2,000 Reported in 2023 Alone:
Experts Warning of Scammers Imitating Banking Websites

Copycat websites are fooling consumers into handing over sensitive financial information, which scammers then collect and exploit.

Scammers are using copycat websites to imitate UK banks and harvest customers’ sensitive financial information, according to research by Which? magazine and the DNS Research Federation (DNSRF).

As part of the research into copycat websites, Which? and DNSRF consulted phishing blocklists, which are “lists of websites that have been reported as hosting illegal content”.

Typically, if you attempt to access a blocklisted website, your browser should show a warning instructing you not to proceed as the site is deemed unsafe, and you may have your details stolen. However, with high numbers of fake domains being set up all the time, it is likely that not all of the fraudulent websites can be picked up and warnings issued.

The phishing blocklist returned over 2,000 URLs which copied or contained the names of the following UK banking brands:

  • Barclays
  • HSBC
  • Halifax
  • Lloyds Banking Group
  • Monzo
  • Nationwide
  • NatWest
  • Santander
  • Starling Bank

Another blocklist returned a similar number of URLs for the same list of banks “with the addition of Clydesdale Bank”. Barclays and Santander featured in both lists most frequently.

These websites are made by the scammers to look and respond similarly to the banks’ genuine sites, and the URLs may be difficult to distinguish from legitimate bank landing pages. Examples of fake URL formats include:

  • help[bankname].net
  • my[bankname]-suspend-login.com
  • [bankname]-payee.added.com
  • secureportal-[bankname]net.com
  • [bankname]bnk.biz

Others included more subtle domain changes such as:

  • Replacing the lowercase letter ‘L’ with a capital letter ‘I’
  • Changing the suffix, e.g. from .com to .biz, .org or .net
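
The URL formats and subtle changes listed above can be checked for mechanically. The following is an added example, not code from Which?, DNSRF or any bank: it flags hostnames that use a brand name outside the bank's genuine domain. The brand `examplebank` and its domain `examplebank.co.uk` are hypothetical, and the look-alike folding goes slightly beyond the article by also treating the digit `1` as a stand-in for `l`.

```python
from urllib.parse import urlsplit

# Assumption: hypothetical brand mapped to its genuine registered domain.
BRANDS = {"examplebank": "examplebank.co.uk"}

# Characters that can stand in for a lowercase 'l'. A capital 'I' arrives here
# as 'i', because hostnames are case-insensitive and get lowercased.
FOLD = str.maketrans({"i": "l", "1": "l"})


def hostname(value):
    """Extract the lowercased hostname from a URL or a bare host string."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").rstrip(".")


def classify(value):
    """Return (brand, finding) pairs for a URL that imitates a known brand."""
    host = hostname(value)
    findings = []
    for brand, official in BRANDS.items():
        if host == official or host.endswith("." + official):
            continue  # the genuine domain or one of its subdomains
        if brand in host.split("."):
            findings.append((brand, "wrong-domain"))  # e.g. suffix changed
        elif brand in host:
            findings.append((brand, "embedded"))      # brand plus extra words
        elif brand.translate(FOLD) in host.translate(FOLD):
            findings.append((brand, "lookalike"))     # e.g. 'I' in place of 'l'
    return findings


# Constructed sample URLs following the formats listed in the article.
SAMPLES = [
    "https://www.examplebank.co.uk/login",
    "helpexamplebank.net",
    "examplebank-payee.added.com",
    "examplebank.biz",
    "exampIebank.com",
    "notexamplebank.co.uk",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:40} {classify(url) or 'no brand match'}")
```

The genuine-domain test compares against `"." + official` rather than a bare suffix, so `notexamplebank.co.uk` is still flagged.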

Santander, Barclays, Lloyds, HSBC and NatWest all confirmed to Which? that they actively “employ tools to monitor for sites maliciously impersonating their brands, and issue takedown requests when they find evidence of such sites.”

While these fake websites can be extremely convincing and imitate the bank’s actual website effectively, there are some giveaways to look for that can identify a fake site. Scam Adviser, a page set up to help consumers spot and report online scams, outlines its top tips for spotting and avoiding scam websites:

  • Check the small print, e.g. T&Cs. The scammers may not have had the time or inclination to make these appear genuine, and so they might have filler text, spelling mistakes, or refer to other brands entirely.
  • Double-check the domain name. Does it have spelling mistakes? Is the suffix consistent with the bank’s website if you use a search engine to find it?
  • Check the domain age – i.e. how long the website has been live – Scam Adviser has a tool for this.
  • Is the website secure? Does the URL start with https://? This doesn’t guarantee the site is legit, but not having it is a red flag.

If in doubt, do not proceed. Contact your bank directly using the details in your latest statement or on the back of your card.

The usual aim of imitation websites such as these is to gather sensitive information from bank customers. Scammers then use it to access the customers’ accounts, or in further scams in which they impersonate the bank. The details gathered might include:

  • Usernames
  • Passwords
  • Customer IDs
  • Answers to security questions
  • Passcodes
  • Contact details
  • Date of birth
  • Card details

This technique is known as ‘phishing’ and relies on victims accessing and interacting with malicious links that they believe to be genuine, usually sent via text or email. The scammers are then armed with the necessary information to access the victim’s accounts or contact them directly. They will pretend to be from the bank, with all the sensitive information that victims would expect a legitimate bank representative to know.

When an individual willingly makes a payment or authorises a transaction from their bank account for what they believe to be legitimate purposes – but which is actually part of a scam – this is known as Authorised Push Payment (APP) fraud.

In many cases, the scammer coaches the victim through the transaction process to get past any further security measures and authorisation steps that the scammer cannot bypass on their own. By the time the victim realises the transaction was fraudulent, the scammer has disappeared, and both the scammer and the money are virtually impossible to trace or recover.

It is extremely important to advise the police and your bank straight away. You can also report any suspected scamming activity to Action Fraud, the National Fraud and Cyber Crime Reporting Centre: if you have lost money, that may lead to a criminal investigation by the police.

Many victims are unaware that banks in the UK have a duty to apply due diligence when managing their customers’ accounts. In addition to robust security checks and data protection measures, banks should have processes to highlight and act on any ‘red flags’ such as vulnerable customers, regular and high-value payment transfers, payments overseas, or other unusual or out-of-character transactions.

If there is a dispute between a bank and a customer who has lost out to a scam, then a complaint can be made to the Financial Ombudsman Service (FOS). FOS will examine the circumstances of the fraud and the bank’s response. The investigation will consider that banks are – or should be – more familiar with fraud than the customer, so they should do what they can to protect them, including stopping suspicious transfers, freezing accounts or collaborating with other banks.

The specialist APP fraud team at TLW Solicitors has experience of successfully dealing with FOS claims, even when initial complaints have been rejected.

We understand the time limits to be followed, the information needed and the claims and appeals processes. The team will also deal with any complex legal arguments and defences the bank may raise. The combination of our experienced team and digital case management systems means that we proactively pursue your claim and aim to get the best possible results.

Sarah Spruce, Legal Director and head of the APP Fraud claims team at TLW Solicitors, says:

“Life is increasingly fast-paced and non-stop, so we may not always stop to check if an email or text message is really what it claims to be, and this is what these scammers want and rely on.

When you are entering your sensitive financial or personal information, be sure that the site you are accessing is legitimate, even if you have been instructed to do so urgently (this is also likely a red flag).

It is good to see that the main high-street banks are aware of and tackling the problem, but if you have been affected by a scam bank website and your bank refuses to refund, speak to my team today.”

If you, a friend, colleague, or loved one, are the victim of a fake banking website scam, please get in touch for a no-obligation assessment of your case. We work on a no-win, no-fee basis, meaning that if we take on your case and it is unsuccessful, you do not pay us anything.

You can call us on 0800 169 5925, email us at info@tlwsolicitors.co.uk, or complete one of the forms below.

It is important to get advice as soon as possible, as strict time limits can apply.

Minimum case values apply.
