The scam Social Engineering – Bank Impersonation Scam

Value and volume: The number of bank staff impersonation cases seen in H1 2021 is up 171% since H1 2020. In H1 2021 £84.7m of losses were seen to this type of scam alone.

How the scam works

1.       The customer receives a cold call from a fraudster impersonating Santander (or another bank) staff telling them urgent action is required.

2.       The customer is told that their money is at risk and there's been fraudulent activity on their account.

3.       They are told that to stop the transactions leaving their account, they'll need to hand over codes from their security device or authenticate requests using their mobile app. 

4.       The fraudster is actually using these codes to make payments from the customer's account.

5.       The criminals try to legitimise the request by getting the customer to check the telephone number they’re calling from, but this can be spoofed to look like a genuine number.

How to protect your business

If anyone contacts you or one of your colleagues out of the blue and tells you your business or corporate account is at risk, you should hang up the phone and contact us directly. Never share a token code with anyone, not even a Santander employee and never use the mobile app to authenticate a transaction you’ve not keyed yourself. It’s also important not to rely on callerID to validate a caller. If you’re at all concerned, hang up and contact the company directly on a publicly available number. If you think your business or employer has been the victim of an impersonation scam, report it to the bank immediately via your usual channel of communication.

Chris Ainsley, Head of Fraud Control, Santander UK

“When it comes to impersonation scams, these fraudsters are very convincing. They use panic tactics to get people to take action quickly and without thinking.

“We’re seeing more and more cases, where fraudsters sound genuine, purporting to be from the bank and are able to convince accounts teams to part with online banking tokens or use their mobile banking app to confirm a transaction, without realising that actually they’re sending the company’s money right into a fraudster’s account instead. Now more than ever, it’s so important to take the time to educate your staff, remind them of the risks and to ensure they never share online banking codes with anyone, not even a bank employee. If you don’t, your business risks simply never seeing the money again.”

How to protect your company

·         The key to protecting your company from these frauds is to ensure all payment processing staff within your business are aware of these important messages:

o         Never share a token code with anyone, not even a Santander employee.

o         Never use the mobile app to authenticate a transaction you’ve not keyed yourself.

o         If you’re asked to do either of the above, this will be fraud.

·         If anyone contacts you out of the blue and tells you your account is at risk, you should hang up the phone and contact us directly.

·         Make sure your business has robust payment processing procedures and controls, including dual authorisation and payment authorisation limits.

·         It’s important to have a mechanism to keep all staff up to date with fraud trends and advice.

·         Visit the Santander website for more information.

·         If you think you may have been a victim of fraud or a scam, report it to your bank immediately. You can also report to Action Fraud, either by calling 0300 123 2040 or online at www.actionfraud.police.uk.

Case study 
Jenny received a call on the business landline from someone pretending to be from Santander. After initially being suspicious, she was told that she could double check it was Santander by letting them call her on her mobile, which showed the genuine Santander contact number. 

Jenny was reassured and advised by the caller that a payment had been set up on the company account and that she needed to urgently provide ‘authorisation’ to decline the payment and stop it debiting.

At the caller’s request, she shared a security code to stop the payment. The caller found further payments that also required authorisation to decline, and Jenny carefully followed their advice and provided the requested information a number of times. 

In fact, the caller was not from Santander, rather a criminal who had used deception to persuade Jenny to take urgent action. The information disclosed by Jenny actually enabled rather than prevented transactions on the company’s account. The caller ID on her mobile had been spoofed by the criminal to add legitimacy to the request.