Response to “industrialised” fraud is the largest anti-fraud operation ever in UK
International law enforcements agencies from Europe*, Australia, the US and Canada have shut down the iSpoof website whose software enabled fraudsters to disguise the number they were calling from. A notice on the now defunct website says it has been taken down by the FBI. Eurojust and Europol were also involved, with the UK’s Metropolitan Police coordinating activities.
Fraudsters operated by buying details of banking customers’ transactions from the dark web and disguising the number they were calling from so that people believed the calls were from their banks. The criminals typically said the victims’ bank accounts had been hacked then tricked them into disclosing their PIN and emptied their bank accounts.
Often victims were asked to enter a “one-time code” or password for their account on their phone, which the iSpoof server intercepted and passed to the fraudsters. This so-called two-factor authentication is seen by consumers and promoted by many organisation as being secure and foolproof.
The average theft is thought to be about £10,000 in the UK, although some lost far more, with one victim known to have lost £3 million.
Banks cited by the fraudsters in the UK included big high-street brands – Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, NatWest, Nationwide and TSB.
The master criminal
Teejai Fletcher, a 34 year old who lives in posh flat in the Docklands in East London has been arrested on suspicion of setting up iSpoof which was launched in December 2020 and at its peak had almost 60,000 criminals using its subscription-based products.
It is believed that the server hosting the software was originally based in the Netherlands but moved to Ukraine.
Fletcher is charged with making or supplying articles for use in fraud, participating in activities of an organised crime group and proceeds of crime offences. He will appear at Southwark Crown Court in South London on 6 December. It is thought the website made £3.7 million in 16 months and that victims around the world have lost more than £100 million.
The police have arrested 120 suspected phone scammers around the UK – 103 of them were based in London. Arrests have also been made in Australia, France, Ireland and the Netherlands and the US.
The spoofing website was openly advertised on Telegram “made by spoofers for spoofers” and criminals paid from £150 to £5,000 a month in Bitcoins to access the software tools.
In the year up to August 2022 around 10 million fraudulent calls were made globally via iSpoof; about 3.5 million in the UK.
Appealing for victims to come forward
London’s police force, the Metropolitan Police, intends to text 70,000 people in the UK whose phone numbers were used by iSpoof scammers, asking them to come forward and provide evidence. The police think there could be up to 200,000 UK victims.
Sir Mark Rowley, Head of the Met, said this heralded a new era of policing cybercrime: “This operation is about getting to those who create that industrialisation of fraud, who sell the tools that enable your average criminals to become fraudsters and create tens of thousands of victims.”
He added: “We are trying to industrialise our response to the organised criminals’ industrialisation of the problem.”
Arrests are expected to continue across the globe.
The big breakthrough was when the Metropolitan Police found that their counterparts in the Netherlands had hacked iSpoof and were recording calls made through it.
*Police forces from France, Germany, Ireland, Lithuania, the Netherlands, Ukraine and the UK were involved in the investigation.