Police today dramatically revealed details of Britain’s biggest ever fraud operation, in which officers brought down a website that criminals had used to scam 200,000 people in the UK out of at least £50m. sterling.
The Met will contact around 70,000 Britons in the coming days to tell them they may have been victims of iSpoof.cc, while more than 100 suspects have already been arrested.
The scammers paid a subscription to use a program that allowed them to appear as if they were calling victims at major banks, including Barclays, NatWest and Halifax.
Officers are now working to track down hundreds more suspects both in the UK and around the world, with the FBI, Europol and Eurojust also involved along with authorities in the Ukraine and the Netherlands.
Below we reveal how the website worked, how many people it may have scammed, and what’s next for the victims and criminals behind it.
Anyone trying to access the iSpoof website is met with a message saying it has been “seized” (pictured)
How did iSpoof criminals operate?
The website allowed users to pay between £150 and £5,000 in Bitcoin for subscriptions to hide their phone number to make it appear as if they were calling from a trusted source.
This process is known as ‘spoofing’.
The criminals posed as representatives of banks such as Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide and TSB.
They then tried to trick people into handing over money or providing sensitive information, such as unique access codes to bank accounts.
Teejai Fletcher, a 34-year-old Briton from east London, is believed to have been involved in the operation. He was arrested last month and is in custody after being charged with fraud.
A total of 59,000 criminals have bought accounts since iSpoof was created in December 2020, netting £3.2 million for site owners while scamming unsuspecting victims of large sums of money.
The average loss for those who reported being attacked is believed to be £10,000.
The TikTok user posts a video with the caption “RIP all iSpoof users” earlier this month as dozens were arrested across the UK. There is no suggestion that the TikTok user was involved in the scam.
How many people were scammed through iSpoof?
At one point, nearly 20 people every minute of the day were contacted by scammers hiding behind fake identities using the site.
In total, 200,000 potential victims in the UK alone are believed to have been attacked, with many more around the world.
Most of the victims (40 percent) were in the US, followed by Great Britain (35 percent). Many people in Australia and other European countries were also attacked.
In the 12 months to August 2022, around 10 million fraudulent calls were made worldwide via iSpoof, of which around 3.5 million were made in the UK.
Of these, 350,000 calls lasted more than a minute and were made to 200,000 people.
Losses reported to Action Fraud as a result of calls and texts via iSpoof are around £50 million. But because the fraud is widely underreported, the total amount is believed to be much higher.
On a Telegram channel used by administrators and iSpoof users (pictured), subscribers were told to “change the last digit” when posing as a caller from a bank.
How did its creators market the site to criminals?
In a witty video advertising potential criminals on encrypted messaging app Telegram, iSpoof called itself ‘the number one phishing service’.
Alongside graphics of people working on computers, it read: ‘iSpoof was made by counterfeiters, for counterfeiters.’
Referencing the bank details the scammers expected their brands to type in during their calls, he adds: “Select the digits the targets type and see it on your dashboard.”
It continues: “Send fake SMS messages and much more… our state-of-the-art system handles robocalls with custom hold music and convincing background sound for the call center.”
He boasts that the scam technology works “both on Android and iOS,” and said users can sign up for free and pay monthly in Bitcoin to “remain totally anonymous.”
In a Telegram channel used by iSpoof administrators and users, subscribers were told to “change the last digit” when posing as a bank operator.
One message read: “Seems like some people are really stupid and don’t understand that most bank numbers are blocked and can’t be used… if your mind isn’t creative enough or your skill set doesn’t allow you to act without a specific number”. then you should pack your bags and get a job in a grocery store.’
He added: “If I find you complaining about caller ID without changing a last digit etc. or wasting our time, this may be a reason you are being banned from our service.”
How did law enforcement take down the site?
After a wave of Action Fraud reports were linked to iSpoof, the Met’s CyberCrime Unit began investigating the site in June 2021 under the name Operation Elaborate.
Investigators infiltrated the website and began collecting information together with Europol, Eurojust, the Dutch authorities and the FBI.
Police were able to identify the suspects by seizing the website’s server, which contained a treasure trove of information in 70 million data rows.
Bitcoin records were also tracked.
In the UK, more than 100 people have been arrested, the vast majority on suspicion of fraud.
What should I do if I have been scammed?
The Met plans to send mass text messages to 70,000 victims today and tomorrow asking them to call to testify.
Police also want anyone who believes they may have been scammed by the site to file an official report of the crime online.
This could pave the way for some money to be returned to the victims later on.
What will happen to the suspects?
Teejai Fletcher, who is believed to have been involved in running iSpoof, has been charged with fraud and will appear in court in two weeks.
Because the pool of 59,000 potential suspects is so large, investigators are targeting UK users first and those who have spent at least £100 worth of Bitcoin to use the site.
There have already been dozens of arrests and details of other suspects have been passed on to law enforcement partners in the Netherlands, Australia, France and Ireland.
Detective Superintendent Helen Rance, who directs cybercrime for the Met, said: “Our message to criminals who have used this website is that we have your data and are working hard to locate you, regardless of where you are.”
What can I do to avoid being a victim of fraud?
The Take Five campaign has provided some tips and advice to help spot fraudulent messages:
- A genuine bank or organization will never contact you out of the blue asking for your PIN, full password or to transfer money to another account.
- Only provide your personal or financial details to use a service that you have consented to, trust, and expect to communicate with you.
- Never automatically click a link in an unexpected email or text message.
- If you receive a request for personal information, please do not provide it. Instead, contact the company directly using a known email or phone number.