Who's really calling you? An investigation into the worrying rise of 'number spoofing'

Your phone can lie to you. When it rings, the caller display will show a number or name on the screen. It could look like the phone number on your bank statement, or even the back of your debit card, but that doesn't guarantee it's your bank calling. 

Instead, you could be talking to a fraudster, displaying a false number to make you think they're from your bank. It's a trick known as malicious number spoofing.

Telecoms regulator Ofcom told us it doesn't know how many maliciously spoofed calls there are in the UK each year.

But at Which? we've seen a marked increase in reports of these types of scams in 2019, and we're concerned about both the scale of the problem and how much victims are losing.

Here, we explain how number spoofing works and how you can protect yourself from getting scammed.

The real cost of number spoofing

Fraud cost the UK hundreds of millions of pounds in the first half of 2019, according to figures from banking association UK Finance.

£56.3m was lost to impersonation scams, where criminals posing as police, bank staff or other businesses tricked victims into sending them money. Of every £1 lost, just 30p was returned to victims.

Which? talked to several people whose lives have been adversely affected by number spoofing scams.

In April, Simon (not his real name) received a phone call from a man claiming to be from Santander's fraud department. He said a major computer virus was affecting certain banks and Simon's money had to be transferred into new accounts.

The caller's number matched the phone number on the back of Simon's debit card,so Simon followed the instruction to make four £10,000 bank transfers - his life savings.

Simon realised it was fraud a day later, when he read about a very similar scam in Which? Money.

After Which? intervened in the case, Santander reviewed it, taking into account severe health problems Simon was suffering from at the time, and decided to refund him the full £40,000.

Since Simon became a victim, most banks and building societies have signed up to an industry code to compensate bank transfer fraud victims who've done nothing wrong.

But it's likely some victims of number spoofing will have their refund requests refused, in cases where the bank believes the victim was at fault.

'I have at least 60 blocked phone numbers'

Which? member Charles Gibbs has blocked at least 60 landline and mobile numbers on his phone, all of which have been used to make suspicious calls.

'The calls are either a 'dead' line or a recorded message,' he says. 'The messages tend to say they are from BT and that there is a problem with my internet connection - but my phone and internet aren't with BT. I have also had calls stating they were from HMRC.'

Charles told us these kinds of phone call tend to come in 'batches' of two or three per day, before going quiet for a week or so.

He says there's no indication that the call is a spoof until he picks up the phone, and it is only because he is savvy to the kinds of scams taking place that he immediately hangs up and blocks the number.

'I did once continue a conversation with a man who said I had a problem with my computer, just to see how they worked,' he says. 'I didn't follow any of the instructions of accessing the web address he gave me - I worked in IT before I retired, so I knew I wouldn't do anything which would allow him to take control of my computer.'

Unfortunately, not everyone would have had this knowledge. And whilst it's possible to cut down calls by registering your number with the Telephone Preference Service, this is designed to stop legitimate companies calling you, not criminals.

Charles certainly isn't alone. We ran a straw poll on Twitter asking our followers if any of them had been the target of number spoofing, with 28% saying it had happened to them.

How do the scammers do it?

For the problem to have become so widespread, it's fair to assume that number spoofing has become the weapon of choice for lots of scammers around the world.

But how do they go about it, and why is has it become so popular?

'A caller ID can be spoofed easily, and for free, using software that is shared online,' explains Ray Walsh, digital privacy expert at proprivacy.com. 'Scammers start by finding the number they want to spoof, either online or via whitepages.

'Next, they enter that number into the software. Once the number is saved, any outbound call that is made via the software will register on the recipient's end as the spoofed number.'

As we've seen, the chosen number could be someone else's landline number, your bank's, or any other company.

'Using a recognised number massively increases the chances that a scammer will be able to engage with a victim, often using specially-written scripts that are designed to trick people into saying and doing things the spammer wants,' says Ray.

'Most often this leads to the victim parting with sensitive personal information, be it payment details in order to drain their bank funds, or amassing personal data that can be used in future phishing and hacking attempts.'

'Getting account login details is much more common,' says Sharif Gardner, head of training and advisory services at Axis Capital. 'Depending on how sophisticated the scammer is, they might start off innocuously, and then build up information from you.'

Impersonation scams are on the rise

• 8,117 -  Number of impersonation scams reported in the first half of 2019 
• £56.3m -  Money stolen by criminals using these scams 
• 30p -  Only 30p in every £1 lost is returned to victim on average 
• 54% -  Increase in losses compared to the first six months of 2018

Source: UK Finance, Fraud the Facts 2019 half year update  

In some cases, however, scammers won't even want your login information; just your voice can be enough.

'Personal information has gone beyond your login details now,' says Sharif. 'We're now in the realms of your voice being personal information, and it's valuable. Voice recognition is increasingly being used for phone banking, and AI systems are becoming better and better at mimicking human voices.

