139.The second step in the fraud chain is typically marked by interaction between fraudsters and their victims. Phone calls, texts, physical meetings or other means of communication may be used to convince a victim to handover money or data. These interactions lean heavily on social engineering techniques and often manufacture pressure, anxiety and stress to force an individual into a “hot state” in which they are more likely to transfer money to a fraudster, who will rapidly ‘cash out’ their stolen funds.
140.This chapter will provide an assessment of number spoofing, fraudulent websites and social engineering to analyse how digital fraudsters interact with their victims.
141.Number spoofing is used by fraudsters to convince their victims that they are calling them from a legitimate organisation. Overseas fraudsters are able to use technology to convince victims that calls are coming from UK numbers. This increases the likelihood that victims will buy into the scams and commit to transferring funds or data to fraudulent depositories. It often takes place following a smishing or phishing attempt.
142.Number spoofing is prolific in the UK. In 2021, Ofcom found that 8 in 10 (82%) people surveyed had been targeted with scam texts or phone calls, which were intended to convince them that they were from trusted organisations such as banks, the NHS or government departments.
Paul is a pensioner in his mid-70s who suffers from a history of heart attacks. His income outside savings is a state pension of £817. In February 2022, Paul fell victim to a sophisticated malicious misdirection APP scam that cost him £65,000. The fraud was conducted through smishing and number spoofing with the bulk of the interaction being conducted by phone.
“He was very well spoken and with a soft Scottish accent. He identified himself as ‘Clive’ and then said he needed to take me through some security questions … I had no doubt that he was who he said he was, and so I co-operated.”
Initially, Paul received a smishing text claiming to be from Royal Mail. Because he was expecting a delivery, Paul did not consider the text unusual and paid a redirection fee of £2.99 using his debit card. Two days later, he received a spoofing call claiming to be ‘Clive’ from his bank’s fraud department.
The fraudster then personalised the scam by confirming Paul’s local bank branch in his town’s shopping centre. Paul said that he took this as a subliminal confirmation that the scammer was who they said they were. The scammer then went on to use sophisticated social engineering techniques. He isolated Paul by instructing him to drive home and collect his passport. He then convinced Paul that he needed Paul to assist him in catching other alleged fraudsters at the bank, cutting him off further from reaching out for assistance.
The fraudster asked Paul to transfer money to ‘dummy accounts’ and for him to speak to the payment verification department via phone so that he could monitor the bank’s responses. The fraudster explained how to set up a shared call, and said he was recording the calls. By the end of this process, the scammer had moved £65,000 from Paul’s bank account into three ‘dummy’ accounts, controlled by the fraudster. The fraudster said that the police would be visiting Paul to receive a witness’s statement from him regarding fraud at Santander. When this didn’t happen and the criminal stopped communicating with him, Paul realised it was a scam.
“He also said there had been 14 attempts to fraudulently move money involving this bank branch in the past month and he was leading an internal investigation to discover who might be colluding at the bank, and he needed my help.”
Paul has now been fully reimbursed by Santander. However, the effects of the scam are longstanding.
“I feel that the scam of which I am a victim was extremely sophisticated—they played on my anxiety and this whole experience has left me feeling violated. It’s as if someone took control of my brain and manipulated me.”
In response to Paul’s experience, Santander said:
“Our dedicated fraud contact centre contacted Paul, but despite specific conversations around potential scams Paul chose to provide inaccurate information to us regarding the reason for the payments, which resulted in them being released… Santander had initially agreed to reimburse Paul 50% of the first payment, but not the second and third payment based on the interaction and questions asked by the Bank prior to them being sent. Upon receiving more information regarding the customer’s individual circumstances during the Financial Ombudsmen review, we refunded the customer in full, alongside paying 8% interest on his loss from the date of the transactions until the date of the refund and a further £500 compensation.”
