Beware the scammers imitating bank websites

Thousands of lookalike websites are being set up to trick innocent customers.

We're often asked to go onto our bank's website, whether to pay a bill or update our details. But we could be going to a website controlled by a crook.

We've found that more than 2,000 websites that appear to imitate UK banks were reported in 2023 alone.

These copycat websites play a crucial role in impersonation scams. Fraudsters use details, such as account numbers, collected from unsuspecting bank customers to later con those same people into sending them money, often by posing as bank staff.

Although banks attempt to get lookalike websites taken down, the sheer number being registered, combined with the sometimes inadequate response from the firms that register domains, means the sites stay up long enough to find victims.

Here we reveal the scale of the copycat bank websites, how to spot one, and what needs to be done to stop them appearing in the first place. 


Thousands of suspicious websites reported

To understand the scale of the problem of copycat bank websites, we teamed up with the DNS Research Federation (DNSRF), an Oxford-based non-profit that does data-driven policy research on domain names and internet governance.

We decided to consult industry blocklists. These are lists of websites that have been reported as hosting illegal content. If you attempt to view blocklisted sites you’ll typically see a stern warning on your browser not to proceed as the site is phishing or contains malware (software that can damage or steal data).

We provided DNSRF with a list of the major UK banking brands, and it scoured a specialist phishing blocklist for sites reported in 2023 that had the names of those brands somewhere in their web address (the URL) – ‘helphsbc.net’, to take one copycat example.

We asked about AIB (Allied Irish Banks), Barclays, Bank of Scotland, The Co-Operative Bank, Danske Bank, First Direct, HSBC, Halifax, Lloyds, Metro Bank, Monzo, Nationwide, NatWest, RBS, Santander, Starling, TSB, Ulster Bank and Virgin Money/Clydesdale.

The DNSRF found that more than 2,000 URLs containing our specified UK bank brands were reported to a phishing blocklist in 2023. The affected banks were Barclays, HSBC, Halifax, Lloyds, Monzo, Nationwide, NatWest, Santander and Starling.

And the majority of sites in the raw data look like blatant attempts to lead bank customers astray – mysantander-suspend-login.com and lloydsbanklnggroup.com, for example.

DNSRF also examined another blocklist, run by Scamadviser.com, from 2023. In this case, it extracted data on URLs containing our specified bank brand names which had a ‘trustscore’ of less than 50 out of 100. 

On ScamAdviser’s blocklist too we found more than 2,000 URLs containing the names of our specified brands. Copycats mimicked the same brands as in the phishing blocklist, with the addition of Clydesdale.

Here too, the raw data made it clear that many aimed to dupe customers, with names such as www.natwest.com, santander-payee.added.com, barclaysbnk.biz and secureportal-hsbcnet.com. Across both blocklists, the words Santander and Barclays appeared the most.

[Image: a scam site impersonating Halifax asking for your login details]

The drawbacks of our data

The data is inexact and experimental. For instance, we excluded TSB from all the results, as this proved to be a common string of letters that generated many false positives – mattsbong.com, for example – seemingly unrelated to banking scams.
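To make the brand-matching approach and its TSB problem concrete, here is an added example (not part of the article, and not the DNSRF's or Scamadviser's code) that screens a constructed list of reported URLs for the article's bank brand names. It reproduces the plain substring search described above and, as an addition the article does not describe, applies a letter-boundary rule to short brand strings such as ‘tsb’ so that ‘mattsbong.com’ is no longer flagged. The allowlist of the banks' own domains is an assumption; in practice the bank would supply it.

```python
"""Screen reported URLs for UK bank brand strings in the hostname.

Added example, not from the original article or the DNSRF analysis. The
sample URLs and the allowlist below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Brand strings to look for (the article's affected brands, lower-cased).
BRANDS = ["barclays", "hsbc", "halifax", "lloyds", "monzo", "nationwide",
          "natwest", "santander", "starling", "tsb"]

# Assumed allowlist of the brands' own registered domains (constructed; a
# real deployment would take this from the bank).
KNOWN_GOOD = {"natwest.com", "barclays.co.uk", "tsb.co.uk"}

# Constructed sample of reported URLs: the article's copycat examples mixed
# with a genuine hostname and an unrelated one that happens to contain 'tsb'.
SAMPLE_URLS = [
    "https://helphsbc.net/login",
    "http://mysantander-suspend-login.com/",
    "lloydsbanklnggroup.com",
    "https://santander-payee.added.com/verify",
    "barclaysbnk.biz",
    "https://secureportal-hsbcnet.com/",
    "https://www.natwest.com/",
    "https://mattsbong.com/",          # contains 'tsb' by coincidence
    "https://tsb-secure-login.top/",   # 'tsb' as a separate token (constructed)
]


def hostname(url: str) -> str:
    """Return the lower-cased hostname, tolerating URLs with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def brand_hits(host: str, brands=BRANDS, short=4) -> list[str]:
    """Brands found in the hostname.

    Brand strings of `short` or more characters are matched as plain
    substrings, as in the article. Shorter ones (e.g. 'tsb') only count when
    not glued to other letters, so 'tsb-secure' hits and 'mattsbong' does not.
    The boundary rule is an addition, not the article's method.
    """
    hits = []
    for b in brands:
        if len(b) >= short:
            if b in host:
                hits.append(b)
        elif re.search(rf"(?<![a-z]){re.escape(b)}(?![a-z])", host):
            hits.append(b)
    return hits


def is_known_good(host: str, known_good=KNOWN_GOOD) -> bool:
    """True if the host is an allowlisted domain or a subdomain of one."""
    return any(host == g or host.endswith("." + g) for g in known_good)


def screen(urls, known_good=KNOWN_GOOD):
    """Classify each URL as 'known_good', 'suspicious' (brand hit) or 'no_brand'."""
    results = []
    for u in urls:
        host = hostname(u)
        hits = brand_hits(host)
        if is_known_good(host, known_good):
            verdict = "known_good"
        elif hits:
            verdict = "suspicious"
        else:
            verdict = "no_brand"
        results.append((host, hits, verdict))
    return results


def brand_counts(results) -> Counter:
    """How often each brand appears among suspicious hostnames."""
    counts = Counter()
    for _, hits, verdict in results:
        if verdict == "suspicious":
            counts.update(hits)
    return counts


if __name__ == "__main__":
    res = screen(SAMPLE_URLS)
    for host, hits, verdict in res:
        print(f"{verdict:11} {host:35} {','.join(hits)}")
    print(brand_counts(res))
```

Run as-is to see the verdict for each sample hostname and the per-brand tally. Note that a brand hit on its own is only a signal for closer monitoring, not proof of fraud, which is why the allowlist and a later look at the live site are still needed.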

Moreover, it’s impossible for us to view and check the sites were genuinely fraudulent, as they’ve already been taken down by the web hosting companies or scammers themselves.

However, it’s also possible we’ve missed many copycat websites because they’re not on blocklists. Some sites may only be active for days or even hours before their content is wiped and the site abandoned. 

Under-reporting of fraud is an enormous issue worldwide, with the Global Anti Scams Alliance (GASA) State of Scams Report 2023 finding that 59% of victims didn’t report their scam experience to the police or authorities. 

It’s also unclear whether all web hosting companies are equally diligent at reporting sites to the relevant blocklists after being told about the sites by web users.

A weak link in the fight against fraud

You might wonder why it is that anybody can register a domain that looks like a blatant attempt at impersonating a bank.

In the early days of the internet, domains were being registered at such high volumes that it was felt to be impossible to conduct detailed checks on those buying them. Therefore the domains industry operated – and continues to operate – on a first-come-first-served basis.

However, the volume of domains being sold has dropped significantly since that time, and it’s arguable that greater checks could be put in place today. 

To set up a copycat website, fraudsters need to use a domain registrar. To take one down, you need to contact a web hosting company. Many companies do both – and yet, at the time of writing, this industry continues to self-regulate.  

The UK government is currently consulting on new powers to seize domains being used for criminal purposes.

One of the barriers to change has been the enormous complexity of the industry, which involves a plethora of domain registrars, resellers and hosting companies from the very large – such as GoDaddy – to the very small and obscure, many based outside the UK. 

We’ve seen examples of good practice, with scam sites swiftly taken down by hosting companies, and at the other end of the spectrum a total failure to respond to our reports.

Another issue is the lack of attention the industry receives. DNSRF founder Emily Taylor told us the web environment ‘is not sexy or trendy and so it gets forgotten’. 

Ultimately, she says, this means ordinary web users have been forgotten: ‘It’s an industry where consumers’ voices aren’t strong, even though it’s consumers who are badly hurt by rogue sites.’

The role of banks

We approached Santander plus the ‘big four’ UK banking groups – Barclays, Lloyds, HSBC and NatWest – to ask them how they approach the problem of copycat websites. 

All five responded, confirming they employ tools to monitor for sites maliciously impersonating their brands, and issue takedown requests when they find evidence of such sites.

NatWest Group was particularly candid, explaining that it employs Netcraft, a specialist takedown provider, as well as working directly with internet service providers (ISPs) TalkTalk and BT Group because they are both willing to block fraudulent domains on their networks.

The bank explained that, in most cases, it can’t act purely on the basis of a domain registration containing its brand name, as it may have a legitimate purpose. But the bank will carefully monitor such sites and act to remove them as soon as they go live if they show signs of malicious intent. 

NatWest told us it goes further by driving the takedown of scam crypto and investment sites targeting people in the UK, therefore protecting all internet users and not just its own customers. It told us this amounts to about 15,000 sites taken down per month, but this has reached 37,000 at its peak.

Lloyds Bank fraud prevention director Liz Ziegler hinted at her frustration with the domains industry, telling us the process of detecting malicious sites ‘is complex, and the options available to us can be limited. This is why it is vital that tech firms do more to crack down on the criminals using their platforms to impersonate trusted brands.’

Santander cautioned that ‘in many cases these scams start with an SMS phishing text providing a fake link for customers to follow. We’re working with telecoms companies to prevent these at source and would urge customers to never click on links in a text or email purporting to be from their bank or another trusted organisation.’

Barclays warned that customers should 'never disclose their debit card PIN, full telephone banking passcode, full online banking membership number or login details to anyone.'

Don't get caught out

To protect yourself when banking online, follow these tips:

  1. Use trusted details: It’s always safest to avoid clicking on links or calling numbers contained in emails, texts and instant messages. Instead, try to go direct by finding the authentic phone number and website on your bank card or statement. Contact your bank to query any unusual requests.
  2. Don’t ignore warnings: Pay attention to warning screens on your browser. Antivirus software can also warn you about suspicious websites and scan downloads.
  3. Check a site’s birthday: You can use a domain lookup service such as Who.is to see when a site has been registered. A major bank wouldn’t have a website registered last month. These services will also show you an ‘abuse’ email address for reporting the rogue site to its hosting company. Scam sites can also be reported to the National Cyber Security Centre.
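The third tip can be automated. The following added example (not from the article, and not code from Who.is or any lookup service) parses a WHOIS-style record for the registration date and the abuse contact, then reports how old the domain is. The record is constructed; the field names ‘Creation Date’ (common in gTLD records) and ‘Registered on’ (used for .uk domains) are real conventions, but the domain, registrar and email addresses are placeholders.

```python
"""Read a domain's registration date and abuse contact from a WHOIS record.

Added example, not part of the original article. SAMPLE_WHOIS is a
constructed record; no network lookup is performed.
"""
import re
from datetime import date, datetime

# Constructed record in the shape a WHOIS lookup returns (placeholder values).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK-LOGIN.NET
Registrar: Example Registrar Ltd
Creation Date: 2024-05-20T09:14:02Z
Registrar Abuse Contact Email: abuse@registrar.example
Name Server: NS1.HOST.EXAMPLE
"""

# Field names that carry the registration date in common record formats.
DATE_KEYS = ("creation date", "registered on", "created")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def creation_date(fields: dict):
    """Registration date as a date, or None if no recognised field is present.

    Accepts ISO-style '2024-05-20...' and the '20-May-2024' form used by .uk.
    """
    for key in DATE_KEYS:
        value = fields.get(key)
        if not value:
            continue
        m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value)
        if m:
            return date(int(m[1]), int(m[2]), int(m[3]))
        m = re.match(r"\d{2}-[A-Za-z]{3}-\d{4}", value)
        if m:
            return datetime.strptime(m[0], "%d-%b-%Y").date()
    return None


def abuse_contact(fields: dict):
    """The abuse email address, if the record carries one."""
    for key, value in fields.items():
        if "abuse" in key and "email" in key:
            return value
    return None


def assess(text: str, today: date, min_age_days: int = 365) -> dict:
    """Summarise a record: age in days and whether it is suspiciously new.

    `today` is passed in rather than read from the clock so results are
    reproducible; `min_age_days` is an assumed threshold for this example.
    """
    fields = parse_whois(text)
    created = creation_date(fields)
    age = (today - created).days if created else None
    if age is None:
        verdict = "unknown"
    elif age < min_age_days:
        verdict = "recently registered"
    else:
        verdict = "established"
    return {"created": created, "age_days": age, "verdict": verdict,
            "abuse_contact": abuse_contact(fields)}


if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS, date(2024, 6, 1)))
```

A bank whose record shows a registration date a few weeks ago is a strong warning sign, as the tip above says; the abuse contact gives you the address for reporting the site to its registrar or host.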

If you've been a victim of fraud, report it to Action Fraud (or call the police on 101 in Scotland).