
Improving protections for victims of APP fraud

We’ve been campaigning to improve protections for victims of authorised push payment (APP) scams for more than four years – here’s our progress so far, and our concerns.

Our campaign has resulted in hard-won benefits for people – including the landmark Contingent Reimbursement Model Code introduced in 2019.

This voluntary set of guidelines was the first document to set out formal protections for APP scam victims. It committed signatories to improve fraud protections and provided guidance on how victims should be treated and reimbursed.

Authorised push payment (APP) – or bank transfer – scams are scams where a person is tricked into making a payment to someone who they think is a legitimate recipient (could be a business, a formal body like a bank or a solicitor, or an individual), but who turns out to be a scammer.

It was thanks to Which?’s super-complaint in 2016 that the Code was introduced, and it currently covers the vast majority of the industry. Since its creation we have kept a close eye on how signatories have interpreted and implemented it to make sure that it is working for victims.

Although the Code was introduced in May 2019, APP scams continue to be a major issue today, with the latest figures suggesting that around 350 people fall victim to them every day, with hundreds of thousands of pounds being lost. In the first six months of 2020 more than £200m was stolen.

Is the Code being undermined?

We have become increasingly concerned over the last 18 months that banks signed up to the Code are interpreting and implementing it in a way which is undermining its effectiveness.

Thanks to the work of our policy, investigations, and Money Helpline teams we have been able to identify numerous ways and hundreds of examples where banks are letting down victims. These include:

🔸 Banks relying on having shown a victim a warning before they made an online payment, despite not producing any evidence that these warnings work

🔸 Banks not properly assessing whether a victim was more susceptible to being scammed (for example due to a pre-existing mental health condition or going through bereavement), or not taking into account evidence provided to them by the victim

🔸 Banks treating victims as fraud experts and expecting them to have taken unreasonable steps to question the scammer or verify who they were paying

Reimbursement rates of victims also remain worryingly low, at an average of about 45%. Figures published by the regulator last year suggested that some firms’ full reimbursement levels have been in the single figures.

Industry has been able to get away with this haphazard implementation of the Code due to the lack of proper regulatory oversight. In our view, the PSR’s approach has been slow and has lacked the decisiveness that is needed for such a potentially life-changing issue.

Implementation of the Code

The evidence that the voluntary Code isn’t working as it should be has been well known for well over a year, yet the PSR has continually looked to others – particularly industry – to bring forward solutions and to fix the issues, rather than making the tough decisions itself.

It handed the day-to-day running of the Code over to the Lending Standards Board, an industry-funded group with no formal regulatory powers. And it has failed to set out a clear, decisive regulatory framework and direction of travel to move us towards a system of mandatory protections.

Last month, the PSR published its latest call for views on APP scams which again suggested that the industry needs to improve, but failed to give a clear indication that swift changes would be forthcoming.

There are some promising ideas in there – particularly around publishing transparent data on the reimbursement rates of firms – but the pace of action, publishing this document followed by another consultation in the autumn, is causing harm to victims who desperately need certainty and support.

We will continue to work constructively with the PSR on this issue. It is vitally important, however, that they work quickly and decisively to create a mandatory set of protections for victims which can replace the voluntary Code.

If they need more powers in order to do what is needed then the government needs to give these to them as quickly as possible. 

We want to continue to build our understanding of how victims are being failed by the current system. If you’ve been a victim of an APP scam and need support or would like to share your story, please let us know in the comments.

If you’d prefer to do so privately, we can be reached via Which? Conversation’s mailbox here.

Janet Keefe says:
11 March 2021

I have recently had “scam” phone calls!
Subscribers phone my land line from their mobile claiming I have called them! (they are returning a missed call)
I have not called these people! It appears my number had been cloned and is being used by someone and is called “spoofing”. I would be unaware, but that these “irritated” people phone me to ask why I called them!! Begs the question, does my account get charged for this??
My phone provider (Sky via BT) had not heard of spoofing and the FCA didn’t know what to do about it!!!
Do you know, please?

Hi Janet,

We’ve seen many examples on here of scammers giving faked UK caller ID numbers, to conceal their real location (e.g. India).

So if any scammers have been faking your landline number as a cover, then you may find that some of their potential victims are calling you, to try and reach the scammers.