143.When spoofing happens, scammers make it appear that a phone call or text is coming from a trusted telephone number, for example that of a delivery company. Scammers are able to do this because of the telephone identification protocol, SS7. This tells the network what ‘presentation number’ or ‘calling line identification’ (CLI) a user is calling from on both mobile and landline phones. Fraudsters can steal this presentation number. SS7 is a core part of 2G and 3G networks and is still used in telecoms networks globally.
144.Prof Hao used the analogy of a letter to describe how number spoofing works:
“First, number spoofing is always possible. From the day the telephone system was designed you could modify the caller ID … You can think of it as posting a letter. You write the receiver’s address, and you can also write the sender’s address on the envelope. You can arbitrarily write a sender’s address. It is your choice. Sometimes, if you post a letter from home, for example, you may want to write a different sender’s address because you want the receiver to return the letter to a different address, maybe to your work address.”
145.The UK is particularly vulnerable to the international trend of number spoofing. Brian Dilley, Group Director of Economic Crime Prevention at Lloyds Banking Group, said that the inability for telecoms companies to block international scam calls and fraudulent number spoofing was the largest fraud vulnerability for the bank. Part of the high degree of susceptibility seen in the UK may be a product of the historical pattern of communication between service provider and their customers. Transpact.com, an escrow service company, said:
“Individuals and businesses have been ‘groomed’ by UK banks and UK utilities to receive a phone call from the bank/utility and for the bank/utility to ask the call recipient to divulge confidential information … to prove the call receiver’s identity. This is disastrous practice, as neither an individual (nor a business) can know whether they are being called by the genuine bank/utility or by a fraudster impersonating them.”
146.This process, conducted by many different types of companies from broadband operators to energy companies, has had the effect of ‘grooming’ customers into divulging information when asked by a person who claims to represent a trusted authority via telephone, despite the fact that they do not have to identify themselves in any meaningful capacity. While there are some legitimate uses of this practice, we believe that it should be phased out in favour of a more effective solution.
147.Spoofing technology is readily available to fraudsters. Police Scotland’s DCI Stevie Trim told us about the availability of number spoofing applications provided by multiple companies. DCI Trim said: “From my experience, a lot of these are independent companies. There are spoofing apps that people can download. They were originally used to play jokes: I could put in a phone number and pretend to my mum that I was from a particular organisation.”
148.Action to tackle number spoofing is made much harder by VoIP technology. Prof Hao argues that the ability to falsify your CLI is getting easier because of “the deregulation of the market, more and more telecommunication companies use VoIP-based technology. With those kinds of companies, the service is in the cloud, so it is much easier to modify a number.”
149.For example, as well as online messaging, WhatsApp (see Chapter 2 and 3) permits calls through the use of VoIP, although it blocks attempts to register an account on WhatsApp using a VoIP provider specifically. Meta recognises that WhatsApp only has a “limited ability to identify when a call or message is originating from a location that differs from the country code assigned to the registered phone number, using identifiers like a user’s IP address for example.” This leaves it open to abuse.
150.All voice calls, regardless of the use of encryption, are undermined in their ability to mitigate number spoofing by the design of their service. Adrian Gorham told us: “voice calls which are, by policy and technical design, ‘any-to-any’ so can be originated by any customer in the UK/internationally to any customer in the UK and cannot be subject to prior filtering by content”
151.Action to tackle and prevent scam calls is listed in Action 1 of the Telecommunications Fraud Sector Charter. The Charter sets out measures including implementing enhanced call blocking solutions, working with Ofcom and the Information Commissioner’s Office (ICO), as well as data sharing on the sources of scam calls with law enforcement, banking and the industry. According to the CCSG, this work is “on track.”
152.Ofcom has taken several steps to tackle number spoofing. In October 2021, Ofcom asked phone networks to block internet calls coming from overseas if they pretend to be from UK numbers. When TalkTalk implemented the measure it claimed to see a 65% reduction in complaints about scam calls. Different operators are now rolling out their own solutions to this issue. EE has launched new firewall technology to block international scam calls that use a UK CLI and claims to have blocked up to a million a day since its inception in July 2022, benefitting BT, Plusnet and EE customers.
