| 7.5°C Dublin

How criminals used the iSpoof website to scam unsuspecting people out of millions


Stock image

Stock image

Stock image

The website iSpoof allowed criminal users, who paid for the service in Bitcoin, to disguise their phone number so it appeared they were calling from a trusted source.

This process is known as ‘spoofing’.

The London Metropolitan Police described the crime site as a ‘one stop spoofing shop’ and say it has been the UK’s biggest ever fraud operation.

One way in which criminals used the site was to send messages to people via text or email pretending to be from their bank, and that message will contain a link, which if activated will allow the criminal access to their bank account to see what recent transactions have taken place.

However, they need a code generated by the bank in order to set themselves up as a payee on the account.

To get this they ring the account holder pretending to be their bank, and tell them they suspect there has been fraudulent activity on their account.

They tell the account holder what their most recent transactions were, but then add some fake transactions to make the account holder believe that there has been a fraud on their account.

The startled account holder is told that the bank will send them a one-time code to rectify the situation, and the account holder is asked to read it back to the caller to ‘verify’ it.

Meanwhile, the fraudster, who has already requested to be set up as a payee on the account they are now accessing fraudulently, sends a message to the bank pretending to be the account holder seeking the code to add a payee to their account.

The bank sends that code to the account holder’s phone and then the account holder reads it back to the fraudster who thinks they are talking to the bank employee.

The fraudster then uses the code to set themselves up as a payee on the account and transfers funds to themselves from the account.

Daily Digest Newsletter

Get ahead of the day with the morning headlines at 7.30am and Fionnán Sheahan's exclusive take on the day's news every afternoon, with our free daily newsletter.

This field is required

The sophisticated scam relies on the account holder believing they are talking to their bank, and the bank’s computers believing that they are being contacted by their customer. But neither is aware that a criminal has set themselves up in between them.

The scammers hiding behind false identities using the site targeted almost 20 people every minute of the day in the UK alone, posing as representatives of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.

The average loss from those who reported being targeted in the UK is believed to be £10,000.

The Metropolitan Police said the exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century, and together with the support of partners across UK policing and internationally, it is reinventing the way fraud is investigated, and targeting the criminals at the centre of these illicit webs that cause misery for thousands.

The Met’s Cyber and Economic Crime Units co-coordinated the operation with Europol, Eurojust, the Dutch authorities and the FBI.

The Met’s Cyber Crime Unit began investigating iSpoof in June 2021 under the name of Operation Elaborate. Investigators infiltrated the site and began gathering information alongside international partners.

The website server contained information in 70 million rows of data. Bitcoin records were also traced.

A wave of UK arrests followed with details of other suspects passed onto law enforcement partners in Holland, Australia, France and Ireland.

Earlier this month the suspected organiser of the website was arrested in East London. He has been charged with a range of offences and remanded in custody.

Here, gardai investigating fraud have advised that people should be very wary of unsolicited messages from their banks which can arrive by SMS or email, and they should not click on links in such messages.

They advise that people use their own banking app to check transactions, and not the information of a caller alone.

They also advise that if a person gets a call purporting to be from their bank they should hang up and ring their bank themselves on a number they have looked-up independently and then seek to verify if everything is ok with their account.

Most Watched