- Number of attempted impersonation scams reported to Santander UK by its Corporate & Commercial Banking clients increased during Jan and Feb, with over 50 clients known to have been targeted in these two months in 2024 alone
- ‘Validate all requests made through unsolicited contacts by calling your bank directly’, ‘Check the phone number using the phone number on the back of your bank card’ and ‘Never use a phone number in an SMS message or which has been given to you by a cold caller’ - Santander UK provides tips how to keep your business safe from impersonation scams
- UK based logistics firm Consolid8 was targeted by scammers pretending to be their bank and instructed to ‘act now or lose £18,000’ by the criminals
The bank impersonation scam: Criminals call a business and pretend to be a bank employee, then trick the business’ staff member into giving them remote access to their device, their business’ online banking credentials and into authorising payments into criminals’ bank accounts. The scammers are often highly professional, and their impersonations of legitimate bank staff can be convincing, even to those who speak to their bank regularly.
The numbers: According to UK Finance data, a total of £76.1 million was stolen from people in the UK through impersonation scams in the first six months of last year. The number of attempted impersonation scams reported to Santander UK by its Corporate & Commercial Banking clients increased during January and February 2024 with over 50 clients known to have been targeted in these two months alone.
Chris Ainsley, Head of Fraud Risk Management at Santander UK said: “Impersonation scams are rampant and the criminals perpetrating these crimes can be particularly devious in their approach, using convincing but often aggressive tactics. Unfortunately, both businesses who speak to their bank regularly and those who don’t, can be the targets of this type of attack, so all should remain on high alert to this threat. Don’t trust people who make an unsolicited call to you and say they are from your bank, and make sure you validate any requests from cold callers by hanging up and contacting your bank using the phone number on the back of your bank card or your trusted relationship teams.”
Impersonation scam - how it works:
You receive a call or SMS on your mobile from someone purporting to be from your organisation’s bank, often from its fraud or security department. In some cases, the caller gives you a ‘case ID’ or ‘employee number’ as part of their effort to appear legitimate. The caller advises you that a ‘fraudulent payment’ has been made from your organisation’s bank account. They direct you – either over the phone or by sending you a link - to a fake website impersonating the bank so you can resolve the fraudulent payment issue. The caller either instructs you to install a remote access system onto your device or tells you to click on part of the fake website that, without you realising, installs remote access. Now the caller has access to your device, they instruct you to log into mobile banking and authorise transactions to their account, in order to stop the ‘fraudulent payments’ that they’ve claimed you’ve been a victim of. You then authorise the transactions, but what you are actually doing is authorising payment to the fraudsters’ accounts.
Case study
Russell is the financial director of UK based logistics firm, Consolid8. Over the course of a week, Russell and his team received several calls from a well-spoken and professional sounding person, claiming to be from Santander. The caller said Consolid8 had been a victim of fraud, and it would need to move money from its account to another provided by the bank impersonator as soon as possible, or they’d risk losing the money. Russell said that he’d check with his usual relationship manager as had heard of this type of bait before and was aware of what he needed to do to protect his business.
As the week went on, they tried to call him and several others in his business, each time becoming more aggressive and telling the logistics firm they needed to move the money and ‘act now’ or would lose £18,000. This type of behaviour made Russell’s team feel very uncomfortable. The scammer’s multiple attempts to fluster staff, which began politely at the beginning, and then became more pressured, were the red flag for Russell, who then informed his regular contact at Santander and was assured that this was not the bank calling and that they had been the target of a bank impersonation scam.
Russell noted that the scammer was hard to spot as they had a lot of information about the business and its banking arrangements and knew just what to say. However, as Santander had advised him previously that his bank would never be forceful about moving large sums of money, to not share personal details or act on phone calls, Consolid8 was better prepared and avoided becoming a victim.
You can watch the full story of Consolid8’s experience with scammers here.
How to keep your business safe from impersonation scams
- Don’t share any passwords or security codes with anyone - not even a Santander employee.
- Never share your token code with anyone. These can only be used to authorise log in, account changes or payments, and Santander UK never asks you to use them to authorise a refund or stop a payment leaving your account.
- Don’t allow anyone to remotely access your devices.
- Never use the mobile app to authenticate a transaction you’ve not selected yourself in online banking.
- Never click on a link, download an app, or open an attachment related to your organisation’s mobile or online banking in response to a call or SMS asking you to do so. Santander UK will never ask you to do this.
- Never trust caller ID as contact numbers on phone calls and SMSs can be spoofed. Instead, validate all requests made through unsolicited contacts by calling your bank directly. Check the phone number using the phone number on the back of your bank card. Never use a phone number in an SMS message or which has been given to you by a cold caller.
- Ensure all your organisation’s staff keep up to date with fraud trends and advice.
- For more advice about protecting your business from fraud, please visit our Corporate & Commercial Banking website.
- Ends -
The information contained in our press releases is intended solely for journalists and should not be used by consumers to make financial decisions.
Notes to Editors
Santander UK is a financial services provider in the UK that offers a wide range of personal and commercial financial products and services. At 31 December 2023, the bank had around 19,800 employees and serves around 14 million active customers, 7 million digital customers via a nationwide 444 branch network, telephone, mobile and online banking. Santander UK is subject to the full supervision of the FCA and the PRA in the UK. Santander UK plc customers’ eligible deposits are protected by the FSCS in the UK.
Banco Santander (SAN SM, STD US, BNC LN) is a leading commercial bank, founded in 1857 and headquartered in Spain. It has a meaningful presence in 10 core markets in the Europe, North America and South America regions, and is one of the largest banks in the world by market capitalization. Santander aims to be the best open financial services platform providing services to individuals, SMEs, corporates, financial institutions and governments. The bank’s purpose is to help people and businesses prosper in a simple, personal and fair way. Santander is building a more responsible bank and has made a number of commitments to support this objective, including raising €220 billion in green financing between 2019 and 2030. At the end of 2023, Banco Santander had €1.3 trillion in total funds, 165 million customers, 8,500 branches and over 212,000 employees.