Any phone number advertised to customers is also advertised to scammers, making it vulnerable to spoofing. Banks can protect their inbound numbers so that scammers can't copy them, but not all have done so, Which? Money reveals.
Number spoofing is a valuable tool for scammers: by manipulating caller ID to show a number that matches the one on the back of your debit card, for example, they stand a much better chance of convincing you to part with your life savings.
To help tackle this, Ofcom has worked with the banking industry body UK Finance to identify a list of 'do not originate' (DNO) numbers - in short, those that are never used for outbound calls.
But not every bank is making use of this scheme, making life far too easy for scammers.
Firms can submit their inbound-only numbers to the DNO database, which is shared with phone networks so they can block attempts to spoof those numbers before they reach you.
Numbers used for outbound calls to customers aren't eligible for DNO, so these can't be protected.
The majority of banks have since signed up, but Which? can reveal that The Co-operative Bank and Nationwide are notable exceptions (although both plan to join).
Update: The Co-operative Bank confirmed to Which? on 10 June 2021 that it has now signed up to the DNO scheme.
Banks can also shield their customers from spoof SMS text messages, thanks to the SMS SenderID Protection Registry, developed by the Mobile Ecosystem Forum (MEF).
Bank of Ireland UK, Barclays, Danske Bank, First Direct, HSBC, Lloyds Banking Group, Metro Bank, Nationwide, NatWest Group, Santander, Starling, and TSB are all members.
However, The Co-operative Bank is yet to sign up and has no plans to do so. AIB UK, Tesco Bank and Virgin Money told us they're in the process of signing up. Monzo didn't confirm its status to Which?.
Even if your bank is using these schemes, your phone network may not be signed up, which means spoofed calls and texts will get through to you regardless.
We asked Ofcom to confirm which phone networks are using the DNO list, but it told us this is classed as sensitive information.
MEF told us that the four main mobile networks (EE, Three, O2 and Vodafone) have signed up for the SMS Registry, but a small number of 'Tier 1 aggregators' (effectively the SMS providers that act as the link between your bank and your mobile network) are yet to join.
In April, Ofcom told BBC Radio 4's Money Box programme that despite the progress made to tackle number spoofing, 'there's no silver bullet that will solve the problem overnight'.
Which? agrees that, for now at least, it's safest not to trust caller ID.
It's often near impossible for customers to tell legitimate messages apart from a scam. It's vital that businesses do more to improve customer communications, and they must be clear about what they will and won't do.
As a minimum, we want businesses to protect their message headers and phone numbers through the SMS SenderID Protection Registry and DNO database.
We also want banks to stop including website links and phone numbers in text messages:
If other banks stopped including numbers and web links in messages - and clearly communicated this to customers - it would make phishing scams much easier to spot and help to build consumer trust in businesses.