London Metropolitan Police announces that it will text victims of largest UK scam scheme 

The London Metropolitan Police (Met) announced a huge win in countering fraud in the UK, with it busting a sophisticated banking scam that has a suspected 200,000 potential victims. This is obviously great news. What is not so great, is the way the force has announced its plans to communicate to 70,000 of the victims. The Met has made it very public that it will contact victims by text.  

By publishing its intentions and plan of action, the Met is opening a door of opportunity to more fraudulent texts and scam links. 

Phishing, Smishing, and Vishing 

This particular scam involved fraudsters impersonating bank staff on phone calls and ‘warning’ victims of suspicious activity on their accounts. In this way they could phish One Time Passcodes (OTP) and other authentication details from the victim and use them to bypass anti-fraud measures in bank systems. In this instance fraudsters utilised a criminal website called iSpoof to appear as official phone numbers of major banks and pose as employees in order to retrieve key information from consumers. Victims were asked to enter an OTP into their phones, which was then taken by the fraudsters to gain access to online banking and empty the accounts of up to twenty people per minute. Victims were targeted primarily in the USA, UK, Netherlands, Australia, France, and Ireland.  

These are classic tactics we see used in various smishing and vishing attacks to retrieve personal data points such as name and contact details. Once stolen, criminals are able to exploit this information to gain access to online banking accounts, or in more elaborate smishing scams. By creating the illusion that the SMS is specifically targeted to that individual the victim is more inclined to interact with the scam and consequently suffer a loss. 

The impersonation scam typology is a huge issue for the UK. According to UK Finance, £214.8 million was lost to impersonation scams in 2021. This was the largest category of Authorised Push Payment (APP) losses according to the research. 

The scale of UK scams 

£48 million may have been stolen by criminals in just this one elaborate scheme: evidence of the scale at which scammers operate. Clearly banks need to scale up their fraud prevention solution to keep pace. The failing here was to spot that customers were acting out of character. Too many legacy fraud prevention systems rely on basic rules that authorise payments based on Two Factor Authentication (2FA). But fraudsters realised this long ago, hence the rise in scams like this that actually take advantage of 2FA to circumvent the rules. 

To protect customers from scams, banks need to be able to accurately identify what is usual behaviour for customers, adjusting that over time as behaviours evolve, and be able to spot in real-time when a transaction is out of the norm for a customer – even if it appears that a customer has authenticated themselves. Featurespace’s unique approach to machine learning has been proven to accurately identify scams and stop fraud in real-time.   

Scammers’ next opportunity? 

The mistake made by the Met in this instance is to provide the specific dates on which victims will be contacted as part of their public communications. Fraudsters will use this as an opportunity to target their next victims by replicating the text from the Met. In my opinion we will now see an increase in smishing attacks, where victims are recipients of bogus texts pretending to be from the police but will ultimately fall victim again to a new scam. We have seen this previously in a variety of forms, where a link may look legitimate but has been spoofed. These links send the victim to an illegitimate site where they may be asked to hand over personal details. We saw this during the Covid-19 pandemic and more recently as frequent ‘attempted delivery’ text messages. 

Consumer education on scam spotting   

With a 70% increase in APP fraud losses during just a six-month period in 2021, it’s clear this problem is not going away. 

Now is the time to educate customers on key tell-tale signs on how to spot scams, but also how to report them. To achieve this, we need more effective collaboration between law enforcement, policy makers, and the private sector experts in fraud prevention. With a coordinated effort we can design the best education and communication programmes that make it harder for fraudsters to scam consumers, rather than opening the door to their latest schemes. 

Discover how government, law enforcement, and financial services can work together to stop scammers. Read the blog by my colleague, Steve Goddard: Action on UK Fraud with the Digital Fraud Committee