/ Scams

Scam alert: fake Barclays ‘unusual payee request’ text

We’ve been made aware of a scam text message targeting Barclays customers by directing them to a fake website. Here’s what you need to look out for.

Fake text messages posing as banks are nothing new – last year we saw a huge rise in the number of people reporting that they’ve received one purporting to be from Halifax.

But this one using Barclays to target victims features another twist to be wary of: it’s managed to successfully drop into people’s inboxes with the sender set as the bank itself:

These types of ‘smishing’ attempts work by rushing people into visiting a fake website, which can go on to request and steal sensitive information, such as bank details. In this case, its victims will alarmed to read that an ‘unusual payee request’ has been ‘flagged’ on their account.

Fortunately some web browsers, such as Chrome in the below example, will warn you that the site is illegitimate:

However, there’s no guarantee that everyone will receive a similar warning, and some may believe these convincing phishing sites to be genuine.

Spotting and reporting smishing scams

After reporting the fake text to the National Cyber Security Centre (report@phishing.gov.uk), we made Barclays aware of the text. It told us:

“We work closely with the telecommunications industry to support them on preventative measures. We have been, and continue to be, part of an ongoing industry-wide trial to combat ‘smishing’ activity.

The SMS SenderID Protection Registry allows businesses using SMS to register and protect the message headers used when sending text messages to their customers. Over the last two years, the working group has seen a significant drop in fraudulent messages being sent to UK consumers of participating merchants.

We urge customers to pay close attention to the warnings we provide when making payments as these are designed to help protect them against fraud and scams”

Barclays also said that it will never send a text and ask you to click on a link.

If you think you may have handed over your card details to scammers, you should let your bank know what’s happened immediately.

Guide: How to get your money back after a scam

If you’re not sure if contact from a bank is genuine, get in touch with it directly via its official channels to verify the correspondence before you take any action.

Have you received this fake Barclays text or others purporting to be from different banks? Let us know in the comments, and help spread the word to warn friends and family.

Comments
Dr S E Blackall says:
4 May 2021

Just received a text supposedly from HSBC saying I’d made a payment to Mr Jones and asking me to click on a link, but I’m not an HSBC customer. I looked up the phone number on a reverse ID site and it told me it was a private number. Clearly a scam

I have just received a text saying “HSBC FRAUD ALERT” followed by details of an alleged payment I have made to Mr C Jones for £240.00. Link is to ‘security.hs-review-newpayee.com’

[Moderator: this website appears to be a scam website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

Ray says:
1 July 2021

Dear “Moderator”. You haven’t redirected that link. It’s still going to the scam website (which, fortunately, appears to have been taken down).

Thanks for the flag Ray. Should you click on the link that NJH is referring to, you should be directed to this page: https://www.which.co.uk/consumer-rights/advice/how-to-spot-a-fake-fraudulent-or-scam-website-aUBir8j8C3kZ, not to the URL as listed. You can of course copy the text of the link into your browser and access the site that way, however we would advice caution in doing so.

We’re conscious that searching for verification on whether the text of the suspicious message and URL is a scam brings a fair number of people into Which? Conversation. For this reason we retain the text of any potentially scam or misleading websites to help people identify ones they may have received, while making them aware of the risk and highlighting further guidance to help you when you may encounter a potentially dodgy website or message in the future.

Denise Galvan says:
10 May 2021

It is impetarative that we all join forces and stip these scamners

Anthony North says:
12 May 2021

I would just like to have an email address to which I could send details of scams. Several organisations have a ‘phishing’ email address, but, instead of having to remember each one, a single national email address could be used; including the telephone numbers from which messages seem to have come.

Alan Cooper says:
12 May 2021

Have received similar messages to the Barclays one purportedly coming from Lloyds and also HSBC

Pluto says:
16 May 2021

This itself appears to be helpful & genuine,BUT HOW CAN WE EVER TRUST OR RELY ON ANY SAFETY OR ASSURANCE IN THESE DAMN FRAUDSTERS WHICH ARE MOE TEXTED SAVVY THAN US ????

Pluto – Just ignore and delete any texts or e-mails you get about anything to do with banking. Banks never communicate in that way.

Kate Brown says:
2 July 2021

I had one of these purporting to be from HSBC at *exactly* the same time that I was trying to send money to a new perfectly valid payee. I thought there was something very fishy about this and am pursuing it through HSBC complaints.

In January I received a text from a mobile number which called itself LLOYDS ALERTS: you added a new recipient MRS CLAIRE LOWELL on 18-01-21 at 15.56. If this was NOT you Block the payee here:
manage-allpayees.com.
As I have never banked with Lloyds, this was obviously a fake. (The capital letters shown above were in the original text.)

In January I also received a another text, this time allegedly from HSBC.
A New Payee request was created from an unrecognised device. You can Authorise or Cancel this request via: https://hsbc.request-verify.com/payees/
I do not hold any accounts with HSBC.

In April I received another text from Lloyds:
Confirmation you setup a new recipient on 01/04 at 13.29pm from your account.
If this was NOT you please visit: https.//lloyds-mobilesession.com/uk

Brians – The “if this was not you” scam attempt is a classic example of the false jeopardy trick that panics people into complying with the scammers’ demands and leads to the loss of money from their bank accounts.

No bank would send a text to a customer’s mobile phone concerning the operation of their bank account. Any communication from a bank will include security checks and account identification details.

In May I received a text allegedly from NATWEST.
You have successfully set up a new payee MRS A JOHNSON on 17/05 at 16.57PM. If this was NOT you please visit: https://natwest-onlinemanage.com/
Once again I have never banked with Natwest

On 29 May I received another text, this time not from a bank but allegedly from the CENSUS:
There is missing information from your application. Failure to update your details may result in a £1000 penalty. Visit: http://census.myinfo-ref.co.uk.

Anura J says:
8 July 2021

I just received a message from Amazon – sent to both my Kindle (a total surprise) and my email address – saying that a payment for a Kindle book I purchased yesterday had failed and I should use the link provided to verify the card so the purchase could go ahead. TBH I was reasonably sure the message was genuine – the name of the book was correct and they addressed me properly, but I’d already received the book by WiFi link so I thought it all a bit odd and given how clever scammers are these days I ignored the link and went straight to the website – which is my usual practice anyway. There I found that the payment did indeed need to be verified and the message was genuine.

I find it extremely worrying that any company would use a link in this way – it just adds veracity to scammers that use the same tactics to defraud people. I do not know why this payment failed – the card in question is never used anywhere but Amazon so there really shouldn’t have been a problem, but I have noticed a tightening of security procedures lately with all the banks I use and this isn’t the first query I’ve had recently. Sign of the times I suppose and I guess I’m probably more relieved than irritated that my banks are working for their money but really, Amazon should have known better!