Millions of people get phone calls from scammers and wonder who is at the other end.
Now we know: rather than someone in a call centre far away, a “bright young man” living in a lush flat in London has been unmasked as the mastermind behind so many of these calls.
Tejay Fletcher’s trial exposed how criminals with a simple website bypassed police, phone operators and banks to facilitate “fraud on an industrial scale”, scamming victims out of £100m of their hard earned cash.
Fletcher, 35, who ran the website iSpoof.cc, was jailed for 13 years and four months earlier this week following his arrest in 2019 in what is the biggest anti-fraud operation mounted in the UK.
The website allowed criminals to disguise their phone numbers in a process known as “spoofing” and trick unsuspecting people to believe they were being called by their bank or other institutions.
Fletcher’s luxury lifestyle
When police arrested Fletcher and raided his home, a rented east London apartment with views of the Royal Victoria Dock and the City skyline, they found riches including a £230,000 Lamborghini, two Range Rovers worth £120,000 and an £11,000 Rolex.
There was also a money counter, jewellery, and an Audemars Piguet watch which appeared to be fake.
It was a far cry from the early years of his life, which he spent in a succession of foster homes, according to his lawyer.
The son of a single mother who “simply was unable to cope”, his pathway to criminality was lined with stolen cars and the consumption of cannabis, Southwark Crown Court heard.
In 2020, he co-founded iSpoof.cc, which he built into what he called “the most sophisticated client spoofing platform available”, allowing scammers to change the number or identity displayed when they made calls so they appeared to be calling from a trusted organisation, often a bank or a bank’s fraud department.
After he earned nearly £2m in profits, police finally caught him and brought down the site.
His website was used for a large proportion of fraudulent activity in the UK – but copycats have since taken its place, and others are still falling victim to these types of scams, experts have warned.
How victims were scammed
The number of people using iSpoof swelled to 69,000 at its peak, with as many as 20 people per minute targeted by callers using the site.
More than 10 million fraudulent calls were made using iSpoof in the year to August 2022 – 3.5 million of them in the UK, the prosecution said. More than 200,000 victims in the UK – many of them elderly – lost £43m, while global losses exceeded £100m.
For a basic subscription fee of £150 a month, users got a set number of minutes to make automated bot calls using the website or app version. They could then pay extra for additional features, leading to packages worth hundreds, even thousands of pounds a month.
Users could only pay via Bitcoin – a currency favoured by many criminals because it is more difficult to trace payments.
Often, victims would get an automated call prompting them to confirm a transaction on an account.
The website allowed them to intercept one-time passwords, which were “ironically” introduced by banks to increase their security measures, noted John Ojakovoh, prosecuting.
iSpoof offered scammers extra features that allowed victims to type in a telephone pincode after being prompted to do so by an automated call.
Users could also pay for the ability to monitor calls live, or place calls pretending to be from an establishment that had old card details on file and wanted new ones.
Scammers could control what the automated call would say to recipients and access tools such as voice recognition.
As part of its marketing, iSpoof promised users security and anonymity. They were told call logs and IP addresses were not stored, so their “tracks were covered”.
Typically, scammers would already have some bank details about their victims, often obtained through the use of smishing – bulk fake texts sent to people – or purchased elsewhere online.
The Telegram channel
iSpoof had a channel on Telegram, a social media platform, which it used to communicate with its customers and promote itself, the prosecution said.
The Telegram channel also displayed advertisements from companies selling bank details.
Fletcher would use it to conduct “market research”, running polls to find out which features users wanted most.
Other posts “encouraged” scammers to defraud people, the prosecution said. In a post in January 2022, Fletcher wished customers a “Happy New Year”, writing: “All back to work, back to getting that bag. Make this year special, stack those Satoshis [a reference to the supposed inventor of Bitcoin].”
Fletcher was not particularly tech-savvy, but he used a website called freelancer.com to hire programmers to make the “building blocks” of the site. A programmer even warned him that she believed what he was asking her to do was illegal and could land her in jail, messages seen by prosecutors revealed.
