/ Technology

Watch out for phone scammers as ‘vishing’ soars

Red phone

More than half of Brits have been hit by phone scams in the last year. Do you know how to spot a cold call scam? Here’s Craig of Financial Fraud Action UK on the growth of phone scams and how to avoid them.

£55,550, £1,850, £440, £99,500, £17,400, £700 – these are just some of the amounts I’ve heard people losing due to phone scams, also known as vishing. I’d like to be able to tell you that these scams are rare and this is only money that has been lost over a period of many months or years. The reality is these are sums which have been lost by ordinary people over just the last two weeks alone.

What’s more, the problem is getting worse. Our research at FFA UK shows that the amount lost to phone scams has tripled over the last year, with at least £24m finding its way into the pockets of criminals.

What your bank will never ask you

In order to beat these slick, professional and highly organised fraudsters, we need people to be fully aware of the things you should never, ever do on the phone, no matter who asks. That’s why an unprecedented Joint Declaration of the UK banks, Building Societies and Card Issuers has been launched which clearly sets out the requests you’ll never get over the phone from them.

There are key things you’ll never be asked to do over the phone, except by a criminal. This includes revealing your four digit PIN, agreeing to transfer money into another account, or handing over your bank cards or cheque book to a courier – even if they claim to be from the bank or the police.

The Joint Declaration, which is available on our website, has been the cornerstone of our campaign and has appeared as part of an advertising push in the national newspapers. I would encourage as many of you as possible to read it, as well as to think about whether you have friends, family members or neighbours who may not yet know about this growing threat.

Hang up if you’re unsure

As well reminding people of telephone ‘no-nos’, we’ve also been urging members of the public to hang up the phone if they aren’t satisfied about the identity of a cold caller. If you’re caught in two minds and can’t figure out if a call is genuine or not, take the person’s name and then call them back on a number you trust – like from the organisation’s official website.

But be careful when you ring back – fraudsters are able to keep the line open for a full two minutes after you put down the phone which means when you pick up the receiver again, you could be talking to the same person or their accomplice. So use another phone, or put the receiver down for five minutes and that way the line will definitely be clear when you come to make a new call.

Stay a step ahead of scammers

We’re often asked: ‘How do these scams work?’. The truth is that there’s no specific scam that criminals always use. In fact they deliberately vary their tactics so that people don’t become wise to their tricks.

So while recently many of the scammers call up their victims pretending to be from the fraud department of a bank and convince them to hand over details, in three, six or 12 months from now, the fraudsters may be trying a completely new ruse. But by reminding yourself of the phone requests which you will never be asked by a legitimate organisation, you’ll always be a step ahead of the fraudster, regardless of the type of scam they deploy.

Which? Conversation provides guest spots to external contributors. This is by Craig Jones, Head of Communications at Financial Fraud Action UK. All opinions expressed here are Craig’s own, not necessarily those of Which?.


Whenever I received calls from the Indian fake Microsoft employees, I pretended to be a novice PC user and deliberately made myself sound like a technophobe and rather stupid. I followed their instructions and read out any generic information from my PC (e.g. standard logs from Event Viewer). Every few minutes, I manually made my mobile phone ring, and asked them to hold while I take the call. I muted the scammer while I did this. I let them hold for 5 or 10 minutes, and whenever they asked whether I was still there, I unmuted them and told them that I was. While they were on hold, I got on with other things so they didn’t waste my own time. When they asked me to go to a remote access provider such as LogMeIn or GoToMyPC with an access code, I put them on hold again (with another fake incoming call on my mobile) and I phoned the support department of the remote access provider. I explained that I’m an experienced IT professional on the receiving end of a scam and I gave them the scammer’s access code so they could block his account; they were very grateful. I then went back to the scammer and told him that his code didn’t work. He then tried another remote access provider and we repeated the whole process again, wasting more of his time and blocking more of his accounts. When I’d had enough, I told them that my internet connection no longer worked and they must have broken it. Eventually they got bored, particularly after I put them on hold for longer and longer, and then they always hung up. One even threatened me with legal action for wasting 90 minutes of his valuable time.

