Thousands defrauded in £48m hoax which let scammers impersonate high street banks

Hundreds of thousands of Britons have been defrauded in a multi-million-pound scam via a website that allowed criminals to pose as high street bank representatives.

International scam website iSpoof was taken down in the UK’s biggest-ever fraud operation by the Metropolitan Police, codenamed Operation Elaborate. More than £48 million was taken from victims as a result of the platform, the force said.

More than 200,000 potential victims in the UK alone have been directly targeted through the website, which allowed scammers to pose as high street banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.

At one stage officers found that almost 20 people a minute were being contacted by scammers hiding behind false identities using the site which launched in December 2020.

The biggest loss to a single victim was more than £3 million while every victim lost £10,000 on average.

Have you potentially been scammed through iSpoof? If so, contact thomas.kingsley@independent.co.uk

The platform enabled criminals to appear as if they were calling from banks, tax offices and other official bodies as they attempted to defraud victims. They would then attempt to trick people into handing over money or providing sensitive information such as one-time bank passcodes.

iSpoof allowed users, who paid for the service in Bitcoin, to disguise their phone number so it appeared they were calling from a trusted source. This process is known as “spoofing.”

Some criminals paid up to £5,000 a month for the subscription service, with free trial offers for new members.

The Met said the platform was well advertised through Telegram channels drawing in over 59,000 user accounts.

In the 12 months to August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK. Of those, 350,000 calls lasted more than one minute and were made to 200,000 individuals.

The alleged site administrator Teejay Fletcher, 35, was arrested in east London on 7 November and is facing criminal charges. Fletcher, who is alleged to be a member of an organised crime group and was remanded into custody, was living a “lavish” lifestyle, police said.

More than 100 people have now been arrested in the UK on suspicion of fraud in connection to the investigation, with the majority of them based in London.

Scotland Yard’s cybercrime unit worked with international law enforcement, including the FBI in the US and authorities in Ukraine, to dismantle the website this week.

Working also with Cyber Defence Alliance, the Metropolitan Police was able to detect iSpoof’s colossal activity and track hundreds of suspects.

Investigators infiltrated the site and began gathering information alongside international partners through wire taps allowing detectives to hear conversations where criminals tricked vulnerable people.

Detective superintendent Helen Rance, who leads on cyber crime for the Met, said: “By taking down iSpoof we have prevented further offences and stopped fraudsters targeting future victims.

“Our message to criminals who have used this website is we have your details and are working hard to locate you, regardless of where you are.”

Commissioner Sir Mark Rowley said: “The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century.

“Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands.

“By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

The Met’s cyber and economic crime units also co-coordinated the operation with Europol, Eurojust and Dutch authorities.

The website server contained a treasure trove of information in 70 million rows of data. Bitcoin records were also traced.

Because the pool of 59,000 potential suspects worldwide is so large, investigators are focusing first on UK users and those who have spent at least £100 of Bitcoin to use the site.

A wave of UK arrests followed with details of other suspects passed onto law enforcement partners in Holland, Australia, France and Ireland.

There are more than 70,000 numbers that have been contacted via iSpoof that the Met has linked to an identified suspect.-

Eurojust president Mr Ladislav Hamran said: “As cybercrime knows no borders, effective judicial cooperation across jurisdictions is key in bringing its perpetrators to court. Eurojust supports national authorities in their efforts to protect citizens against online and offline threats, and to help see that justice gets done.”

Europol executive director Ms Catherine De Bolle said: “The arrests send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located.”

Commander Nik Adams, from the City of London Police, said: “As national lead force for fraud, we have coordinated activity across the country with other police forces and Regional Organised Crime Units (ROCUs) to provide a co-ordinated response to support the Metropolitan Police Service with their action and help make this operation a success.

“Collaborative and proactive operations like this to tackle fraud are vitally important in clamping down on criminals and preventing innocent members of the public from being targeted for their hard-earned money.”

Fletcher was remanded in custody and is next due to appear at Southwark Crown Court on 6 December.

The Met, which has worked closely with the Cyber Defence Alliance and UK Finance, is asking anyone who believes they were contacted as part of a scam where a number was spoofed to report this online via Action Fraud.