Sky does provide some free call blocking tools (see:-https://www.sky.com/help/articles/dealing-with-nuisance-phone-calls-and-texts ) but if you want the facility to block all calls from unfamiliar numbers you’ll need something like a BT Call Guardian handset.

J. gardner says:
11 March 2021

Comforting to have Which as a safeguard

It’s in the interest of the banks to allow fraud in their drive to cashless and tightly controlled access to money/credit/cash(or not!)
Have never understood how the receiving account can’t be traced or any transferred large amount checked when a withdrawal is soon attempted. They seemed to find time to call 📞 you when you’re trying to use your (credit) card in unusual circumstances (tho less now maybe)… Their greed and people’s need means the guts have fleed (ok then, fled!) x

Ken Pickering says:
11 March 2021

I too have never understood why the recipients of fraud cannot be traced by the banks.

From my own experience with claims I have reported to the Barclaycard, there is a lot of laziness to do work there

Mikec cee says:
11 March 2021

Reported our card being fraudulently used at Deliveroo in London. Phone number for order from Deliveroo. Nothing heard from them yet. If you deliver surely there is an address to follow up. Bank identified initial suspicion but took three replacement cards before the fraudulent use stopped.

As we are considering cases of fraud, it appears to be high time to call to account those companies that state the description of their goods as being FAUX = false = fake. Mayhaps there should be an option to pay them with faux (counterfeit) currency. Surely such statements equal a clear example case of intent to defraud.

I don’t understand why there is not more done to stop phone calls via non-existent phone numbers. And why are phone providers not being made to block silent and non-existent scammer phone calls without you having to pay extra for phone barring.

K BERRY says:
12 March 2021

Can BANKS help more and intercept the scammers !!! There must be a way of preventing them by some kind of intervention that would require more verification or delayed pay out when large amounts of money are involved!

Edward Synge says:
13 March 2021

A minimum prison sentence of one year for any offenders.

But first, you have to catch and convict them.

And today does indeed look like a good day for our police to be reflecting on whether or not they are exercising good judgement as to the overall direction of their effort.

If this refers to the policing of gatherings – which it may not- I believe they are quite right to protect the health of the wider population. Covid kills, and spreads through close contact; those arranging mass gatherings know that and it is irresponsible, at the very least, to encourage and take part in them. There was adequate warning of that. There are other ways to give your views, ways that do not endanger the lives and health of others and set back the progress that responsible people have helped achieve.

The police cannot win in these troubled times and the Met is in a state of shock. On the one hand are the yo-yo-ing rules on lockdown [when is a vigil not a gathering?] and, on the other, coming to terms with one of their own in custody on kidnap and murder charges and unknown other officers who possibly turned a blind eye to acts of indecent exposure. Meanwhile the government is trying to make new laws to protect the police [Police, Crime, Sentencing and Courts Bill].

Bank fraud should be dealt with effectively by the bank’s internal audit and fraud inspectors. I too have wondered how criminals can appear to open bank accounts with apparent ease; it must require a certain amount of internal cooperation. What on earth could possibly lubricate that?

John, I very much agree that the police cannot seem to win in these troubled times.

Hence I do now think now is a very good time for them to be considering their objectives, methods and priorities. They may also need to consider if they have inappropriate institutional attitudes under which they are “always right” and any critics are “always wrong”.

As for the Met, at a time when they could be being congratulated for the swift detection and arrest of a prime suspect for kidnap and murder – in spite of that suspect coming within their own ranks – they have fallen prey to the media circus. This is thanks to footage of violence against women breaking out at what was supposed to have been a peaceful vigil in the week of both International Women’s Day and Mothering Sunday. As regards snatching defeat from the jaws of victory, they really do seem to have messed up big time.

There are times when the police make excuses and elect not to pursue some law breakers. For example, my local police do not put any effort into the investigation of burglaries that only involve outbuildings such as sheds and garages. I suspect many are now wondering why they chose to send so many officers to Clapham Common yesterday and what they expected to achieve there. As we know from today’s papers, their presence seems to have resulted in a breach of the peace. From the limited information that I have seen, I cannot say if that outcome was a direct result of poor tactical decisions by those police at the scene, or as a result of smart manipulation by others seeking to feed the media circus, or something else.