153.In February 2022, Ofcom published a consultation on improving the accuracy of CLI data. The consultation set out plans to strengthen its existing General Condition C6, which introduced CLI measures—to require providers, where technically feasible, to identify and block calls with CLI data that is either invalid, non-dialable or does not uniquely identify the caller. It will provide guidance on what it expects providers to do to meet the new obligations. We understand that Ofcom expects to publish a statement on these plans in Autumn 2022.
154.The ‘Do Not Originate’ list is a key measure being used to tackle number spoofing. Created by Ofcom and UK Finance, the list details numbers that are allocated to financial institutions, but which are never used for outbound customer service calls. Huw Saunders, Director of Network Infrastructure and Resilience at Ofcom, told us that the list now comprises “over 12,500 numbers, which, if they are seen in the network, are known to be malicious or known to be a scammer and therefore should be blocked.” Saunders also added that from Ofcom’s perspective the list “has proven very effective”. When HMRC implemented the measure, it reduced the amount of phone scams spoofing genuine inbound HMRC numbers “to zero”.
155.Part 4 of the Data Protection and Digital Information Bill, which is currently on hold, is set to increase fines for nuisance calls and texts by extending the reach of the Privacy and Electronic Communications Regulations (PECR). Clause 80 will enable the ICO to investigate and act against organisations responsible for unwanted direct marketing. The PECR are not aimed at fraud and it appears that these measures will need to be directed towards fraudulent calls unless there is clear guidance that this should apply.
156.We have taken evidence that highlights how international best practice can be followed by UK regulators. For example, in 2022 the US Federal Trade Commission (FTC) took action against a VoIP service provider for facilitating the transmission of pre-recorded scam robocalls, many relating to the pandemic, several of which originated overseas and used spoofed numbers. The case was the FTC’s third action against a VoIP provider. The court action included an order permanently stopping the defendants from such illegal conduct, forcing them to introduce technology to block such calls and screen new customers, and included a suspended civil penalty of more than $3 million.
157.Also in the US, technology has been created termed ‘Stir and Shaken’ protocols which will enable networks to authenticate CLI numbers. At present, this cannot be implemented on EU phone networks and Ofcom says that UK providers cannot implement such technology until networks and the technology that supports voice services are upgraded. The Government is switching off the public switched telephone network (PSTN) in order to make all phone lines digital by December 2025. In practice, this means that landlines will be connected by broadband connections (like in VoIP) rather than copper phone lines. This means that CLI authentication likely will not be fully available in the UK until that point.
158.Number spoofing is fundamental to convincing victims that they are being contacted by a genuine, trusted authority. We endorse the valuable work being undertaken by Ofcom and the industry to tackle number spoofing, however efforts to address CLI spoofing must not be watered down or delayed.
159.Ofcom must expedite its work on number spoofing. It must ensure that technologies that prevent CLI abuse are rolled out as soon as possible, and take all available steps to require the mandatory use of these technologies immediately when possible. Updates to the core network should be made urgently to stamp out fraud, ideally prior to 2025. Where such reasonable steps are not taken, companies must face penalties.
161.Social engineering is the process by which criminals groom and manipulate people into divulging personal and financial details or transferring money. Fraudsters use social engineering to bring a victim into what Brian Dilley called a “hot state”. This is the point at which individuals stop thinking clearly and often feel rushed, anxious and mistrustful.
162.Highlighting the risks of romance fraud and the vulnerability characteristics of victims, the Online Dating Association said: “Fraudsters are extremely adept at emotional manipulation and recognising the signs of those who are vulnerable and easy targets.” For example, isolation, reduced digital literacy or mental health illness may contribute to higher levels of vulnerability.
163.Social engineering is not only successful against victims who are predisposed to scammers by existing vulnerabilities. Dr Konstantinos Mersinas, Senior Lecturer at Royal Holloway, explained that anyone can fall for social engineering saying: “The fact that security professionals might fall for social engineering attacks, and phishing, indicates that it is not a matter of knowledge or of providing the information.”