Back to the main subject of this conversation, if I ever receive a call from a fraudster who wants to collect my bank or credit card, I shall similarly appear to cooperate, giving them false responses such as a PIN or any other information they might ask for. I shall then call the police so that they can arrest the fraudster who comes to collect my card. However, as I no longer have a landline, my chances of being targeted are now rather low. If more victims proactively help the police to catch the fraudsters in the act, then the fraudsters will quickly find their tactics to be too high risk to continue.

I have not had any problems, probably because I never give information by phone unless I have made the call.

If I receive a call from a bank or other company that I use, I terminate the call, look up the phone number and call them. If it is a company that I don’t use, they get a lecture about making nuisance calls.

Craig makes a good point about waiting before receiving a call and calling back.

I had a right go at my bank once for calling me and then requiring me to go through their security questions, even though I only had the person’s word for it that they were from my bank. I told them they were incredibly irresponsible, particularly as they were checking on a potentially fraudulent transaction.

I wonder if anyone still does that though? Maybe they’ve learned.

I am likewise very suspicious when my bank or card issuer phones me, unless I’m expecting the call about an ongoing matter. However, I do find that most financial institutions have a means of proving, when challenged, that they are calling from the financial institution. I won’t advertise in public what those methods are, but they were enough to satisfy me.

In some cases, they don’t even need to prove who they are. For example, American Express once phoned me because their systems had identified the same fraudulent transactions on my card and other customers’ cards. I confirmed that they were not genuine transactions and Amex put a stop on my card and reissued it. I didn’t need to give any details during the call, yet Amex were able to achieve the objective of their call.

Gerry says:
10 December 2014

Beware of any calls that claim to alert you of fraudulent transactions, especially if they claim to be from ‘Verified by Visa’, ‘MasterCard Secure Code’ or some other generic organisation rather than a specific bank.

To get you worried, they’ll quote a series of high value transactions in far away towns and ask you to check that you have all your cards. The scammers hope you’ll be so distracted that you’ll overlook that they can’t tell you which card is allegedly involved.

Of course, they’ll ask you to call the number on the back of your card, and they’ll stay on the line.

David Shelstone says:
10 December 2014

As this is such a big problem then the BBA needs to quickly act, and stop banks from cold-calling customers (like the recommendation with links in emails).

If a cold-caller needs to take a customer through security, the bank needs to call the customer and ask them to phone them in 10 minutes on the office number (on the back of the card or statement), or pop into the local branch when convenient.

Once the process is in place every bank needs to write to every customer, and state that they will never ever cold-call and ask for security information.

Once the routine has been established and it is in everyone’s head then these scams will stop working.

I had one supposedly from Barclays bank fraud dept . I’m not with them. But I did call Barclays & ask to be put through to their fraud dept & told them. They didn’t seem too interested. However I have now solved the whole problem & don’t get any cold calls whatever. I invested in a phone that screens all calls. If the number is programmed in, then the call is accepted. If it is not then they must say something & only then will my phone ring. If they decline they don’t get through. If they speak then I can accept or decline the call & block it. Since I bought it not one single call I don’t want.

Gerry says:
11 December 2014

But why should innocent victims have to spend money on buying expensive hardware (special phones) together with higher telephone rental (Calling Line Identification) just to avoid being bombarded with nuisance calls? The problem is getting worse and worse: right now, I’ve just been interrupted by the umpteen hundredth ‘Microsoft Helpdesk’ scammer.

All the regulators (Ofcom, ICO, TPS) are utterly useless, and the telcos are laughing all the way to the bank.

The problem needs enforcement that’s several orders of magnitude greater than the mere pussyfooting we have at present. For example, directors of companies that act on sales leads made by others calling TPS numbers should be JAILED as well as being heavily fined, and Ofcom should instruct all telcos to provide CLI, Anonymous Call Rejection and Choose to Refuse free of charge (it costs them nothing). Similarly, ACR should also include options to block calls where the number is ‘Unavailable’ or made from specified countries (e.g. India), and calls with obviously faked CLIs (e.g. 001 000 000 0000) should not be transmitted across the networks.

