A recent Which? Money investigation found that a legitimate-looking text message from a bank or credit card company could easily be a scammer in disguise…
Text spoofing scams are on the rise. These are fraudulent messages that appear to be from your bank or another legitimate-looking business.
Sharing his experience on Reddit, cannonrange explained how he nearly fell for a very convincing scam text that appeared to be from his bank…
‘It was a busy day at work, as usual. In the middle of a consultation, my phone rang (very professional, I know), and as I was expecting a call from another client, I answered it. Turned out it was an automated message about Barclays, so I cancelled the call.
‘An hour later, during lunch, I got a text from ‘BARCLAYS’, asking me to verify recent unusual account activity. Funnily enough, this has happened in the past a few times – Barclays flags accounts at the drop of a hat, and I’ve had my card blocked three times in recent years, for no more than innocent, if eclectic, activity.
‘This text told me to expect another text from a five-digit number. Said text followed shortly after. It asked me to reply if I didn’t recognise one ‘39.94 GBP payment to Catering and Leisure Supp, UNITED KINGDOM’.
‘It was in very clean, polite language, with good punctuation and no spelling errors. Plus, a reasonable amount of cash was cited – enough to make one care, but not enough to trigger serious, internalised red flags.
‘Not thinking too deeply, and lacking morning tea, I replied to say ‘no’ (‘I don’t recognise it’). This triggered a reply to say that [they] would call me shortly, or I could instead call 03XX XXX XXXX (a legitimate Barclays number) if I couldn’t receive calls.
‘Having nothing better to do during lunch, I was going to make damn sure someone wouldn’t fund their function’s catering on my wallet. Before I’d cut and pasted the number into my dialler app, I conveniently received a call, saving me the trouble (and minutes).
‘I was then put through to a Barclays advisor, who confirmed my details for a few minutes, before telling me that I hadn’t made any such transaction, nor had my account been flagged. Rather puzzled, I thanked the chap, and hung up, thinking it was a bit weird.
‘About 10 seconds after I ended the call, I got a sudden, terrible inspiration. I checked the number that just called. It was the same as the automated call I’d received in the morning. I Googled it, dread rising. Nothing good. A shady number from Maidenhead; the top hit from ‘unknownphone.com’ had multiple negative reports.
‘Connecting the dots: these scammers called me, with a local geographical number, and connected me straight to the actual Barclays hotline, so I didn’t suspect a thing. They then listened in, as I gave my details to the rep for security confirmation. Classic man-in-the-middle attack. They now had a bunch of my personal info, and were ready to clean me of everything I own.
‘Realising this, I was stunned, and honestly a bit embarrassed. I’m usually very meticulous about my privacy and security, warning others of the same. But damned me if I wasn’t played for an idiot and exposed as a slacker!
‘So I called the actual Barclays hotline within five minutes, and got through to the fraud department. This new rep froze the account as we were talking and I got put through to a higher level of clearance.
‘Being a particular man, with a call recorder installed, I told them which details of mine I’d inadvertently leaked: Name, DOB, town of birth, phone number, Account #, sort code, one recent transaction.
‘Thankfully, none of these were mission critical and some are in the public sphere (the real money, apparently, is in the mother’s maiden name, or similar security questions – which are only needed for the highest clearance, unlike the account checking the first rep did.)
‘The account number was replaced with a new card. Unfortunately, someone has now profiled me, linking name, DOB, town of birth, phone number, and preferred bank.
‘Still I’ll have to live with it. It’s all relative, anyway – at least I wasn’t affected by the Equifax data breach.’
Cannonrange originally shared this story on Reddit and, with his permission, we’ve republished an edited version here on Which? Conversation. All views expressed are Cannonrange’s own and not necessarily those also shared by Which?
Have you or someone you know spotted or fallen for the same or a similar scam?