Or, why it's really important to dial the correct phone number. Or, alternatively, how to have people willingly hand over personal details to scammers.

Nuances of the UK phone system

Two thing conspire to make this possible in the UK;

Overdialling

The UK phone network supports 'over-dialling', that is if you were calling 07700900123 and you dial 077009001234 the additional digit, 4, is ignored and the call is connected as you expect

Local Dialling

If you are in a local area (e.g. 01632) you can dial the local number without the leading area code. e.g. for 01632 9601234 you would simply dial 9601234.

What number does your bank use?

Consider M&S Bank, which has the number 0345 9000 900. This is one example, but chances are your bank's number starts with 0345 or 0300.

Missing 0s

A missing 0 when dialling it could end up with a lot of missing zeros on your bank balance.

Consider instead of dialling 03459000900 you lived in the (ficticious) 01632 area code and accidentally missed off the leading 0.

You will have effectively dialled 016323459000900. This number is too long, so you've actually dialled 01632 345900 – remember, the additional digits are just discarded – which could be assigned to anyone.

"Sorry, wrong number"

For some time I had a local number ending 345 9000, and I have had around 15 calls per month for people looking for M&S Bank.

I apologise and most of the time they go away - however the odd one asks if I'm sure I don't work for M&S (yes, I am), or yells abuse at me (because obviously it's my fault they can't dial a number properly) and I've even had accusations of being involved in fraud.

The response I give to that is "If I was trying to defraud you I'd have answered the phone Good Afternoon, M&S Bank not Hello followed by Sorry, I think you've got the wrong number)

"Good Afternoon, M&S Bank"

Of course, conversely, this proves that people are gullible (and not very accurate when it comes to dialling numbers)

If someone genuinely believed they've called their bank you could likely ask them anything for 'security' and they'd probably tell you. And, the scammers are getting better I've even seen IVRs used by fake 'banks' as part of clever scams.

Man-in-the-Middle Attack

Ultimately, they could simply take 01632 345900 and divert it to the genuine 0345 9000 900 number, but adding call recording and DTMF capture along the way.

The hacker would then have a recording of your call with the bank, together with any keys pressed (how many times have you been asked to enter your full account number, telephone banking PIN, date of birth etc?) in a nice machine-readable format.

How easy is this to achieve in the real world?

Let's look at Barclays Lost and Stolen card number;

0345 945 4545

So, to get misdialled calls to this number you would need to control 345 9454 in as many local areas as possible;

Excluding fixed line operators - there are 386 number ranges in use that would let you 'hijack' a misdialled 0345 number, these are split between 78 CPs (Communications Providers).

In practice setting up an account with 78 providers just to get some numbers is impractical, but just 9 providers would give you 141 of them (36% coverage by code) and three or four would still give you some major cities.

Of these, quite a few offer simple online signup, for example; aql has 26 ranges, 3C limited (trading as UKDDI) has 19, VoIP-Un Limited has 16 and Telcom2 has 14.

So, quite quickly you could acquire numbers such as;

  • 01553 345 9454
  • 01255 345 9454
  • 01293 345 9454
  • 01349 345 9454
  • 01436 345 9454
  • 01567 345 9454
  • 01726 345 9454

And anyone in those codes missing off the leading 0 (which happens more than you might think!) would reach you instead of Barclays.

What can be done?

Ultimately, very little – people should just take great care when dialling numbers and be aware of scams such as this.

Arguably overdialling serves no real purpose, it made sense when exchanges (and telephones!) were all analogue devices but with modern exchanges we could easily stop this misuse of numbering.

Additionally, with the proliferation of mobile phones etc, local dialling itself is of limited use (most people I know will dial the full number even when at home) - removing local dialling (as has already been done in some areas) also opens up many more numbers.

The simplest solution, would be to switch off local dialling, but I don't see that happening any time soon.

Until then, make sure you dial the right number.