'So, when you're spoofed and just hear a recorded message, scammers could just be aiming to record your voice recordings to get your voice on tape.'

Perhaps most worryingly is the fact that much of the number spoofing that takes place will never be punished.

'This is a borderless crime,' says Sharif. 'A lot of scammers have call centres set up in India and China. Scamming someone in the UK for £1,000 isn't enough to send the UK police over - the problem is too big and too widespread.

Conversely, Sharif says that if the criminals are based in the UK and spoofing UK phone numbers, the authorities are more likely to investigate if you report the call.

Number spoofing isn't necessarily illegal, and it has some legitimate uses.

For example, your credit card company could call you and go straight to your voicemail. It doesn't want you to be charged for calling it back, so it displays a freephone number on your caller display - even though that's not the number it's dialling you from.

A new scheme to tackle spoof calls

Earlier this year, Ofcom launched a scheme called 'do not originate', which is aimed at protecting phone numbers from some of the most spoofed organisations such as banks, HMRC and insurers.

Put simply, 'do not originate' applies to numbers from which no outbound calls are ever made. So if a bank prints a customer service number on the back of its debit cards, but never actually dials customers from that number, it could enrol that number in 'do not originate'.

The scheme is an instruction to phone networks. It informs them that no legitimate outbound calls are ever made from the number, and therefore calls appearing to be from this number should always be blocked.

Here's how do-not-originate works:

'Do not originate' was first adopted by HMRC back in April. Prior to the scheme's introduction, criminals had repeatedly impersonated the taxman, contacting victims and threatening them with fines and jail terms if they failed to pay fictional tax bills (you can listen to real audio recordings of those calls here).

HMRC told us the scheme had been hugely effective since being implemented: 'In the first month of the new controls, reports of spoofed calls fell by 25% compared with the previous month. By month two this had reduced by a further 23%.'

Not all banks are protecting their phone numbers

The 'do not originate' scheme was developed in partnership with UK Finance, the banking industry association, so we were keen to find out how many banks and building societies had enrolled their numbers.

We asked UK Finance which of its members had signed up, but it told us to approach banks individually, and expressed concern that 'listing which firms have yet to implement will only play to the fraudsters'.

We believe that banks that don't adopt 'do not originate' are responsible for playing to the fraudsters. However, we have chosen not to name the banks that have either failed to implement it, or failed to reply to our query.

We do know that Allied Irish Bank, First Trust, CYBG and Virgin Money, Barclays and Metro Bank have all submitted numbers to the 'do not originate' scheme.

'Do not originate' isn't a silver bullet. For example, fraudsters can simply spoof numbers very similar to the legitimate ones. However, the reduction in spoofed calls cited by HMRC suggests that 'do not originate' is highly effective.

And if a government department can adopt it, surely banks, with all the resources at their disposal, can do so too. We're calling on all banks to join 'do not originate' by the end of the year.

Why it could take years before spoof calls are stamped out

There is a longer-term tool in the fight against malicious number spoofing, called Secure Telephone Identity Revisited (STIR). The STIR standard will verify that a 'presentation number' (the number a call appears to come from) is valid and truthful, by consulting a database of numbers.

Intriguingly, Ofcom is exploring how blockchain, the technology powering cryptocurrencies such as Bitcoin, could be used to create an unhackable numbering database. Blockchain allows information (such as phone numbers) to be stored in multiple places simultaneously rather than in one centralised location, so it's effectively impossible to alter the record.

But there is a great deal to do before STIR or a comprehensive numbering database can be implemented.

The UK's first phone call was made in 1877 and the old copper network is only today being replaced by fibre, to enable internet-based calls.

All calls will need to be made over the internet, and the old phone network switched off, for STIR to work - something that's scheduled for 2025. But, Ofcom believes a partial numbering database and caller verification could be implemented by 'some time in 2022'.

While we wait, it's critically important that the institutions we rely upon use all the resources at their disposal to fight fraud - including the 'do not originate' scheme. So what's stopping them?

How can I protect myself?

If you receive a call claiming to be from your bank, the police, a government department or some other trusted source, and the caller is requesting personal or banking details, do not assume it's genuine.

1. Calmly put the phone down, and step away for five minutes. This gives you time to think rationally about what you were told.
2. Check the organisation's phone number independently - for example, by looking at a bill, letter or bank statement, or calling 101 for the police in a non-emergency.
3. Call the organisation using those details to check whether what you've been told is genuine.

You can find more information about scams and how to stay safe in our range of guides.

• Based on original reporting from Faye Lipson for Which? Money Magazine. The full investigation appeared in the November 2019 issue. You can try Which? Money today for just £1 to have our impartial, jargon-free insight delivered to your door every month.