Are YOU a victim of Britain’s biggest ever fraud? How iSpoof criminals operate, how to avoid con and what to do if you think you’ve been scammed
Police today dramatically revealed the details of Britain’s biggest ever fraud operation, which saw officers take down a website that criminals have used to scam 200,000 people in the UK out of at least £50million.
The Met will contact around 70,000 Brits in the coming days to tell them they may have fallen victim to iSpoof.cc, while more than 100 suspects have already been arrested.
Scammers paid a subscription to use a programme that let them appear as though they were phoning victims from major banks including Barclays, NatWest and Halifax.
Officers are now working to track down hundreds more suspects both in the UK and across the world, with the FBI, Europol and Eurojust also involved alongside authorities in Ukraine and the Netherlands.
Below we reveal how the website worked, how many people it may have scammed, and what lies next for the victims and the criminals behind it.
Anyone trying to access the iSpoof website is met with a message saying it has been ‘seized’ (pictured)
How did iSpoof criminals operate?
The website allowed users paying between £150 and £5,000 in Bitcoin for subscriptions to disguise their phone number so it appeared they were calling from a trusted source.
This process is known as ‘spoofing’.
Criminals posed as representatives of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.
They then attempted to trick people into handing over money or providing sensitive information such as one time pass codes to bank accounts.
Teejai Fletcher, a British 34-year-old, from east London, is believed to have been involved with the operation. He was arrested last month and is in custody after being charged with fraud.
A total of 59,000 criminals bought accounts since iSpoof was set up in December 2020, making £3.2million for the site’s owners while they scammed vast sums from unsuspecting victims.
The average loss from those who reported being targeted is believed to be £10,000.
TikTok user posts a video with the caption ‘RIP to all you iSpoof users’ earlier this month as dozens were arrested across the UK. There is no suggestion the TikTok user was involved in the scam
How many people were scammed through iSpoof?
At one stage, almost 20 people every minute of the day were being contacted by scammers hiding behind false identities using the site.
In total, 200,000 potential victims in the UK alone are thought to have been targeted, with many more across the world.
The majority of victims (40 per cent) were in the US, followed by Britain (35 per cent). Many people in Australia and other European countries were also targeted.
In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.
Of those, 350,000 calls lasted more than one minute and were made to 200,000 individuals.
Losses reported to Action Fraud as a result of the calls and texts via iSpoof is around £50 million. But because fraud is vastly underreported, the full amount is believed to be much higher.
In a Telegram channel used by administrators and users of iSpoof (pictured), subscribers were told to ‘change the last digit’ when posing as a tele-caller from a bank
How did its creators market the site to criminals?
In a slick video to advertise to would-be criminals on encrypted messaging app Telegram, iSpoof branded itself ‘the number one spoofing service.’
Alongside graphics of people working at computers, it said: ‘iSpoof was made by spoofers, for spoofers.’
Referencing the bank details scammers hoped their marks would type in during their calls, it adds: ‘Pick up the digits the targets type, and see it displayed on your dashboard.’
It continues: ‘Send spoof SMS messages and much more… our state of the art system handles auto-calling with custom hold music and convincing call centre background sound.’
It boasts that the scamming technology works ‘on both Android and ios’ and said would be users can sign up for free and pay monthly in Bitcoin to ‘stay totally anonymous.’
In a Telegram channel used by administrators and users of iSpoof, subscribers were told to ‘change the last digit’ when posing as a tele-caller from a bank.
One message read: ‘Seems some people are very stupid and don’t understand the majority of bank numbers are blocked and cannot be used… if your mind is not creative enough or your skillset does not allow you to perform without a specific number then you should pack your bags and get a job at a grocery store.’
It added: ‘If I find you complaining about caller ID without changing a last digit etc or wasting our time this can be a reason you get barred from our service.’
How did law enforcement take the site down?
After a wave of reports to Action Fraud were linked to iSpoof, the Met’s Cyber Crime Unit began investigating the site in June 2021 under the name of Operation Elaborate.
Investigators infiltrated the website and began gathering information alongside Europol, Eurojust, the Dutch authorities and the FBI.
Police were able to identify suspects by seizing the website server, which contained a treasure trove of information in 70 million rows of data.
Bitcoin records were also traced.
In the UK, more than 100 people have been arrested, the vast majority on suspicion of fraud.
What should I do if I’ve been scammed?
The Met plans to send mass text messages to 70,000 victims today and tomorrow asking them to get in touch to give evidence.
Police also want anyone who believes they may have been scammed by the site to log an official crime report online.
This could pave the way for some money being returned to victims later down the line.
What will happen to the suspects?
Teejai Fletcher, who is believed to have been involved in running iSpoof, has been charged with fraud and will appear in court in two weeks’ time.
Because the pool of 59,000 potential suspects is so large, investigators are focusing first on UK users and those who have spent at least £100 of Bitcoin to use the site.
There have already been dozens of arrests and details of other suspects have been passed onto law enforcement partners in Holland, Australia, France and Ireland.
Detective Superintendent Helen Rance, who leads on cyber crime for the Met, said: ‘Our message to criminals who have used this website is we have your details and are working hard to locate you, regardless of where you are.’
What can I do to avoid becoming a fraud victim?
The Take Five campaign has provided some tips and advice to help spot fraudulent messages –
- A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account.
- Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
- Never automatically click on a link in an unexpected email or text.
- If you’re approached with a request for personal information, do not provide it. Instead, contact the company directly using a known email or phone number.