164.Social engineering reduces the efficacy of counter-fraud warning signs. Attempts to fight back against social engineering may be undermined by the lack of trust created by the criminal. Brian Dilley told us that this often leads to the victim believing that the person trying to contact them genuinely is trying to help them because they have created a compelling narrative. TSB acknowledged that social engineering helps criminals circumvent warnings and public information campaigns created by stakeholders within the fraud chain:
“Given the scale of fraud in the UK and the sophistication of many scams, the technologies that are used, and the complex social engineering tactics used it is not credible to suggest that educating people about fraud is particularly effective … Fraudsters will always find ways to explain away a customer’s concern.”
165.Social engineering can prevent individuals from asking for help and it can leave victims with residual feelings of shame. Mike Haley explained this issue by its parallel with the experience of burglary and fraud:
“I could be burgled, and everyone would have sympathy for me. I would not feel shame or embarrassment about it, and other people would have some empathy. With a fraud, there is a degree to which people will feel ashamed and embarrassed to even speak about it. They feel, as do others, that they have brought it on themselves in some way, they were not very savvy, and they were taken in by social engineering.”
166.See Box 7 for Paul’s experience of being socially engineered to transfer £65,000 into a fraudster’s account. The fraud was predominantly based on the high degree of trust Paul placed in the fraudster.
167.In September 2021, Stop Scams UK a cross-sector industry body, launched a pilot scheme called 159, a memorable short code phone service that connects the retail banking customers directly with their bank, should they receive an unexpected or suspicious call on a financial matter. Stop Scams UK told us that the average bank impersonation scam costs consumers more than £4,500. By spring 2022, 80,000 calls had been made to 159 and the service has now been expanded to accommodate other banks including the Co-operative Bank, the Nationwide Building Society, and TSB.
168.Initiatives like the 159 initiative are vitally important in shaking a victim out of the ‘hot state’. Stop Scams UK said that the initiative can help to “break the scam journey at that critical moment when the consumer is at most risk of being socially engineered and making a payment.”
169.Education is a central component of helping people recognise and response to social engineering. Brian Dilley said that whilst attaining reliable metrics for studying the success of awareness messaging is challenging, education is “the first line of defence” because it can help a victim to understand when to hang up the phone. More information regarding consumer education can be found at paragraph 402.
170.Social engineering is a cruel tactic used by fraudsters to manipulate their victims. It has longstanding impacts on victims, who may find it difficult to trust organisations in future because of the tactics used by fraudsters to manoeuvre them into the ‘hot state’ in which they make a payment.
171.Financial institutions, whether banks or building societies, must be encouraged to participate in the 159 initiative, and should be mandated to provide information on the service to their customers if the initiative is extended beyond pilot stage.
172.Fraudsters incorporate fraudulent websites or domains into phishing messages to draw victims into the interaction phase of a fraud. Domain registration to set up a website is cheap and easy, often only costing between $10 and $30 a year. This enables some fraud to be carried out with relative ease. The ease with which fraudsters create these domains means that identifying and closing them down becomes a game of “whack-a-mole”.
173.Fake websites often link to real life scenarios or contemporary events that are exploited to help social engineering of victims. The COVID-19 pandemic provided a rich opportunity for phishing attacks. Texts often relocated victims to fake website pages about vaccinations or COVID-19 passes. Websites were designed to collect personal and financial information from victims. They offered vaccine booking appointments in return for a fee.
174.There are a number of ways in which fraudsters aim to spoof websites. For example:
175.Prof Hao’s research shows that fraudulent domain names often work best on mobile devices because users are less likely to notice that a website is different to the original on their phones because of the smaller screen size and user interface.
176.The use of fraudulent websites presents a significant challenge to counter-fraud agencies because domains can be made quickly with very few identity checks. Prof Hao said: “Often, phishing websites are short-lived. They do not last long, because it takes time for the activities to be detected. After a day or two, they get the fraudulent transactions and make enough money, and if it is detected and blocked, they just open another domain.”
