Criminals have been mass-mailing emails that purport to be from Marks & Spencer Bank offering tempting savings bonds paying more than 7% interest.
If you click on the messages you go through to the website ms-fixedrates.com.
One savvy M&S customer who has one of their credit cards spotted that this was a clone M&S site and tried to alert the bank, assuming it would use its clout to get the site taken down and post a warning on the real website.
If only.
"I reported it via the chat service in the M&S app," says the customer, who asked not to be named.
"I sent the URL and told them that it was a criminal website pretending to be M&S. I was told to call the fraud team that was open 24/7.
"I called and was connected to a call centre in India. I explained the situation and the call handler said I’d have to provide card details. I said this wasn’t necessary as it wasn’t about my account, I was trying to report a criminal clone of M&S."
Eventually he was told that the "24/7" fraud department shuts at 5pm.
He tried again the next day and after 20 minutes on hold to another number he gave up and went on the chat app again, at which point the situation goes from bad to worse.
The app told him: "We have check (sic) the link and found out that the link was genuine but offer is now not available."
This is wrong on both counts - ms-fixedrates.com is a clone site and at time of writing it was very much open to receiving money from anyone successfully duped.
Aghast, the customer replied: "That is a very worrying and irresponsible response. You have just told me that a criminal website, pretending to be M&S in order to steal from the public, is a genuine M&S website."
He also alerted via Twitter the marketing company that was mass emailing the messages, US-based benchmarkemail.com, but got no response.
And he did the same for the company that was being paid to host the fake domain, Squarespace.com, but they also ignored him.
No wonder fraud is rife.
I had some better luck and the website is now down, but it shouldn't need the intervention of a journalist to achieve this. And, as the customer says, it should not be this difficult to report a fraud website to the company that's being cloned.
A spokesperson for M&S Bank told me that it takes customer security "extremely seriously", apologised that the clone website had wrongly been declared genuine in the app conversation, and said it uses state-of-the-art technology to deter and detect financial crime.
"More like state-of-the-ark technology," says the customer.
"It also seems that it’s not possible, or very difficult, to report this type of crime to M&S unless you are a customer. I don’t think I would have been able to speak to anyone unless I could provide a card or account number.
"If I was a member of the public, one of the thousands who presumably got this email, and had checked with M&S via the app about its authenticity, I’d undoubtedly be about to lose between £50,000 and £250,000 - the current stated investment level.
"M&S is not to blame for this scam, however its lack of warning to its customers is difficult to understand, never mind its endorsement of a website run by criminals impersonating them."
Apart from wanting it to be easier to report frauds, he wants the middlemen "enablers" tackled.
"As with all these clone scams, it’s far easier, cheaper and much less damaging to victims to stop them at source by forcing the enablers to act. The obvious enablers are the email marketer, the registrar and ISP. If they acted once it’s obvious that it's a clone then the emails would no longer link to the website and the website would also disappear. Prevention is better than cure."
investigate@mirror.co.uk