Derek, I believe all those who chose to ignore the rules should know how Covid spreads in mass gatherings, and the consequences of infection – long term ill health and death for some. So deliberately flaunting the rules could cause great harm. Those attending seemed to have no concept of social responsibility nor social distancing and many appeared not to bother wearing masks.

So, I think those who attended were, at least, very irresponsible and suspect some may have chosen the occasion to foment an issue against the police.

I, like the vast majority, have undergone a year of severe restrictions in an attempt to contain the spread of Covid and, hopefully, defeat it and come out unscathed. 120 000 sadly have not. I do not want to see all that effort and self-sacrifice undermined by a group of irresponsible people.

We are in strange times; in normal times this kind of gathering would have no impact except to generate positive publicity. The police would not need to intervene. But in these abnormal times those who wanted to express their views on the murder could have found other ways to do it that did not put the health of others at risk.

I have no sympathy and feel sad that some, including the media, ignore the real danger posed by the gathering and, instead, demonise the police. If they had not intervened then there would be excuses for mass gatherings of others – as exampled disgracefully by the Rangers fans – and our attempts to halt Covid could be thwarted.

Malcolm, I actually agree with you about the importance of following the covid rules, even though there may not be a lot of accessible evidence to show that outdoor settings pose high transmission risks.

But I do also now see a lot of other folk, who no longer want to follow any of the rules and, from exposure to too much nonsense on social media, no longer believe anything that anyone tells them about covid.

I am not seeking to demonise the police in respect of what they did at Clapham Common. But, given that they are supposed to be highly trained and skilled law and order professionals, it is hard not to think that what they did was incompetent.

I cannot see what they were expecting to achieve by turning up in large numbers. Given the practicalities of the situation, I doubt that they actually did much more than expose their staff to the covid risks that the gathering may have been creating. If it is not safe for folk to gather outdoors in large numbers, those risks apply equally to both police officers and vigil participants. Sadly, I fear the police might not see it that way, because many of them have a culture of thinking that they are above the law and of thinking that rules do not apply to them.

What I would have done differently would have been to use women officers rather than men. Except when dealing with the men also present.

Malcolm, I agree that would have been a great idea.

Phil says:
15 March 2021

There were women officers present at Clapham Common.

Worth noting that vigils took place in numerous cities across the UK but only in London and Brighton did police decide they had ‘no option’ but to wade in and start making arrests. Similarly no attempt was made to disperse the large gathering of Rangers fans in Glasgow last week.

Odd that.

Phil, those choices were indeed odd. I think what Malcolm was suggesting was the police should have used women as the majority of the force deployed to Clapham. Such media footage as I’ve seen suggested that the majority of officers were male.

Way back in 1999, I was a local volunteer at an international Harley-Davidson rally at Cheltenham Racecourse. During the meeting, some of our Ladies of Harley (LoH) members asked if we could organise a short rideout and photo call for them. I did the basic planning but realised it would look really daft if an LoH rideout had to be led and marshalled by men. Fortunately, the ladies were able to provide all their own ride leaders and marshals and so the rideout was run on that basis.

Hi guys, please can we get this back on to the topic of APP scams please – thank you

“Guys”??? I thought you moderators were “woke”? Please ensure you apply your own standards when posting. You should not draw conclusions from people’s nicknames.

Quite so. A bit of respect, please.

We all make assumptions.
The flood of comments, maybe promoted by social media publicity, seemed to have abated. Convos do tend to go down a branch line from time to time but do return when the main topic attracts sufficient interest and new material.
I am not sure what this latest revival sets out to achieve. It could be useful to see how much effect the introduction of confirmation of payee has had on the number of successful scams.

I notice that the Authorised Push-Payment [APP] scam is now being called Payment Redirection Fraud, which at least is a better description of what it is.

Apparently it is on the rise again with the imminent completion of many house sales and buyers having to transfer substantial funds to their conveyancers’ bank accounts. The criminals are getting inside the law firms’ e-mail systems and requesting clients to send their money to new accounts. Never take such action on the basis of an e-mail message – either talk to your conveyancer directly or get it in writing on the firm’s headed notepaper. Ideally, no firm would change their bank account [and they very rarely do so in practice] in the middle of a transaction as they would run parallel accounts.