177.New software makes finding and removing fraudulent websites even harder. Proxy servers can be used to guide users to websites that are blocked in other countries via domain hopping (the practice of relocating to new domains to prevent being penalised). An example of this kind of site is Unblockit. In addition, IP masking services disguise the IP address of the hosting server through software like Cloudfire. The Motion Picture Association told us that these pieces of software offer criminals the ability to evade shutdowns through ‘domain hopping’. It said:
“When enforcement activities are implemented—be it ISP blocking, search engine delisting or otherwise—Unblockit and sites like it simply move to a new domain.”
178.Action to tackle fraudulent domains is spearheaded by the NCSC. In 2021, the NCSC took down 2.7 million campaigns amounting to 3.1 million URLs. This was an increase on the 700,595 campaigns and 1.4 million URLs taken down in 2020. Overall, since the takedown service began in June 2016 it has taken down 3.7 million campaign groups (5.8 million URLs covering more than 2 million IP addresses).
179.The Motion Picture Association has argued that more should be done to tackle fraudulent domains by know your business customer (KYBC) checks. It suggested that a new KYBC obligation should be placed on online service providers such that checks “would require commercial entities to establish the true identity of their business customers as a precondition for selling, and receiving payment for, digital services.”
180.Will Semple suggested that KYC checks could help to prevent criminals registering new domains and encrypting the traffic between a web server and the customer’s browser. He said:
“They have to register a domain. Often, they have to register what we call an SSL certificate, which encrypts the traffic between the web server and the customer’s browser … my view is that it is too easy to register, and some simple know your customer-type techniques would probably introduce a major speedbump into the entire process. They would not stop it, but they would definitely make it harder for bad actors to carry out these activities.”
181.However, Prof Hao told us that this is more difficult than it sounds because domain hosts can only monitor traffic on a website and deduce whether it is likely to be fraudulent by the type of traffic it attracts. While it is possible to look up the owner of a domain, this is not common practice. In addition, Prof Hao said:
“Criminals never use their real identity; they always use a stolen identity to register the domain. They do not register it in the UK; they register it overseas. They use a stolen credit card to make payments, or bitcoin or an anonymous payment method.”
182.The Association of British Insurers said that there must be more effort to deter fraudsters from registering fraudulent domains given that “the issue moves so quickly that simply listing domains will always be outpaced by new domains emerging.” They argue that prosecution is vital to deter future fraudulent activity. However, Michael Skidmore, Senior Researcher at the Police Foundation, cautioned that policing these domains would be challenging because we are “dealing in this regard with quite technical and cross-border offenders.”
183.Will Semple argued that action against fraudulent domains must be cross-sectoral. Noting that “everyone has a role to play”, He identified eBay’s collaboration with PSPs, financial services institutions, software providers and domain name registrars as an example. The efficacy of this approach can be seen in the work of Stop Scams UK who said that through collaboration BT, TalkTalk and others had put online a URL Blocking Proof of Concept service that blocked 33,000 phishing domains as of February 2022. These partnerships must stretch to law enforcement.
The NCSC was launched in 2017 as part of the Government Communications Headquarters (GCHQ). Its role is to act as a bridge between industry and Government and it is the UK’s national authority on the cyber security environment. The National Cyber Strategy 2022 set out that the NCSC’s key priorities are to take direct action to reduce cyber harms, support the UK in protecting itself, provide technical input to government policy and regulation, provide UK sovereign capabilities, and to support growth in cyber skills and investment.
The NCSC has a key role in preventing fraud. In April 2020, the NCSC launched the Suspicious Email Reporting Service, inviting people to share suspicious emails or websites with firstname.lastname@example.org or by reporting directly online. Since the launch, the NCSC have shut down over 76,000 scams across 139,000 websites.
It works in partnership with the ASA on the Scam Ad Alert System; if a post is suspected of being fraudulent, an Alert is sent to the NCSC (and participating social media platforms), which scans the alert for URLs and remove the website if found to be malicious. The NCSC has a key role in taking down scams reported to the 7726 service (see Box 16).
