Fraudsters buying 'trusted' websites for £5 to scam Britons out of millions


Web domains favoured by fraudsters can be bought for as little as £5 with no questions asked, a Telegraph Money investigation has uncovered.

Criminal gangs have bought up websites with similar addresses to those of household names, including banks, parcel firms and fund managers, to steal millions of pounds.

This newspaper was even able to buy a web domain used in a previous scam in which a pensioner lost his late wife’s £30,000 legacy.

It was possible to buy the domain credit-suisseim.co.uk for £5, with no further checks, despite it being flagged as used for fraud by the City watchdog and the vendor describing the website as containing a “restricted phrase”. Credit Suisse is a giant Swiss bank with more than £1.2 trillion of assets.

Web security expert Richard De Vere of the AntiSocial Engineer said the purchases showed the ease with which criminals could access trusted digital shop fronts.

He likened the system to letting burglars wander the streets with crowbars unchallenged and caring only once they made off with a victim’s belongings.

Last year the vendor of credit-suisseim.co.uk, Namecheap, was singled out by the National Cyber Security Centre as the most popular host for phishing scams that impersonated government brands such as HM Revenue & Customs.

Telegraph Money attempted to buy a Royal Mail website from Namecheap, but was blocked from doing so. However, the website ParcelForceRedirect.com was purchased in seconds for £6.57 with no checks even though it contained a major Royal Mail brand. Namecheap had told this newspaper in March that it would restrict the use of “Royal Mail” after an industrial-scale SMS scam made use of its name.

a grab of the web store

Scammers have used similar websites when they have texted potential victims and pretended that they have a parcel they need to claim. They are then asked to enter personal details ultimately used to scam them. The domains are also used to generate legitimate-sounding email addresses.

It was in this way, using emails from credit-suisseim.co.uk, that criminals were able to part one 74-year-old reader from £30,000 left to him by his late wife.

The reader, Richard, who did not want his surname to be used, said he was tricked by the legitimate-looking email address, together with branding and names stolen from the real Credit Suisse website. “There should be control over it,” he said, adding that there were far more checks when new company names were registered.

Sources at the NCSC said the Government relied partly on companies policing their own brands. However, they added that some businesses were better than others at taking fraudulent or imitation websites down.

The most effective course of action would be to fine domain name sellers and hosts that supplied fraudsters, Mr De Vere said. “They are ultimately the enablers to these crimes. In law they’re not doing anything wrong, although ethically they are the cause of these scams because they are the gatekeepers to these domains,” he said. “If they were 100pc efficient, these scams would disappear.”

He said a big weakness was that laws online had yet to catch up with those in the real world.

“If someone goes out to burgle a house and they’ve got screwdrivers and other kit, that’s going equipped. If you’ve got a history of fraud and you go and register barclaysonline.com, why is that not illegal?”

But in the digital world, “until you send that first email and try to scam that first person, you’ve done nothing wrong,” Mr De Vere said.

Senior police sources said that because it often took days to close such sites down, preventing them from being set up in the first place was key to fighting the gangs behind them. They are hampered by the fact that the criminals can operate from anywhere and it often takes victims days, weeks or even months to realise they have been conned.

Most large companies have bought domain names similar to the official ones to protect themselves and their customers. But the raft of new “top-level domains” – suffixes such as .xyz and .london – has made that an expensive and time-consuming operation.

Credit Suisse said it displayed clone fraud warnings on its website. “Where we have been made aware of these incidents, we have offered timely advice to the consumers affected, we have reported the cases to the National Fraud Intelligence Bureau and taken down fraudulent web domains used as part of these scams where possible,” a spokesman said.

At stake is trust in the entire internet, said Mr De Vere. “We are at a point where the number of scams is growing exponentially and they are damaging the internet and the use of the world wide web by legitimate businesses,” he said.

Frauds where victims were persuaded to send money cost Britons £479m last year, up from £456m in 2019. Less than half was refunded.

Namecheap said it “vigorously fights to combat online fraud of all kinds” but had to balance this with “the right to due process for everyone.”

It said Telegraph Money had been able to buy the Credit Suisse domain in part because the account used had been open for seven years and had never been reported in connection with any wrongdoing. However, Namecheap agreed that selling the domain was a mistake and said it would tighten procedures.

A spokesman added: “Since this domain was never registered with us before, our customer service representative mistakenly did not recognise the prior alleged abuse. As a result they did not follow protocol to escalate it to the appropriate department for a final review. This was human error and we have taken steps to ensure the correct procedure is followed in future.”

While it topped the NCSC’s abuse list for 2020, the company insisted it had made progress and its share of abusive website registrations had dropped to 15pc this month. The NCSC declined to comment.

As for its sale of a Parcel Force web address, the spokesman said: “Namecheap is a US-based company and our customer service department was probably not familiar with all brands associated with Royal Mail. However, we are constantly assessing and updating our banned keywords.”

Royal Mail said it worked hard to prevent and detect fraud, taking down 30,000 fraudulent domains in the past year and sharing intelligence with the police. A spokesman added: “This joint intelligence work has resulted in the arrest of eight suspected fraudsters in police raids.”

This newspaper has offered to transfer rogue web addresses to their rightful owners.

The Financial Conduct Authority, the City regulator, has added the Credit Suisse website to its list of clone firms. The list is public, but the FCA lacks the powers to ban websites or make companies act on its information. It declined to comment.
