By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Is your bank protecting you from number spoofing scams?

Which? finds some banks are making life too easy for impersonation scammers
Chiara CavaglieriSenior researcher & writer

Any phone number advertised to customers is also advertised to scammers, making them vulnerable to spoofing. Banks can protect their inbound numbers so that scammers can't copy them, but not all have done so, Which? Money reveals.

Number spoofing is a valuable tool for scammers: by manipulating caller ID to show a number that matches the one on the back of your debit card, for example, they stand a much better chance of convincing you to part with your life savings.

To help tackle this, Ofcom has worked with the banking industry body UK Finance to identify a list of 'do not originate' (DNO) numbers - in short, those that are never used for outbound calls.

But not every bank is making use of this scheme, making life far too easy for scammers.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Tackling phone number spoofing

Firms can submit their inbound-only numbers to the DNO database, which is shared with phone networks so they can block attempts to spoof those numbers before they reach you.

Numbers used for outbound calls to customers aren't eligible for DNO, so these can't be protected.

HMRC was first to join the scheme in April 2019 and reported a sizeable reduction in spoof calls.

The majority of banks have since signed up but Which? can reveal that The Co-operative Bank and Nationwide are notable exceptions (although both plan to join).

Update: The Co-operative Bank confirmed to Which? on 10 June 2021 that it has now signed up to the DNO scheme.

What about fake text messages?

Banks can also shield their customers from spoof SMS text messages, thanks to the SMS SenderID Protection Registry, developed by the Mobile Ecosystem Forum (MEF).

Bank of Ireland UK, Barclays, Danske Bank, First Direct, HSBC, Lloyds Banking Group, Metro Bank, Nationwide, NatWest Group, Santander, Starling, and TSB are all members.

However, The Co-operative Bank is yet to sign up and has no plans to do so. AIB UK, Tesco Bank and Virgin Money told us they're in the process of signing up. Monzo didn't confirm its status to Which?.

Phone networks need to plug the gap

Even if your bank is using these schemes, your phone network may not be signed up, which means spoofed calls and texts will get through to you regardless.

We asked Ofcom to confirm which phone networks are using the DNO list, but it told us this is classed as sensitive information.

MEF told us that the four main mobile networks (EE, Three, O2 and Vodafone) have signed up for the SMS Registry, but a small number of 'Tier 1 aggregators' (effectively the SMS providers that act as the link between your bank and your mobile network) are yet to join.

In April, Ofcom told BBC Radio 4's Money Box programme that despite the progress made to tackle number spoofing, 'there's no silver bullet that will solve the problem overnight'.

Which? agrees that, for now at least, it's safest not to trust caller ID.

Banks must make it easier to spot scams

It's often near impossible for customers to tell legitimate messages apart from a scam. It's vital that businesses do more to improve customer communications, and they must be clear about what they will and won't do.

As a minimum, we want businesses to protect their message headers and phone numbers through the SMS SenderID Protection Registry and DNO database.

We also want banks to stop including website links and phone numbers in text messages:

  • Barclays and Danske Bank have already removed phone numbers and links in their SMS alerts.
  • Starling told us it doesn't include links in SMS alerts and that only one legacy message includes a phone number, which is being phased out.
  • TSB said its texts have no links and numbers are limited (although required for certain types of customer/product).
  • Tesco Bank said it includes phone numbers and hyperlinks in a small number of SMS messages sent to customers in financial difficulty, and these will never include links to bank login pages.

If other banks stopped including numbers and web links in messages - and clearly communicated this to customers - it would make phishing scams much easier to spot and help to build consumer trust in businesses.

First featured in June's Which? Money magazine

Each month we publish investigations, news and advice features covering all areas of money.

Magazine subscribers also get access to tailored 1:1 guidance from the Which? Money Helpline.

Join Which? Money today and take control of your finances.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


5.Stickee Technology Limited for the introduction of non-investment pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to arrange non-investment pet insurance products (FRN916665). Stickee Technology Ltd is authorised and regulated by the Financial Conduct Authority (FCA)  in England and Wales; 3rd floor, 1 Ashley Road, Altrincham, Cheshire, UK WA14 2DT Registered company number 06711740

 

Other financial services:


Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.