
Banking copycat websites

by Mark Rowe

In a calculated attempt to scam unsuspecting consumers, banking copycat websites are masquerading as real banks, says the consumer advice body Which?. It asked DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance, to check industry blocklists – lists of websites that have been reported as hosting illegal content.

Which? provided DNSRF with a list of the major UK banking brands, and DNSRF scoured a specialist phishing blocklist for sites reported in 2023 that had the names of those banks somewhere in their web address. It found that more than 2,000 URLs containing the specified UK bank brands were reported to a phishing blocklist in 2023. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling.

The majority of the sites look like blatant attempts to lead bank customers astray, says Which?. DNSRF also examined another blocklist, run by Scamadviser.com. In this case, it extracted data on URLs containing the specified bank brand names which had a ‘trustscore’ of less than 50 out of 100.

ScamAdviser’s trustscore is calculated based on 40 elements, such as who owns the website, whether the contact details are hidden, where the website is hosted and what technology is being used. More than 2,000 URLs for potential banking copycat websites were also found on ScamAdviser. Which? is calling on the UK Government to place a duty on domain registrars to prevent scammers from setting up these fraudulent websites.

Rocio Concha, Which? Director of Policy and Advocacy, said: “It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online. Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.

“Domain registrars have a much bigger role to play in the fight against online fraud. With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites.”

Comment

Steve Bradford, Senior Vice President EMEA at SailPoint, said fraudsters have never been so ruthless with their tactics. “But masquerading as official bank sites is part of a long list of ways to trick consumers – from using fake retailer websites that mimic real ones, to engaging in phishing on social media accounts and posing as customer service agents. Deception can happen through numerous tactics, so consumers need to be cognisant of the multitude of weapons in the cybercriminal’s arsenal.

“The best course of action is to think before you click. Scrutinise every email you get, even if you think it’s from a trusted organisation. Hover over links before clicking, and don’t enter information into forms without being totally sure that you’re not handing over the keys to your digital identity in the process.

“Setting up multi-factor authentication, using complex passwords and identity verification checks all help combat cybercriminals when they seek to gain account access. As best practice, all interactions online, particularly when entering bank details, should also be looked over with a sceptical eye. Such additional measures are vital to help safeguard data.”


© 2024 Professional Security Magazine. All rights reserved.