When I bought my present home I went to my bank to make the payment. Not everyone has one nearby these days.

That suggests it is time for a new system to handle escrow payments. I have never been comfortable paying large sums of money for conveyancing, even to a solicitor.

You should only be able to pay the kind of money involved in a property purchase into a pre-registered bank account, ideally managed by a regulated bank or building society and covered by the Financial Services Compensation Scheme.

Since most conveyancing also involves the payment of money raised on a mortgage, why can’t the deposit be paid to the lender and transferred to the vendor on completion, rather than involve an intermediary?

I share your thinking on this, Em.

In practice, in a conveyancing chain, the purchase money goes to the seller’s conveyancer so that they can use it to complete their client’s purchase – but that could all be accommodated [and probably much more safely] in the kind of arrangement you propose.

@chriswalker Hello, I have sent an email to the Which? inbox about how digital bank Monzo are handling my sister’s case (she fell victim to an APP scam just last week). We would both be very happy to exchange our experience for support – it’s looking rather desperate. Thanks

Over the 3 weeks before Xmas 2020, I was scammed by 3, 3rd party companies that hooked onto payments coming out of my bank account, they took every penny I had saved for presents, it was only when I spotted them and tried to stop them, at first my bank said it could do nothing, but an advice line that my bank and every bank can getting your money back and they did just that and saved my Xmas, just sad it was cancelled, and then I had the nightmare in getting them delivered, don’t believe those ads on TV as it’s not easy. Has anyone seen a parcel drop off box.
3rd party scammers should be listed on line and on TV and radio, they are thieves, they take, take and take again.
I believed we were going to stop scam calls well I get 30 plus per week, it’s gone down a bit from 70 to 100 per week, but they all need stopping what happened to the Which? campaign? (sorry about anything spelt wrong, I am dyslexic)

Peter Douglas says:
17 March 2021

We have recently been getting texts from ‘Loyds Bank’ saying our account is to be frozen and to phone the displayed number. We do not have an account at Loyds!

A. Co says:
17 March 2021

What or who is the “PSR” you mention in your on-line article?

PSR is the Payment System Regulator: https://www.psr.org.uk

@chriswalker – Hi Chris – Please could you explain PSR in your introduction? This question has been asked before.

Cathy jukes says:
28 March 2021

I was scammed on February 3rd, this scam wasn’t HMRC, Post Office, DPD or any other we hear about,
This was a text via WhatsApp supposedly from my son, advising he’d changed his phone and number, I had no reason to believe this wasn’t the case. (other reasons reinforced this was my son). Not going into a mass of detail but I have lost a large sum of money, I had been expecting my son may need a short term loan as he was moving house…. there are more details that lead me to believe this was legitimate… and I transferred the money….. the bank won’t reimburse me as it said I ignored their warnings.

What warnings did your bank give you Cathy?

What did your bank do that makes them responsible for your loss?

Cathy, sorry to hear this but thanks for sharing.

I’ve heard of similar attacks that occur after hackers take control of a WhatsApp user’s account and then try to borrow money from the user’s contacts.

Sorry you’ve been stung, Cathy, and it’s good of you to relate your experience.

While I can understand why your bank will not reimburse you, they should have offered to try to trace the destination of the money with the cooperation of the receiving bank, which might possibly lead to identifying the fraudsters. Did they do that?

The message to others must be: Never take a change of phone number, address, or account details from an e-mail or other message. Get it direct from the person or organisation concerned by speaking to someone you know and can trust.

If you made the payment by internet banking, make sure the payee account details are no longer associated with or referenced to your son otherwise you might find yourself one day making another payment to the fraudsters [I hope your bank already gave you that advice or has corrected the records].

While banks can truthfully and honestly defend themselves by saying they have issued warnings [because they are there in the verbiage that accompanies the internet banking Faster Payments Service process] that overlooks the circumstances under which most people make a redirected payment.

It is often while under some sort of pressure or deadline, when taking notice of all the formal notices appearing on the screen is not the priority. That is what makes the scam successful.

These despicable scams are perpetrated by intelligent criminals who have hacked into people’s e-mails or social media traffic in order to tap into life change points [moving house, big purchase, personal emergency] and have taught themselves how to imitate the language and style of the subject so convincingly that even their own mother doesn’t spot it.