Thousands of potentially fraudulent banking copycat websites reported in 2023, Which? warns

More than 2,000 suspected banking copycat websites were reported in 2023 alone, new Which? research has found, as the consumer champion calls for new legal duties to force domain registrars to do more to prevent these scams appearing in the first place. 

Banking copycat websites, which masquerade as real banks in a calculated attempt to part unsuspecting consumers from their hard-earned cash, have been a persistent scam for a number of years.

The consumer champion teamed up with the DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance, to find out just how widespread the issue is.

Which? asked DNSRF to check industry blocklists – lists of websites that have been reported as hosting illegal content. The consumer champion provided DNSRF with a list of the major UK banking brands, and it scoured a specialist phishing blocklist for sites reported in 2023 that had the names of those banks somewhere in their web address.

The DNSRF found that more than 2,000 URLs containing our specified UK bank brands were reported to a phishing blocklist in 2023. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling. 

The majority of the sites look like blatant attempts to lead bank customers astray. DNSRF also examined another blocklist, run by Scamadviser.com. In this case, it extracted data on URLs containing the specified bank brand names which had a ‘trustscore’ of less than 50 out of 100. 

ScamAdviser’s trustscore is calculated based on 40 different elements, such as who owns the website, whether the contact details are hidden, where the website is hosted and what technology is being used. More than 2,000 URLs for potential banking copycat websites were also found on ScamAdviser.

Across both blocklists, the words Santander and Barclays appeared most often. In recent years, the consumer champion has repeatedly warned about phishing scams using Santander branding, and anecdotally this bank is a particularly popular target for impersonation by fraudsters.

The data is experimental and inexact as it is impossible to count every copycat banking website from last year. For example, TSB had to be excluded from all the results as this proved a common string of letters that generated many false positives for websites which were unrelated to banking scams.
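The brand-in-URL matching described above, and the TSB false-positive problem it ran into, shown as an added example (not DNSRF's or Which?'s code). The URLs are constructed samples on reserved .example names, and the `min_substring_len` threshold is an assumption made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Brand list from the article, plus TSB, which the study had to exclude.
BRANDS = ["barclays", "hsbc", "halifax", "lloyds", "monzo",
          "nationwide", "natwest", "santander", "starling", "tsb"]

# Constructed blocklist entries on reserved .example names; not real reports.
SAMPLE_URLS = [
    "https://santander-verify.example/login",
    "http://secure.barclaysonline.example/auth",
    "https://tsb-account-check.example/",
    "https://pittsburgh-plumbing.example/contact",  # contains "tsb" by accident
    "http://giftsbox.example/sale",                 # contains "tsb" by accident
    "https://news.example/article?ref=hsbc",        # brand only in the query string
]

def hostname(url):
    """Return the lower-cased host part of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def naive_hits(urls, brands=BRANDS):
    """Count URLs where the brand appears anywhere in the web address."""
    hits = Counter()
    for url in urls:
        lowered = url.lower()
        for brand in brands:
            if brand in lowered:
                hits[brand] += 1
    return hits

def stricter_hits(urls, brands=BRANDS, min_substring_len=4):
    """Match on the hostname only; short brands must be a whole token
    between separators (dots, hyphens), longer brands may be substrings."""
    hits = Counter()
    for url in urls:
        host = hostname(url)
        tokens = set(re.split(r"[^a-z0-9]+", host))
        for brand in brands:
            short = len(brand) < min_substring_len
            if (brand in tokens) if short else (brand in host):
                hits[brand] += 1
    return hits
```

The stricter matcher trades recall for precision: it drops the accidental "tsb" matches but would also miss a short brand glued to other letters in a hostname.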

It is also impossible for Which? to view and check if the sites were genuinely fraudulent or confirm that they were impersonating the banks in question, as they have already been taken down by the web hosting companies or scammers themselves.

However, it is also possible that this is just the tip of the iceberg and many copycat websites have been missed, because they are not on blocklists. Some sites may only be active for days or even hours before their content is wiped and the site abandoned. 

The consumer champion also asked more than 1,200 Which? members in January 2024 how much they knew about copycat banking sites. When asked if they had ever unwittingly entered their details into such websites, two per cent thought they had, while a further three per cent were unsure. These figures may seem low, but fraudsters work at scale, sending thousands of texts or emails, only needing to ensnare a few victims to make it a worthwhile endeavour. 

The vast majority of our respondents were able to identify that strange or unofficial-looking web addresses, poor spelling and grammar were hallmarks of a scam site. However, AI text generators will soon reduce the number of typos – making this a much less reliable way to spot scams.

However, only one in four (27%) knew that you could use a domain lookup service such as who.is to see when a site was registered. Doing this would allow consumers to spot a brand-new website masquerading as a long-established bank. 

Which?’s research clearly shows that domain registrars have a much bigger role to play in the fight against online fraud. To set up a copycat website, fraudsters need to use a domain registrar, and to take one down, consumers and businesses need to contact a web hosting company. Many companies operate as both and yet the industry continues to self-regulate.

Which? found that the approach to reports of scam sites is not uniform and varies enormously between companies. Some quickly remove copycat websites, while others do not even respond to reports. The UK government is currently consulting on new powers to seize domains being used for criminal purposes. 

With limited time to introduce legislation before the next election, Which? is calling on the next government to place a duty on domain registrars to prevent scammers from setting up these fraudulent websites.

Rocio Concha, Which? Director of Policy and Advocacy, said: 

“It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online. 

“Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.

“Domain registrars have a much bigger role to play in the fight against online fraud. With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites.”