His lawyer said he had initially set out to create a simple website, but his co-founder suggested ways the technology could be made more sophisticated, which spurred him on. In 2021, he and his co-founder “fell out” and Fletcher ousted him, replacing him with three other administrators that he appeared to be supervising. In one post, Fletcher was seen chastising another administrator for “not working hard enough”, the prosecution said.
When Fletcher assumed control of iSpoof, the profits received had a “meteoric rise” from 5 Bitcoin to 117, prosecutors said. Fletcher received 64.38 Bitcoin, worth just short of £2m.
How police cracked the case
Posing as iSpoof customers, police paid for a trial subscription in Bitcoin and tested the website. They traced the money they paid to iSpoof and eventually discovered that the “lion’s share” of the profits were going to Fletcher.
They obtained a copy of the website’s server, which revealed call logs that further incriminated Fletcher and the scammers using his website.
It turned out that Fletcher had deceived the scammers, too, when he claimed he was not storing any of their information, prosecutors said.
After his arrest in 2019, he initially pleaded not guilty. After seeing the evidence against him he changed his plea.
According to his lawyers, Fletcher wanted his victims to know he was genuinely sorry for the “misery” he had caused.
He suffered, and continues to suffer from anxiety and depression, which he sought counselling for prior to his arrest, his lawyer said.
Describing him as an “extremely bright young man”, his lawyer, Simon Baker KC, said: “It is extremely unfortunate that intellect was not channelled into gainful activities.”
Fletcher, who recently became a father, regularly donated some of his wealth to CYL, a charity, for projects to help young men with mental health issues, his lawyer said.
Before his arrest, he had been looking at setting up a business to provide buses for the charity, and had secured a drama school place before his arrest. His lawyer said this underscored the potential for his rehabilitation.
Brought to justice
Although Fletcher will remain behind bars, others are also being investigated. Some 120 suspected phone scammers have been arrested, 103 of them in London.
Chris Ainsley, head of fraud risk management at Santander UK, said it was “great to see criminals who carry out these scams brought to justice”, but warned: “The risk posed by fraud and scams remains ever-present.
“We continue to see thousands of cases where scammers impersonate official bodies, like a bank, the police or HMRC, spoofing phone numbers to convince and pressure the victims into acting.”
Jim Winters, director of economic crime at Nationwide, said iSpoof drove a “significant percentage of fraudulent activity” that banks were seeing at the time, and said banks now have more anti-spoofing controls.
He said most banks are now signed up to an anti-fraud list held by telecoms regulator Ofcom, known as the “do not originate” list, which records telephone numbers used by genuine firms or government departments to receive calls, but are never used for outbound calls. The list is shared with telecom providers and their intermediaries to help them identify and block scam calls.
These numbers – such as those found on the back of bank cards or listed as fraud helplines on a bank’s website – are most at risk of being spoofed. However, some banks have failed to include all relevant numbers on the regulator’s list, according to an investigation by Which?, the consumer group, last November.
Signing up to this list is not mandatory and Ofcom does not publish who is and is not on it, citing security reasons.
What’s more, adding a number to the list does not guarantee that all calls will be blocked, according to Ofcom. Not all telephone providers apply this list to their calls, and for those that do, technical limitations mean some calls could still sneak through.
Mr Winters said more companies, not just banks, needed to be added on to this list.
Social media companies like Telegram are also not held responsible for hosting content from scamming websites like iSpoof, according to sources in the banking industry, who want to see them bear more responsibility.
Despite their best efforts, Mr Winters said it would be unfair to lumber all police departments with the entire responsibility of policing fraud. Police spend just 2pc of their funding on fraud despite it representing 40pc of all crime, Which? found earlier this year.
Mr Winters said it was welcome that police were going after “kingpins” like Fletcher, who are behind such a large volume of these calls.
But Steve Goddard, a fraud expert at Featurespace, said number spoofing scams are still common, with criminals creating new versions of iSpoof.
He said: “It’s like a hydra: you chop one head off and two more will grow back.”
[ad_2]
Source link