It also runs the Cyber Security Information Sharing Partnership, a public-private information sharing service that allows organisations to share cyber threat information securely and confidentially. In addition, under Action 2 of the Telecommunications Fraud Sector Charter, telecoms providers will share reported URLs and phone numbers linked to smishing with the NCSC. Under Action 7, the NCSC (along with the City of London Police and NECC) is required to appoint a telecommunications fraud point of contact. The Centre also provides guidance for individuals, SMEs, large organisations and public and private sector professionals as part of its Cyber Aware campaign.
We have heard that the NCSC fosters positive collaboration with the private sector. BT Group told us that it has worked with the NCSC on the development of its security education and advice for customers.Stop Scams UK is currently working on how it can better share data from its 159 project with the NCSC. Will Semple told us that “we see very strong leadership in our ecosystem from agencies such as the NCSC and GCHQ”, noting regular collaboration with eBay.However, we are concerned that collaboration with ISPs is lacking, particularly given their role in domain hosting and the creation of fraudulent websites.
We recognise that more can be done, particularly at a local level. Fighting Fraud and Corruption Locally, a working group connected to Cifas, told us that there should be better communication between local authorities, the police and the NCSC to encourage joint working at a local level. The National Anti-Fraud Network (NAFN) told us that while content to support businesses’ awareness of fraud is valuable, it should be more widely publicised and supported with a focus on local implementation.
184.Finally, we note the lack of current focus on the role that Internet Service Providers (ISPs) play in the fraud chain. ISPs supply individuals with access to the web and supply hosting facilities for websites. Dr Mersinas called for a collective effort that included getting “the technological giants, the ISPs and the platforms on board” and not relying on law enforcement efforts alone.” At the moment, membership of the CCSG does not include ISPs despite their role in domain hosting and the Telecommunications Sector Charter does not explicitly mention cooperation or data sharing with ISPs.
185.We understand that the Government is considering fraudulent domain names as part of its review of the Computer Misuse Act, including potential powers to seize internet domain names so that fraudsters cannot register a domain to “lure people down a fraudulent path”.
186.We also understand that the issue of fraudulent domains is not considered to be within Ofcom’s regulatory perimeter. Furthermore, it is arguably inconceivable to bring it within its territorial perimeter due to the overseas nature of this activity. We recognise that any efforts to bring this issue within Ofcom’s regulatory perimeter might result in domain hosts using overseas services.
187.Fraudulent websites have become a common means by which fraudsters can convince their victims that they are interacting with a genuine organisation or authority. At present, it is too easy to set up a spoof website. Domain hosts and ISPs have been left out of the debate on how to tackle fraud. This oversight has left them without due scrutiny. These services must be subject to the same stringent counter-fraud controls that should apply across the board.
188.The Government must clarify within whose regulatory perimeter domain hosts and other ISPs sit and explore whether bringing this issue within Ofcom’s regulatory remit would materially benefit its counter-fraud function. The responsible regulator should consult on new regulations requiring domain name providers to enforce greater KYC checks on those registering domain names, and on codes of practice to establish protocols that prohibit domains from being used if it is believed that the intention is to deceive users.
