Santander impersonation text message scam resurfaces

November 2022 update

The below scam alert was originally published in May, but in the last few weeks we've seen a new wave of attacks.

Scammers are again sending text messages impersonating Santander, asking you to click a dodgy link to confirm a new payee or suspicious activity.

We’ve also seen numerous examples of Santander sender-ID spoofing, where scam texts display as being from ‘Santander’. 

If you receive a message purporting to be from Santander, treat it with caution and follow the steps below to ensure you don't fall victim to a scam. 

Fraudsters are posing as Santander in a series of dodgy text messages to trick people into giving away personal details.

Impersonation scams are on the rise, according to the finance industry trade association UK Finance there were more than 30,000 cases in the first half of 2021 with losses totaling £129.4m.

With this type of fraud, the scammer pretends to be from a trusted organisation to gather personal and financial details. 

Watch above as we explain how this particular Santander impersonation scam works and explain how to report phoney text messages and websites.

Sign up to free Which? Scam Alerts for the latest scams news and advice. 

Santander text scam

The scam begins with what appears to be a text message warning from Santander about so-called suspicious activity on your account. In the examples we found, the messages warn about adding a device or payee, a new card or logging in. 

The warning is an attempt to lure you into clicking a URL to notify Santander if it wasn’t you. 

As the video shows, there are big red flags that indicate the texts are dodgy. Namely, random URLs that aren’t Santander’s real website and sender IDs - the sender name that appears on a text - that show as mobile numbers, not ‘Santander’.

For the purposes of this investigation, we clicked on a dodgy URL to find out what happens next - though we always recommend you don't click on links in text messages.

The URL took us to a copycat Santander log-in page. We entered fake details to see what happened next and found this deceptive scam then sent us to the genuine Santander website, which is a very typical tactic to seem legitimate.

As we've seen time and time again, this appears to be a big data harvesting scam.

Santander confirmed the details the scam requested wouldn't be enough for scammers to access your account. Instead, criminals will harvest the data to use in a second scam later down the line. This is what happened when a scammer called up pretending to be my bank and tried to steal £1,000 following an energy company impersonation scam.

Sender ID and number spoofing

Unfortunately, if a text says it's from your bank or any other trusted company, it doesn't always mean it's authentic - we found one example that appeared to be from 'Santander'.

Thankfully, there are safeguards in place to prevent this from happening. Banks can now protect their numbers by signing up to the SMS SenderID Protection Registry. In 2021 we investigated the number of banks that had signed up, as well as the banks making it too easy for impersonation scammers, and found that some bank numbers are still vulnerable to number spoofing.

Santander, however, has been signed up to this registry since last year. But, there will always be instances where spoofing text messages manage to bypass the safeguards. 

The Mobile Ecosystem Forum (MEF) - the organisation that developed the SMS SenderID Protection Registry - told us, 'this could be because not every messaging aggregator is signed up to use the registry or because some fraudsters have exploited specific scenarios to get spoof messages through. 

'There are some handset specific scenarios that may allow a message to appear to have bypassed the safeguards too. Suffice to say we are working with the Mobile Networks to investigate these instances and to potentially put new measures in place.'

How to report a scam

• Texts - forward the message to 7726, a free scam text reporting service provided by phone operators. You can also report suspicious texts that appear to be from Santander to smishing@santander.co.uk. 
• Websites - report it to the National Cyber Security Centre. 
• Emails -  forward phishing emails to report@phishing.gov.uk

Stopping text message scams

When we reported this scam to Santander, it said:

'Treat links within text messages with extreme caution, particularly when they’re asking for personal information. Don’t be fooled into thinking you’re being contacted by your bank, the NHS, or the police, just because the text message crops up in a stream of previous messages from the organisation or based on the Caller ID. Criminals can still unfortunately spoof numbers to deceive people into thinking they’re being contacted by a legitimate organisation. 

If you do share your details and receive a call purporting to be from your bank telling you your account is now compromised and for you to move your money to another account - this is the hallmark of a scam. Hang up immediately and call your bank using the number on the back of your card or by dialling 159.'

Sadly scammers are constantly evolving ways to steal money from unsuspecting consumers. But businesses can do more to ensure their legitimate communication makes it harder for fraudsters. 

Which? is urging banks, delivery companies and other organisations to review the way they use texts to reduce the risk of impersonation by scammers. Our guide for best practice text message communication includes calls on businesses to:

• Protect SMS sender ID; the sender name displayed on the text
• Don't ask for personal information via text and partially hide any personal information necessary to include
• Don't include numbers for customers to call back
• Avoid links and generic URL shorteners

Have you spotted a new scam? Help our scams research by sharing the details with us using our scam sharer tool