UK’s largest fraud operation takes down ispoof site linked to 200,000 victims

The largest ever UK fraud operation has brought down a phone number spoofing site used by criminals to scam thousands of victims out of millions of pounds.

Members of UK law enforcement were part of a global operation to take down ispoof.cc, a website described by police as an online fraud shop.

They worked with Dutch law enforcement who managed to wiretap website servers in the Netherlands to secretly listen to phone calls.

At one point, up to 20 people per minute were targeted by callers using the site’s purchased technology. The criminals – who discovered the site from ads posted on the channels of the encrypted messaging app Telegram – used the site to buy the technology that allowed them to mask their phone number.

This meant that they could trick victims into thinking they were contacted by their bank and get them to pass on personal details that enabled the scammers to steal money.

One victim alone lost £3m, with an average loss of £10,000 for the 4,785 people who reported to Action Fraud that they had been targeted. There are thought to be many more potential victims.

Of the 10 million fraudulent calls made, 40% were made in the US, 35% in the UK, and the rest were spread across different countries.

Around 70,000 UK phone numbers dialed by criminals who have used the site will be alerted by the Metropolitan Police via SMS on Thursday and Friday and asked to contact law enforcement.

Metropolitan Police Commissioner Sir Mark Rowley acknowledged it was “slightly bizarre” that potential fraud victims are now being contacted about crime via text message, but encouraged people to check the official police website if contacted.

He told BBC Radio 4’s ‘Today’ programme: “There is something slightly bizarre about this which is why we are encouraging people to actually go to the Met Police website and there they will find the shortcuts and links to report this.

“Don’t reply to any messages with some sort of unclear shortcuts and stuff like that. Visiting official websites is the best way to do this. But we want to hear from you because the people we message in the next 24 hours have been victims of fraud or attempted fraud and we can rack up all these crimes against the people we arrested.”

So far 120 arrests have been made in the UK: 103 in London and 17 outside the capital. These include alleged site administrator Teejay Fletcher, who was arrested in east London earlier this month and is facing criminal charges.

Police said Fletcher, who is alleged to be a member of an organized crime group, lived a “lavish” lifestyle. The site is said to have made over £3 million in profits.

Sir Mark said the number of potential victims in the UK was “extraordinary”, adding: “What we are doing here is trying to industrialize our response to organized crime’s industrialization of the problem.”

Ispoof was created in December 2020 and at its peak had 59,000 users, allowing them to pay for criminal software using Bitcoin, with charges ranging from £150 to £5,000 a month.

British police began investigating the site in June 2021, settling on ispoof as the largest crime-based site in the country.

Detective Superintendent Helen Rance, who leads cybercrime for the Met, said: “By eliminating ispoof we have prevented further crime and stopped scammers targeting future victims.

“Our message to criminals who have used this website is that we have your data and are working hard to locate you, no matter where you are.”

Commenting on the Met’s moves to contact defrauded victims, Erfan Shadabi, a cybersecurity expert at data security firm Comforte AG, said: “This is a move in the right direction and bittersweet news for victims, and a cautionary tale for banks and all customers. It is good practice for banks and any organization involved in any type of financial transaction to provide clear notice to customers outlining how important information, such as bank details, will or will not be provided.

“Best would be for any notice of change of bank details to be personally confirmed and supported by an original letter from the relevant banking institution. Furthermore, a client should therefore notify the relevant company immediately if such an email or telephone call that appears fraudulent is received.

“Banking is all about trust, but with a growing attack surface it is nearly impossible to prevent breaches and similar fraudulent activity. The most important thing financial organizations can do is protect customer data and make sure their accounts are not affected, with their privacy protected whenever a breach occurs.”

Reflecting on the Met’s preferred text messaging medium for contacting victims, Javvad Malik, lead security awareness advocate at security awareness training company KnowBe4, said: “It’s good to see police are taking the lead and are actively trying to contact potential victims. However, the irony here is that people who receive text messages claiming to be from the police may very well believe that the message itself is a scam, particularly if it includes a link.

“For this to be effective, the police need to manage the campaign carefully and give clear instructions on what is expected.”
