Which? is urging bank customers to watch out for fake text messages, after uncovering a new Barclays phishing website designed to steal online banking login details.
In this latest example of a fake bank website, fraudsters first sent texts that told recipients a fictional new payee 'R Davies' had been added to their account before inviting them to click a link if this wasn't authorised.
This led potential victims to a website that used images and wording copied from the real Barclays website, asking for login details including their membership number, card details and proof of identity.
At present, Which? is not aware of any customers entering their details on this fake site. Anyone who is concerned that they may have done so should contact the Barclays fraud department immediately.
Watch out for this fake Barclays text
The text below, shared by a keen-eyed Which? member, has been doing the rounds.
We've also shared a similar fake HSBC text that was spotted a few weeks ago and shared on our social channels to warn others.
The fake Barclays text includes a link to a website that wouldn't immediately arouse suspicion in the average person, particularly one who was distracted by the content of the message.
In this example - https://barclays.uk.detect-attempts.com/ - the real domain is detect-attempts.com, and the subdomain (barclays.uk) is being used to make it seem like a genuine Barclays site.
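The same check can be done in code. The sketch below is an added example, not part of the original Which? article: it pulls out the registrable domain of a link and flags cases where a brand name appears only in the subdomain. The trusted-domain list, the brand keyword and the short suffix list are assumptions made for illustration; a production check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}
# Assumption: domains the defender has verified as belonging to the bank.
TRUSTED_DOMAINS = {"barclays.co.uk", "barclays.com"}
BRAND_KEYWORDS = {"barclays"}


def hostname(url):
    """Lower-cased host of a link; links in texts often omit the scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """The part someone actually registered: one label plus its public suffix."""
    labels = hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    two = ".".join(labels[-2:])
    keep = 3 if two in MULTI_LABEL_SUFFIXES and len(labels) >= 3 else 2
    return ".".join(labels[-keep:])


def classify(url):
    """Return 'trusted', 'brand-in-subdomain' or 'untrusted'."""
    host, domain = hostname(url), registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Everything left of the registrable domain is chosen freely by its owner,
    # so a brand name there says nothing about who runs the site.
    sub = host[: -len(domain)].strip(".") if domain and host != domain else ""
    if any(k in label for label in sub.split(".") for k in BRAND_KEYWORDS):
        return "brand-in-subdomain"
    return "untrusted"


if __name__ == "__main__":
    # First link is the one quoted in the article; the others are constructed.
    for link in ("https://barclays.uk.detect-attempts.com/",
                 "https://www.barclays.co.uk/", "example.org/login"):
        print(f"{link:45} {registrable_domain(link):22} {classify(link)}")
```
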
According to Whois.net, the website in question was registered on 7 May 2020. By the time Which? came across this site on 11 May, most web browsers had already identified it as malicious - with the notable exception of Internet Explorer - although the website was still live.
We immediately reported detect-attempts.com to both Barclays and the domain registrar (Namesilo.com).
The site, shown below, has at the time of publishing still not been taken down.
Criminals bet on the fact that texts such as the one involved in this scam look familiar - many banks do send messages like this, asking customers to confirm transactions for security purposes.
Last year, Barclays told Which? it has a Group-level policy that bans the use of phone numbers and URLs in any customer alerts or notifications, which was introduced following our annual online banking security test.
So, if you receive a text with a link or a phone number claiming to be from Barclays, our advice is to report it, then delete it.
Which? believes that other customers should know exactly what to expect when they receive a genuine message from their bank to make spotting fakes that much easier.
If a criminal uses your details to make unauthorised payments, these should be refunded by your bank under the Payment Services Regulations - as long as you haven't acted fraudulently or with 'gross negligence' (a high bar that goes beyond ordinary carelessness).
Your bank, and any other firm holding your financial details, should make it clear what it will NEVER ask you to do.
If you receive a message and you're concerned there really is a problem, give the organisation a call using a number you trust, not the number on the email. You'll find your bank's number on the back of your card.
Here are some other tips: