Bank impersonation scams targeting businesses are on the rise again
- Number of attempted impersonation scams reported to Santander UK by its Corporate & Commercial Banking clients increased during Jan and Feb, with over 50 clients known to have been targeted in these two months in 2024 alone
- ‘Validate all requests made through unsolicited contacts by calling your bank directly’, ‘Check the phone number using the phone number on the back of your bank card’ and ‘Never use a phone number in an SMS message or which has been given to you by a cold caller’ – Santander UK provides tips how to keep your business safe from impersonation scams
- UK based logistics firm Consolid8 was targeted by scammers pretending to be their bank and instructed to ‘act now or lose £18,000’ by the criminals
The bank impersonation scam: Criminals call a business and pretend to be a bank employee, then trick the business’ staff member into giving them remote access to their device, their business’ online banking credentials and into authorising payments into criminals’ bank accounts. The scammers are often highly professional, and their impersonations of legitimate bank staff can be convincing, even to those who speak to their bank regularly.
The numbers: According to UK Finance data, a total of £76.1 million was stolen from people in the UK through impersonation scams in the first six months of last year. The number of attempted impersonation scams reported to Santander UK by its Corporate & Commercial Banking clients increased during January and February 2024 with over 50 clients known to have been targeted in these two months alone.
Chris Ainsley, head of fraud risk management at Santander UK said: “Impersonation scams are rampant and the criminals perpetrating these crimes can be particularly devious in their approach, using convincing but often aggressive tactics. Unfortunately, both businesses who speak to their bank regularly and those who don’t, can be the targets of this type of attack, so all should remain on high alert to this threat. Don’t trust people who make an unsolicited call to you and say they are from your bank, and make sure you validate any requests from cold callers by hanging up and contacting your bank using the phone number on the back of your bank card or your trusted relationship teams.”
Impersonation scam – how it works:
You receive a call or SMS on your mobile from someone purporting to be from your organisation’s bank, often from its fraud or security department. In some cases, the caller gives you a ‘case ID’ or ‘employee number’ as part of their effort to appear legitimate. The caller advises you that a ‘fraudulent payment’ has been made from your organisation’s bank account. They direct you – either over the phone or by sending you a link – to a fake website impersonating the bank so you can resolve the fraudulent payment issue. The caller either instructs you to install a remote access system onto your device or tells you to click on part of the fake website that, without you realising, installs remote access. Now the caller has access to your device, they instruct you to log into mobile banking and authorise transactions to their account, in order to stop the ‘fraudulent payments’ that they’ve claimed you’ve been a victim of. You then authorise the transactions, but what you are actually doing is authorising payment to the fraudsters’ accounts.
Case study
Russell is the financial director of UK based logistics firm, Consolid8. Over the course of a week, Russell and his team received several calls from a well-spoken and professional sounding person, claiming to be from Santander. The caller said Consolid8 had been a victim of fraud, and it would need to move money from its account to another provided by the bank impersonator as soon as possible, or they’d risk losing the money. Russell said that he’d check with his usual relationship manager as had heard of this type of bait before and was aware of what he needed to do to protect his business.
As the week went on, they tried to call him and several others in his business, each time becoming more aggressive and telling the logistics firm they needed to move the money and ‘act now’ or would lose £18,000. This type of behaviour made Russell’s team feel very uncomfortable. The scammer’s multiple attempts to fluster staff, which began politely at the beginning, and then became more pressured, were the red flag for Russell, who then informed his regular contact at Santander and was assured that this was not the bank calling and that they had been the target of a bank impersonation scam.
Russell noted that the scammer was hard to spot as they had a lot of information about the business and its banking arrangements and knew just what to say. However, as Santander had advised him previously that his bank would never be forceful about moving large sums of money, to not share personal details or act on phone calls, Consolid8 was better prepared and avoided becoming a victim.