Image source, Metropolitan Police
Image caption, Police raid a property in connection with suspected fraudsters
By Tom Symonds
Home affairs correspondent, BBC News
Detectives have begun contacting 70,000 people suspected of being victims of a sophisticated banking scam.
The Metropolitan Police is sending text messages to mobile phone users it believes spoke with fraudsters pretending to be their bank.
Met Commissioner Sir Mark Rowley described an “enormous endeavour” in gathering evidence after the discovery of an online fraud network.
There have been more than 100 arrests so far, and one man has been charged.
People who receive a text message in the next 24 hours will be directed to the Action Fraud website to register their details as officers build cases against suspects.
Sir Mark told BBC Radio 4’s Today programme the Met was contacting mobile numbers that were connected to the fraudsters for longer than a minute, suggesting a fraud or attempted fraud had taken place.
The scam involved fraudsters calling people at random, pretending to be a bank and warning of suspicious activity on their account.
They would pose as employees of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, NatWest, Nationwide and TSB.
The fraudsters would then encourage people to disclose security information and, through technology, they may have accessed features such as one-time passcodes to clear accounts of funds.
As many as 200,000 people in the UK may have been victims of the scam, police said, with victims losing thousands of pounds, and in one case £3m.
The 70,000 people being contacted are connected to calls made by individuals known to police, Sir Mark said, and their evidence could be used to prosecute cases.
Genuine messages from police will be sent on Thursday or Friday, detectives said. They said the messages would direct victims to the Metropolitan Police website which would ask people to register with Action Fraud. Any other texts should be regarded as fraudulent themselves.
The mammoth cyber fraud operation began when police in the Netherlands bugged a website that allowed fraudsters to make anonymous phone calls from spoof numbers, posing as bank employees.
The iSpoof website, which has since been taken down by the FBI, crucially allowed scammers to access one-time passcodes and passwords, detectives said.
One-time codes, often delivered through text messages, have become a standard security measure for most online banks in recent years.
Det Supt Helen Rance, from the Met’s Cyber Crime unit, said victims would not have known the phone call was coming from iSpoof.
“The person on the other end of the line can be very convincing,” she said.
“This is an absolutely devastating crime for so many people. They must be worried, I really feel for them,” she said.
Fraudsters paid between £150 and £5,000 a month in bitcoin to use the iSpoof service, contacting, at times, 20 people a minute, primarily in the USA, UK, Netherlands, Australia, France and Ireland.
So far, police believe £48m may have been stolen by criminals using iSpoof. This figure is likely to rise. Those behind the service are allegedly earning £3.2m and living “lavish” lifestyles.
A notice on the website says that it has been taken down by the FBI.
Det Supt Rance said the investigation remained active.
Image source, Metropolitan Police
Image caption, The iSpoof website was taken down by the FBI following the Met investigation
Police believe 59,000 potential suspects may have used the iSpoof service, but are prioritising those in the UK who have spent at least 100 Bitcoin to get access, believing they were anonymous.
Early in November they raided an address in east London and arrested a man alleged to be behind iSpoof.
In other raids, 120 people thought to have used the service for fraud have been taken into custody.
Det Supt Rance warned other criminal “enablers” will have taken over to provide services to fraudsters.
“Undoubtedly they will go to another website,” she said.
A 34-year-old man, Teejai Fletcher, has been charged with making or supplying articles for use in fraud and participating in the activities of an organised crime group.
He will appear at Southwark Crown Court on 6 December.
What to do if you become a scam victim
Call your bank directly, checking its website for the correct number to ring. If the fraud involved any of your personal information, consider signing up for a Protective Registration with fraud prevention organisation Cifas, which costs £25 for two years.
Change your passwords for any accounts that have been compromised due to fraud – and any that use the same password. Set up two-factor authentication wherever possible to provide another layer of protection.
Being scammed can take a huge toll on mental health. Mind and Victim Support have confidential helplines that provide support to consumers who have been hit.
Do you believe you’ve been scammed by fake callers? Have you received a notification of fraud from the police? Share your experiences by emailing [email protected].
Please include a contact number if you are willing to speak to a BBC journalist. You can also get in touch in the following ways:
If you are reading this page and can’t see the form you will need to visit the mobile version of the BBC website to submit your question or comment or you can email us at [email protected]. Please include your name, age and location with any submission.