and offer advice on how to stay safe.
The most common way of checking who’s calling you – the caller ID on your phone – drives many impersonation scams.
First the fraudster will call you, perhaps claiming your account has been compromised to create panic.
Next, they'll alleviate your doubts by telling you to check the phone number on the back of your card or listed on the bank’s official website. This will match the number they're calling from.
Unfortunately, it's not yet possible to stop fraudsters manipulating caller IDs, but banks and brands can access a blacklist called the 'do not originate' (DNO) list.
This blocks spoofing of specific phone numbers, but we've found that at least half a dozen banks have failed to make full use of the DNO list, needlessly exposing their customers to additional risk.
It is not illegal to spoof a phone number. For example, a legitimate business may choose to modify the caller ID to display an official office number on all outgoing calls, or leave an 0800 number for customers to call back.
But the same capability is being abused by fraudsters. Voice over Internet Protocol (VoIP), the technology used to make calls over the internet, has made spoofing a breeze.
A quick web search reveals dozens of freely available spoofing services, and criminals with some technical know-how may create their own tools.
Scammers can also spoof the sender address on emails and SMS sender names, so that a message appears to be from your bank or another company. It may even appear in the same thread as genuine messages, making it even harder to spot.
Ofcom and UK Finance set up the DNO database in 2019. They worked with telecoms companies, government agencies and other public-sector bodies to list their public telephone numbers. These are inbound-only – and never used to call customers.
The idea is that any outgoing calls appearing to originate from one of these inbound-only numbers must be spoofed. This list is then shared with telecoms providers, their intermediaries and call-blocking or filtering services, which block calls from these numbers before they reach the intended recipient.
All of the major current account providers have previously told Which? they are signed up to the DNO list.
We made calls to a test phone, spoofing the prominent numbers of 14 bank account providers. We focused on the numbers most useful to scammers – those printed on the back of debit cards and listed as fraud helplines.
While most calls couldn’t be connected, suggesting the DNO list is effective, we could successfully spoof at least one phone number belonging to HSBC, Lloyds, Santander, TSB, Nationwide and Virgin Money.
These phone numbers were not on the DNO list, making them an easy target for scammers.
Ofcom decides whether or not to add a number to the database. It told us it takes a range of factors into account when considering requests, such as whether the number is publicly available, and the degree of potential harm to those consumers.
But it confirmed that 'requests for numbers on the back of bank cards or on bank websites are expected to meet these criteria if submitted'.
When we reported our findings to the banks involved, they responded as follows:
Malicious spoofing is most keenly felt in authorised push payment (APP) scams, where criminals trick you into transferring money to an account they control.
UK Finance figures show £60m was lost to APP scams involving impersonation of banks in the first half of 2022. Imitating other organisations such as a utility company, communications service provider or government department netted fraudsters a further £31m.
In cases where fraudsters impersonate organisations through spoofing and other sophisticated tactics, we believe victims should be fully refunded unless the bank can prove they were unusually careless.
Rocio Concha, Which? director of policy and advocacy, says: 'Spoofing is all too common in APP fraud, where victims continue to lose potentially life-changing amounts of money and still face a battle to get their money back.
'Proposals by the regulator to introduce mandatory reimbursement for APP fraud in all but exceptional cases could be a game changer for victims and must become a reality as soon as possible.'
Although we want banks to add all of their customer-facing numbers to the DNO list, number spoofing is not a problem they can address alone.
Frustratingly, not every phone company even checks the DNO list at present. Even where providers are using the list, technical constraints mean that a small number of calls are still connected, due to the route the call takes across networks.
Furthermore, the DNO list can only ever stop a proportion of scam calls, because not all spoofing is done to impersonate another organisation.
Similar issues make it difficult to stop SMS spoofing. Businesses can protect their names via the 'SMS SenderID Protection Registry', run by The Mobile Ecosystem Forum (MEF), which blocks messages if the sender ID isn't authorised by the relevant brand.
However, not all SMS providers have signed up and several big brands are yet to join, including The Co-operative Bank, the Post Office and PayPal.
Fraudsters are also finding ways to bypass the registry, such as through intentional misspellings or by using spaces between letters. MEF works with mobile networks to investigate such instances, so do report scam texts and calls to your operator before deleting them.
It’s clear that telecoms providers need stronger anti-fraud systems in place.
Earlier this month, Ofcom announced that it is strengthening its rules and guidance to require all telephone networks involved in transmitting calls – either to mobiles or landlines – to identify and block spoofed calls, where technically feasible. These rules will come into force in May 2023.
The regulator said it expects firms to make sure a number is formatted correctly (meeting the UK’s 10- or 11-digit format); check the DNO list; and identify and block calls from abroad that are spoofing a UK caller ID.
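To show how a network might apply the three checks Ofcom describes, here is an added Python example (not Which?'s or Ofcom's code) that screens incoming caller IDs against a constructed DNO list; the sample numbers, the origin labels and the DNO entries are assumptions for illustration.

```python
import re
from typing import Optional, Set, Tuple

# Constructed, hypothetical inbound-only numbers standing in for DNO entries.
# The real list is maintained by Ofcom and UK Finance and is not public here.
DNO_LIST: Set[str] = {"03001234567", "08001234567"}


def normalise_uk_cli(raw: str) -> Optional[str]:
    """Return a UK caller ID in national 0-prefixed form, or None if it cannot be
    a correctly formatted UK number (the first of the three checks)."""
    digits = re.sub(r"[^\d+]", "", raw)          # drop spaces, dashes, brackets
    if digits.startswith("+44"):
        digits = "0" + digits[3:]                 # +44 3001234567 -> 03001234567
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    if not digits.isdigit() or not digits.startswith("0"):
        return None                               # not a national-format UK CLI
    if len(digits) not in (10, 11):
        return None                               # outside the UK 10/11-digit format
    return digits


def screen_call(cli: str, dno: Set[str], origin: str) -> Tuple[str, str]:
    """Apply the three checks from the page in order: number format, DNO list,
    and a UK caller ID presented on a call that entered from abroad.
    `origin` is a constructed label: "domestic" or "international"."""
    national = normalise_uk_cli(cli)
    if national is None:
        return ("block", "malformed caller ID")
    if national in dno:
        # Inbound-only numbers never make outgoing calls, so this must be spoofed.
        return ("block", "inbound-only number on DNO list")
    if origin == "international":
        # The page's rule as stated; real networks carve out exceptions
        # (e.g. roaming UK mobiles), which this illustration does not model.
        return ("block", "UK caller ID on a call originating abroad")
    return ("allow", "passed format, DNO and origin checks")


if __name__ == "__main__":
    # Constructed sample traffic: (presented caller ID, where the call entered the network)
    samples = [("+44 300 123 4567", "domestic"), ("0161 496 0000", "domestic"),
               ("0161 496 0000", "international"), ("12345", "domestic")]
    for cli, origin in samples:
        print(cli, origin, "->", screen_call(cli, DNO_LIST, origin))
```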
Its new guidance also sets out expectations for phone providers to run ‘Know Your Customer’ checks on businesses to prevent valid numbers being misused, and to report evidence of fraudulent or other criminal activity to law enforcement.
Which? welcomes Ofcom's proposals, as this will mean that the majority of consumers are protected against spoofing scams, though we want to see continued collaboration between Ofcom and smaller telecoms providers to ensure that the same protections are offered to all.
A version of this article originally appeared in December's Which? Money magazine.