The UK’s biggest ever anti-fraud operation has brought down a phone number spoofing site used by criminals to scam thousands of victims out of money.
Around 70,000 potential fraud victims are set to receive a text today or tomorrow from the Metropolitan Police and will be asked to get in touch with the force.
The average loss among those who have reported being targeted to date is £10,000, with one victim losing £3million.
Here, i takes a look at how a global operation brought down the website iSpoof.cc and how potential victims can find out if they have been targeted.
Described by police as an ‘international one stop spoofing shop’, iSpoof.cc enabled fraudsters to appear as if they were calling from banks, tax offices and other official bodies in order to trick victims.
The website allowed users, who paid in Bitcoin, to disguise their phone number so it appeared they were calling from a trusted source, in a process known as ‘spoofing’.
Criminals using the websites posed as representatives of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.
iSpoof was created in December 2020 and at its peak had 59,000 users, with charges ranging from £150 to £5,000 per month.
The people behind the site earned almost £3.2million in one 20 month police, according to the Metropolitan Police.
How many victims were targeted?
In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.
Of these calls, more than 350,000 lasted more than one minute. These calls were made to 200,000 individuals, leading the police to believe there are more than 200,000 potential victims in the UK alone.
To date 4,785 people have reported being targeted to Action Fraud, the UK’s national reporting centre for fraud and cyber crime. The average loss among these people is £10,000, while one person lost £3 million.
There are likely many more victims across the world: 40% of calls were made in the United States, 35% in the UK and the rest were made across a number of countries.
How do I know if I have been targeted?
Around 70,000 UK numbers have currently been identified by the Met that have been linked to an identified suspect in the iSpoof sting.
These numbers will receive a text from the police on Thursday or Friday and will be asked to contact the force.
Those who are contacted will be encouraged to report any incident on the official Met website, and should not respond to any texts.
Speaking on BBC Radio 4’s Today Programme, Metropolitan Police Commissioner Sir Mark Rowley acknowledged it is “slightly bizarre” that potential fraud victims will be contacted via text.
He said: “So don’t respond to any texts with sort of dodgy shortcuts and things. Come through official websites is the best way of doing this.
“But we want to hear from you because the people we message in the next 24 hours have been victims of fraud or attempted fraud and we can stack all these offences against the people we’ve been arresting.”
Anyone who believes they were contacted as part of a scam where a number was spoofed can report this online via Action Fraud.
How did police bring down the site?
The Met’s Cyber Crime Unit began investigating iSpoof in June 2021 under the name of Operation Elaborate.
Scotland Yard co-coordinated the operation with Europol, Eurojust, the Dutch authorities and the FBI.
Investigators were able to infiltrate the site and began collecting information and tracing Bitcoin records. The Met said the website’s server contained a “treasure trove of information” in 70 millions rows of information.
The investigation has found 59,000 potential suspects, with investigators focussing first on UK users and those who have spent at least £100 of Bitcoin to use the site.
Sir Mark said: “Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery for thousands.
“By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable victims.”
Have any arrests been made?
In the UK, more than 100 people have been arrested, the vast majority on suspicion of fraud. Details of other suspects have been passed onto police in Holland, Australia, France and Ireland.
Of the 120 arrests made in the UK, 103 were in London. These include alleged site administrator Teejay Fletcher, 35, who was arrested in east London earlier this month and is facing criminal charges.