Press release

Thousands of potentially fraudulent banking copycat websites reported in 2023, Which? warns

More than 2,000 suspected banking copycat websites were reported in 2023 alone, new Which? research has found, as the consumer champion calls for new legal duties to force domain registrars to do more to prevent these scams appearing in the first place 

Banking copycat websites, which masquerade as real banks in a calculated attempt to part unsuspecting consumers from their hard-earned cash, have been a persistent scam for a number of years.

The consumer champion teamed up with the DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance, to find out just how widespread the issue is.

Which? asked DNSRF to check industry blocklists - lists of websites that have been reported as hosting illegal content. The consumer champion provided DNSRF with a list of the major UK banking brands, and it scoured a specialist phishing blocklist for sites reported in 2023 that had the names of those banks somewhere in their web address.

The DNSRF found that more than 2,000 URLs containing our specified UK bank brands were reported to a phishing blocklist in 2023. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling. 

The majority of the sites look like blatant attempts to lead bank customers astray. DNSRF also examined another blocklist, run by Scamadviser.com. In this case, it extracted data on URLs containing the specified bank brand names which had a ‘trustscore’ of less than 50 out of 100. 

ScamAdviser’s trustscore is calculated from 40 different elements, such as who owns the website, whether the contact details are hidden, where the website is hosted and what technology is being used. More than 2,000 URLs for potential banking copycat websites were also found on ScamAdviser.

Across both blocklists, the words Santander and Barclays appeared most often. In recent years, the consumer champion has repeatedly warned about phishing scams using Santander branding, and anecdotally this bank is a particularly popular target for impersonation by fraudsters.

The data is experimental and inexact, as it is impossible to count every copycat banking website from last year. For example, TSB had to be excluded from all the results because ‘tsb’ proved to be a common string of letters inside ordinary words, generating many false positives for websites that were unrelated to banking scams.
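The brand-name scan described above, as an added illustration that is not DNSRF’s or Which?’s own code: it runs two matchers over a small constructed blocklist (not real reported URLs) and shows both why a short name like ‘tsb’ over-matches under plain substring search and what a stricter whole-token match gives up in return.

```python
import re
from collections import Counter

# The UK bank brands the study searched for; TSB is kept here to show the false-positive problem.
BRANDS = ["barclays", "hsbc", "halifax", "lloyds", "monzo", "nationwide",
          "natwest", "santander", "starling", "tsb"]

# Constructed sample blocklist entries (not real reported URLs).
SAMPLE_BLOCKLIST = [
    "http://santander-secure-login.example/verify",
    "https://online.barclays-update.example/",
    "https://barclaysonline.example/",          # brand fused with another word
    "http://example.net/hsbc/login.php",        # brand only in the path
    "https://catsbooks.example/",               # 'tsb' hidden inside an unrelated word
    "https://www.tsb-alert.example/",
    "https://weather.example/",
]


def substring_brands(url):
    """Brands whose name appears anywhere in the URL (the loose, high-recall check)."""
    u = url.lower()
    return [b for b in BRANDS if b in u]


def token_brands(url):
    """Brands that appear as a whole token after splitting the URL on dots, hyphens, slashes etc."""
    toks = set(re.findall(r"[a-z0-9]+", url.lower()))
    return [b for b in BRANDS if b in toks]


def count_hits(urls, matcher):
    """Number of URLs attributed to each brand under the given matcher."""
    counts = Counter()
    for url in urls:
        for brand in matcher(url):
            counts[brand] += 1
    return dict(counts)


def substring_only(urls, brand):
    """URLs the substring matcher attributes to `brand` but the token matcher does not."""
    return [u for u in urls if brand in substring_brands(u) and brand not in token_brands(u)]


if __name__ == "__main__":
    for name, matcher in (("substring", substring_brands), ("token", token_brands)):
        print(name, count_hits(SAMPLE_BLOCKLIST, matcher))
    print("tsb, substring only:", substring_only(SAMPLE_BLOCKLIST, "tsb"))        # a false positive
    print("barclays, substring only:", substring_only(SAMPLE_BLOCKLIST, "barclays"))  # a true hit the strict matcher misses
```

The ‘catsbooks’ entry is the kind of hit that forced TSB out of the results, while ‘barclaysonline’ shows that simply tightening the match trades false positives for missed copycats, which is why the figures are described as experimental.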

It is also impossible for Which? to view and check if the sites were genuinely fraudulent or confirm that they were impersonating the banks in question, as they have already been taken down by the web hosting companies or scammers themselves.

However, it is also possible that this is just the tip of the iceberg and many copycat websites have been missed, because they are not on blocklists. Some sites may only be active for days or even hours before their content is wiped and the site abandoned. 

The consumer champion also asked more than 1,200 Which? members in January 2024 how much they knew about copycat banking sites. When asked if they had ever unwittingly entered their details into such websites, two per cent thought they had, while a further three per cent were unsure. These figures may seem low, but fraudsters work at scale, sending thousands of texts or emails, only needing to ensnare a few victims to make it a worthwhile endeavour. 

The vast majority of our respondents were able to identify that strange or unofficial-looking web addresses, and poor spelling and grammar, were hallmarks of a scam site. However, AI text generators will soon reduce the number of typos, making this a much less reliable way to spot scams.

However, only one in four (27%) knew that you could use a domain lookup service such as who.is to see when a site was registered. Doing this would allow consumers to spot a brand-new website masquerading as a long-established bank. 

Which?’s research clearly shows that domain registrars have a much bigger role to play in the fight against online fraud. To set up a copycat website, fraudsters need to use a domain registrar, and to take one down, consumers and businesses need to contact a web hosting company. Many companies operate as both, and yet the industry continues to self-regulate.

Which? found that the approach to reports of scam sites is not uniform and varies enormously between companies. Some quickly remove copycat websites, while others do not even respond to reports. The UK government is currently consulting on new powers to seize domains being used for criminal purposes. 

With limited time to introduce legislation before the next election, Which? is calling on the next government to place a duty on domain registrars to prevent scammers from setting up these fraudulent websites. 

Rocio Concha, Which? Director of Policy and Advocacy, said:

“It’s hugely concerning that thousands of banking copycat websites were reported in a single year - potentially leaving millions of consumers exposed to fraudulent content online. 

“Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.

“Domain registrars have a much bigger role to play in the fight against online fraud. With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites.”

ENDS 

Notes to editors 

The results are based on an online survey of 1,202 members of the Which? Connect panel conducted in January 2024.

Right of replies 

Which? approached Santander plus the ‘big four’ UK banking groups – Barclays, Lloyds, HSBC and NatWest – to ask them how they approach the problem of copycat websites.

A Barclays spokesperson said: 

“The protection of our customers’ funds and data is our highest priority. We use a number of controls to detect and request that malicious websites are taken down via the domain registrar. We also invite customers to share details of any suspicious sites or pages via the reporting routes detailed on our website.

“Our security team works round the clock to keep customers safe and we offer a wide range of resources to help people spot fraudulent websites and scams. Customers should never disclose their debit card PIN, full telephone banking passcode, full online banking membership number or login details to anyone. If a customer thinks they have been a victim of fraud or notices a transaction on their account that they do not recognise, we encourage them to contact their bank immediately and report the case to the police through Action Fraud.”

A HSBC spokesperson said: 

“Protecting customers and their money online is an absolute priority for us, so we continually monitor for malicious domain registrations and hosting activity, taking any appropriate enforcement action in a timely manner. We would encourage all customers to visit our Fraud and Security Centre on a regular basis, to keep up to date on the latest scams, warnings and advice!”

Liz Ziegler, Fraud Prevention Director at Lloyds Bank said:

“We recognise the threat posed by fraudsters attempting to impersonate our brands. This problem isn’t unique to us, unfortunately all major companies are targeted by organised crime groups.

“Protecting our customers from fraud is our priority, and we use the latest technology to actively search for fake websites, as well as responding to intelligence received from third parties. We take the appropriate steps to have fake websites removed, where necessary working with partners across law enforcement, the finance industry and tech sector.

“However, it’s important to understand that this process is complex, and the options available to us can be limited. This is why it is vital that tech firms do more to crack down on the criminals using their platforms to impersonate trusted brands.”

NatWest Group said it employs Netcraft, a specialist takedown provider, to guard against copycat websites, as well as working directly with the internet service providers (ISPs) TalkTalk and BT Group, because both are willing to block bad domains on their networks.

The bank explained that, in most cases, it can’t act purely on the basis of a domain registration containing its brand name, as it may have a legitimate purpose. But the bank will carefully monitor such sites and act to remove them as soon as they go live if they show signs of malicious intent.

NatWest told us it goes further by driving the takedown of scam crypto and investment sites targeting people in the UK, therefore protecting all internet users and not just their own customers. It told us this amounts to about 15,000 sites taken down per month, but this has reached 37,000 at its peak.

Santander said:

“Protecting our customers from fraud and scams is a key priority for everyone at Santander. We have a range of measures to keep customers safe, including sophisticated tools to detect and take down fake Santander websites. We know that in many cases these scams start with an SMS phishing text providing a fake link for customers to follow. We’re working with telecoms companies to prevent these at source and would urge customers to never click on links in a text or email purporting to be from their bank or another trusted organisation.”

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. 

As an organisation, we’re not for profit and all for making consumers more powerful. The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.