Consumer champion Which? is calling for new laws to force domain registrars to do more to prevent scam banking ‘copycat’ websites appearing in the first place; after it revealed that over 2,000 of these suspected sites were reported in 2023.
For many years, banking copycat websites have been masquerading as real banks, hoping to trick unsuspecting consumers into sending their money to scammers. In response, Which? has joined forces with the DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance, to find out just how widespread the issue is.
Which? asked DNSRF to check industry blocklists, listing websites reported to have hosted illegal content, in which it found that over 2,000 URLs contained UK bank brands. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander, as well as Starling.
Most sites appeared to be obvious attempts to lead bank customers astray. Across two blocklists, the words Santander and Barclays appeared most often. In recent years, Which? has repeatedly warned about phishing scams using Santander branding, a popular target for impersonation by fraudsters.
Rocio Concha, director of policy and advocacy at Which?, commented: “It’s hugely concerning that thousands of banking copycat websites were reported in a single year – potentially leaving millions of consumers exposed to fraudulent content online.
“Consumers who are just trying to bank online should not have to shoulder the responsibility of reporting scam sites and chasing domain registrars to take them down.
“Domain registrars have a much bigger role to play in the fight against online fraud. With an election just around the corner, the next government must make fighting fraud a national priority, and place new legal duties on these companies to prevent scammers from setting up these fraudulent copycat websites.”
Are these copycats just the tip of the iceberg?
Which? has warned that the data is inexact and that it couldn’t check if each site was genuinely fraudulent or intended to impersonate the banks in question, as web hosting companies or scammers themselves had already taken them down.
However, it is also possible that many copycat websites were missed, because they were not on blocklists. Some sites are only active for days or even hours before fraudsters wipe the content and abandon it.
The consumer champion also asked more than 1,200 of its members in January 2024 how much they knew about copycat banking sites. When asked if they had ever unwittingly entered their details into such websites, two per cent thought they had, while a further three per cent were unsure.
The vast majority of our respondents were able to identify that strange or unofficial-looking web addresses, poor spelling and grammar were hallmarks of a scam site. However, these signs may begin to appear less and less as scammers begin to utilise AI to reduce the number of typos and improve grammar.
Combatting copycats
Only 27 per cent knew they could use a domain lookup service such as who.is to see when the owner registered a site. Doing this can enable consumers to spot a brand-new website masquerading as a long-established bank.
Which?’s research highlights that domain registrars have a much bigger role to play in the fight against online fraud. To set up a copycat website, fraudsters need to use a domain registrar and to take one down, consumers and businesses need to contact a web hosting company. Despite the fact that many companies operate as both, the industry continues to self-regulate.
Which? found that the approach to reports of scam sites is not uniform and also varies enormously between companies. Some quickly remove copycat websites, while others do not even respond to reports. The UK government is currently consulting on new powers to seize domains used for criminal purposes.
With limited time to introduce legislation before the next election, Which? is calling on the next government to place a duty on domain registrars to prevent scammers from setting up these fraudulent websites.