There should also be a much simpler and quicker way of reporting nuisance calls made to landlines, e.g. dialling 1-SPAM (17726) after receipt should automatically report the number and add it to the victim’s Choose to Refuse list.

With an election looming there’s never been a better time to campaign, especially as there needs to be no public expenditure (suitably heavy fines would provide all the income required for effective enforcement and blocking).

In the USA, the Do Not Call list works a treat: I had four Home Security calls within an hour on the day my phone went live (obviously Verizon had leaked by details), but after registering with Do Not Call they all stopped. Given the political will, the TPS could be made equally effective.

Yvonne McEwen says:
11 December 2014

I started to collect these numbers at 12:20 pm ( 01158285045 ) by 3:25 pm another ( 0800482433 ) . Today 11th December 14, at 12:10 pm this number came up ( 001622845392 )
followed at 12:27 pm yesterdays number 01158285045 ) . these numbers been coming up months now , I had one ask me about help to clear my store cards, another of recent car accident I never heard of these people insist on making lives a misery .

It is amazing that some people on this forum give actual names: I hope that these are just pseudonyms.
The scammers seem to read all the posts in the public domain and with a little research might soon be able to use this info for identity theft.

To preserve one’s identity be very privacy conscious.

Users of Which? Conversation are recommended to use a pseudonym. Some make the mistake of using the same pseudonym elsewhere.

marty says:
14 December 2014

Because of the growing number of phone scams, I almost gave up my landline.

[This comment has been edited to align with our community guidelines. Thanks, mods]

Gerry says:
14 December 2014

An app won’t work on a landline !

It’s a North American website where there are likely to be more nuisance calls to mobiles because over there it doesn’t cost more than calling a landline. In the UK, most nuisance calls are to landlines: nuisance calls to mobiles are rarer because the callers pays the surcharge, not the recipient.

Norfolk Trading Standards have just released a warning on two new cold-calling scams purporting to come from BT. In the first the caller states that telephone bills have not been paid, or the last direct debit has failed, and they then request immediate payment by credit or debit card. In the second. the caller states that an account is in credit which they are wishing to refund and they then request debit card details in order to process the refund.

IanD says:
1 February 2017

I’ve just spent 30+ minutes on the on the phone to 2 indian gentlemen. It appears that UK banks have been overcharging customers for the last 20-30 years, but the Government has instigated a refund. He asked me to verify my name and address and asked me to confirm my date of birth (I said 31/01/17). He then was able to tell me that in the next few days I would receive a cheque through the post – but he needed me to confirm which bank I would be paying in to. I told him that all he needed to do was put my name as the payee and I would take it along to the bank of my choice when I received it. This was too much information for him to take in so he passed the call over to another who asked how he could help me. He repeated the same story with me continuing to refuse to tell which bank I would pay the cheque into. After a while, de decided that I was not interested in this refund of £2000-3000 and asked me to hang up. However, upon further questioning he continued to talk for a long time – and then asking me to hang up. Eventually, he gave in and hung up for himself

I have had a ‘new’ phone scam today.
I had a phone call which claimed to be from BT. Apparently at least 5 hackers have been able to get into my computer. I was asked to do a netstat command on my computer which shows columns headed ‘Local Address’ and ‘Foreign Address’. Apparently, these are details of nearby and foreign hackers who have access and what the scammers want to do is get in and remove these from the system.
Basically, There was not 1 word of truth spoken by the caller.

billyb says:
14 August 2017

I noticed in the Daily Mail last week you were all for making the Banks pay compensation to people who fall for telephone banking scams. Why should they ? Thats like saying if i have an accident in my car, i should claim compensation from the manufacturer because they didn’t prevent it. Maybe we should all have our calls monitored 24/7 to stop it. Perhaps you should try and inform people more rather than telling people how to operate their smart phones or laptop. !!