Thousands of copycat banking websites reported in 2023, Which? warns
More than 2,000 suspected banking copycat websites were reported in 2023 alone, new Which? research has found, as the consumer watchdog calls for new legal duties to force domain registrars to do more to prevent these scams.
Banking copycat websites masquerading as real banks in a calculated attempt to part unsuspecting consumers from their hard-earned cash has been a persistent scam for several years.
Which? teamed up with the DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance, to find out just how widespread the issue is.
Which? asked DNSRF to check industry blacklists – lists of websites that have been reported as hosting illegal content. The consumer champion provided DNSRF with a list of the major UK banking brands, and it scoured a specialist phishing blacklist for sites reported in 2023 that had the names of those banks somewhere in their web address.
The DNSRF found that more than 2,000 URLs containing our specified UK bank brands were reported to a phishing blacklist in 2023. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling.
The majority of the sites look like blatant attempts to lead bank customers astray. DNSRF also examined another list, run by Scamadviser.com. In this case, it extracted data on URLs containing the specified bank brand names which had a ‘trustscore’ of less than 50 out of 100.
ScamAdvisor’s trustscore is calculated based on 40 different elements, such as who owns the website, whether the contact details are hidden, where the website is hosted and what technology is being used. More than 2,000 URLs for potential banking copycat websites were also found on ScamAdviser.
Across both lists, the words Santander and Barclays appeared most often. In recent years, Which? has repeatedly warned about phishing scams using Santander branding, and anecdotally this bank is a particularly popular target for impersonation by fraudsters.
When Which? asked 1,200 members in January 2024 whether they had ever unwittingly entered their details into copycat banking websites, two per cent thought they had, while a further three per cent were unsure.
While the vast majority of our respondents were able to identify that strange or unofficial-looking web addresses, poor spelling and grammar were hallmarks of a scam site, AI text generators will soon reduce the number of typos – making this a much less reliable way to spot scams. Only one in four (27%) knew that you could use a domain lookup service such as who.is to see when a site was registered.
Says Rocio Concha, Which? Director of Policy and Advocacy:
“It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online.
“Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.
“Domain registrars have a much bigger role to play in the fight against online fraud. With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites.”