The bank impersonation scam: Criminals call a business and pretend to be a bank employee, then trick the business’ staff member into giving them remote access to their device, their business’ online banking credentials and into authorising payments into criminals’ bank accounts.
Volume (Santander UK data): The number of attempted impersonation scams reported to Santander UK by its Corporate & Commercial Banking clients increased 100% during September, with over 200 clients known to have been targeted.
Chris Ainsley, Head of Fraud Risk Management at Santander UK said: “Impersonation scams are rampant and the criminals perpetrating these crimes can be particularly devious in their approach. Businesses should remain on high alert to this threat. Don’t trust people who make an unsolicited call to you and say they are from your bank, and make sure you validate any requests from cold callers by hanging up and contacting your bank using the phone number on the back of your bank card.”
Impersonation scam - how it works:
You receive a call or SMS on your mobile from someone purporting to be from your organisation’s bank, often from its fraud or security department. In some cases, the caller gives you a ‘case ID’ or ‘employee number’ as part of their effort to appear legitimate. The caller advises you that a ‘fraudulent payment’ has been made from your organisation’s bank account. They direct you – either over the phone or by sending you a link - to a fake website impersonating the bank so you can resolve the fraudulent payment issue. The caller either instructs you to install a remote access system onto your device or tells you to click on part of the fake website that, without you realising, installs remote access. Now the caller has access to your device they instruct you to log into mobile banking and authorise transactions in order to stop the ‘fraudulent payments’ from leaving your organisation’s bank account. You then authorise the transactions and your organisation’s funds are sent to the criminal’s accounts.
Case study
Adam (not his real name) is a signatory on his organisation’s Santander UK bank account. He received a phone call from a person who said they were “Daniel Robinson from Santander’s lower security department” who went on to give Adam a fake “reference number” and “employee ID”. The caller told Adam that the bank had stopped a large payment being made from his organisation’s Santander UK bank account, which had been traced to the IP address of a device inside a hotel in the Midlands. Adam followed the caller’s instructions to install the remote desktop app, AnyDesk, onto his device. The caller then made payments from Adam’s organisation’s bank account, each of which Adam authorised on his mobile at the instruction of the caller. The caller also asked Adam to authorise an additional text alert which the fraudster told him was “just for future notification”. He suggested Adam call 0333 339 6086 to verify the situation. When the call ended, Adam told his colleague, Anna (not her real name), who was suspicious. Anna called the phone number the fraudster gave Adam, reaching a person who said their name was “Aaron McCaulay”, who advised her that the call to Adam had been genuine and that the bank did ask customers to install AnyDesk on their device. Adam’s organisation was defrauded a five-figure sum by the criminals.
How to keep your business safe from impersonation scams
Don’t share any passwords or security codes with anyone - not even a Santander employee.
Never share your token code with anyone. These can only be used to authorise log in, account changes or payments, and Santander UK never asks you to use them to authorise a refund or stop a payment leaving your account.
Don’t allow anyone to remotely access your devices.
Never use a mobile app to authenticate a transaction you’ve not selected yourself in online banking.
Never click on a link, download an app, or open an attachment related to your organisation’s mobile or online banking in response to a call or SMS asking you to do so. Santander UK will never ask you to do this.
Never trust caller ID as contact numbers on phone calls and SMSs can be spoofed. Instead, validate all requests made through unsolicited contacts by calling your bank directly. Check the phone number using the phone number on the back of your bank card. Never use a phone number in an SMS message or which has been given to you by a cold caller.
Ensure all your organisation’s staff keep up to date with fraud trends and advice.
For more advice about protecting your business from fraud, please visit our Corporate & Commercial Banking website.
- Ends -
The information contained in our press releases is intended solely for journalists and should not be used by consumers to make financial decisions.
Santander UK is a financial services provider in the UK that offers a wide range of personal and commercial financial products and services. At 30 June 2023, the bank had around 19,400 employees and serves around 14 million active customers, 7 million digital customers via a nationwide 445 branch network, telephone, mobile and online banking. Santander UK is subject to the full supervision of the FCA and the PRA in the UK. Santander UK plc customers’ eligible deposits are protected by the FSCS in the UK.
Banco Santander (SAN SM, STD US, BNC LN) is a leading commercial bank, founded in 1857 and headquartered in Spain. It has a meaningful presence in 10 core markets in the Europe, North America and South America regions, and is one of the largest banks in the world by market capitalization. Santander aims to be the best open financial services platform providing services to individuals, SMEs, corporates, financial institutions and governments. The bank’s purpose is to help people and businesses prosper in a simple, personal and fair way. Santander is building a more responsible bank and has made a number of commitments to support this objective, including raising €220 billion in green financing between 2019 and 2030. In the first half of 2023, Banco Santander had €1.25 trillion in total funds, 164 million customers, 9,000 branches and 212,000 employees.
Media Enquiries
Lara Lipsey M: 07713 560 209 E: Lara.Lipsey@santander.co.uk
mediarelations@santander.co.uk