240 (Brian Dilley)
241 Written evidence from BT Group ()
242 Ofcom. ‘45 million people targeted by scam calls and texts this summer’ (20 October 2021): [accessed 1 November 2022]
243 Written evidence from Santander ()
244 BBC News ‘Why phone scams are so difficult to tackle’ (23 August 2021): [accessed 1 November 2022]
245 (Prof Feng Hao)
246 (Brian Dilley)
247 Written evidence from Transpact.com ()
248 (DCI Stevie Trim)
249 (Prof Feng Hao)
250 Supplementary written evidence from Meta ()
251 Supplementary written evidence from the CCSG ()
252 Home Office, ‘Fraud sector charter: telecommunications’ (updated 26 October 2021): [accessed 1 November 2022]
253 Written evidence from the CCSG ()
254 ‘Ofcom plans crackdown on fake number fraud’, The Independent (23 February 2022): [accessed 1 November 2022]
255 (Adrian Gorham)
256 EE, ‘EE takes a stand against scammers with latest international call-blocking technology’ (18 August 2022): [accessed 1 November 2022]
257 Ofcom, Improving the accuracy of Calling Line Identification (CLI) data: Consultation on changes to our General Conditions and supporting guidance on the provision of CLI facilities (23 February 2022): [accessed 1 November 2022]
258 (Huw Saunders)
259 Take Five, ‘Criminals exploit Covid-19 as fraud moves increasingly online’: [accessed 1 November 2022]
260 , Part 4, clause 80 [Bill 143 (2022–23)]
261 Written evidence by the FTC ()
262 Federal Trade Commission, ‘FTC takes action to stop voice over internet provider from facilitating illegal telemarketing robocalls, including scams relating to the pandemic’ (26 April 2022): [accessed 1 November 2022]
263 BBC News, ‘Ofcom asks phone networks to block foreign scam calls’ (25 October 2021): [accessed 1 November 2022]; BBC News, ‘Why phone scams are so difficult to tackle’ (23 August 2021): [accessed 1 November 2022] and Which?, ‘Digital Voice and the landline phone switch-off: what it means for you’ (7 October 2022): [accessed 1 November 2022]
264 Written evidence from Amazon ()
265 (Brian Dilley)
266 Written evidence from Online Dating Association ()
267 Written evidence from Liz Eden ()
268 (Dr Konstantinos Mersinas)
269 (Brian Dilley)
270 Written evidence from TSB ()
271 (Mike Haley)
272 Written evidence from Paul ()
273 Written evidence from Stop Scams UK ()
275 (Brian Dilley)
276 Allen & Overy, ‘Domain names, online fraud and UDRP proceedings’: [accessed 1 November 2022]
277 (Mark Steward)
278 Techradar, ‘Why criminals spoof your domain name’ (7 November 2019): [accessed 1 November 2022]
279 Mohammed Aamir Ali, Muhammad Ajmal Azad, Mario Parreno Centeno, Feng Hao, Aad van Moorsel, ‘Consumer-facing technology fraud: economic, attack methods and potential solutions’, Future Generation Computer Systems, vol 100 (2019), pp 408–427 (November 2019): [accessed 1 November 2022]
280 (Prof Feng Hao)
281 Written evidence from the Motion Picture Association ()
282 National Cyber Security Centre, Active Cyber Defence: The fifth year: [accessed 1 November 2022]
283 Written evidence from the Motion Picture Association ()
284 (Will Semple)
285 (Prof Feng Hao)
286 Written evidence from the Association of British Insurers ()
287 (Michael Skidmore)
288 (Will Semple)
289 Written evidence from Stop Scams UK ()
290 HM Government, ‘National Cyber Security Centre’: [accessed 1 November 2022]
291 Cabinet Office, ‘National Cyber Strategy 2022’ (updated 7 February 2022): [accessed 1 November 2022]
292 DCMS, ‘Major law changes to protect people from scam adverts online’ (8 March 2022): [accessed 1 November 2022]
293 Written evidence from the ASA ()
294 National Cyber Security Centre, ‘CiSP’: [accessed 1 November 2022]
295 Home Office, ‘Fraud sector charter: telecommunications’ (26 October 2021): [accessed 1 November 2022]
296 See National Cyber Security Centre, ‘New web tool to test your cyber risk as survey exposes 80% of British people fear online attacks’ (March 2021): [accessed 1 November 2022].
297 Written evidence from BT Group ()
298 Written evidence from Stop Scams UK ()
299 (Will Semple)
300 Written evidence from Fighting Fraud and Corruption Locally ()
302 Carphone Warehouse, ‘What is an Internet Service Provider (ISP)?’: [accessed 1 November 2022]
303 (Dr Konstantinos Mersinas)
304 Home Office’ Fraud sector charter: telecommunications’ (26 October 2021): [accessed 1 November 2022]
305 (Tom Tugendhat MP)