
My experience of an authorised push payment scam

With today’s news that more help is on the way for victims of bank transfer fraud, our guest, Michael Sleddon, shares his unfortunate experience.

This is a guest post by Michael Sleddon. All views expressed are his own and not necessarily shared by Which?.

My authorised push payment scam occurred in three distinct phases; in classic terms the hook, the set-up and the sting.

The ‘hook’ was facilitated by the landline. I was given a plausible story about a decoder box being upgraded, then had a phoney engineer appointment made – apparently the engineer would be carrying ID.

The ‘close’ was that I was to be offered a discount and, owing to age and loyalty, it would be back-dated. I was told they didn’t have up-to-date card details ‘because of data protection’. Reluctantly, I handed over my credentials.

The hook, the set-up and the sting

I was worried, so I contacted my provider to establish that it was a scam call, then called my bank on my mobile, going through identity procedure, cancelling my card and discussing a replacement.

I felt like I’d come within a whisker of fraud, when another landline call came through before I’d finished speaking with the bank – it was someone claiming to be from the bank’s fraud team. Little did I know, I was now at the ‘set-up’ stage of the scam.

This was one slick fraudster. He convinced me that the ‘A’ team were now on my case, and that Nigerian raiders were trying to access my funds so I’d need to transfer my money to a safe-haven.

I was extremely worried. It seems incredible now, but I was worried enough to carry out the fraudster’s instructions – he was inside my head. He even contacted the bank’s real fraud team on my behalf, putting me through after instructing me on what to say to ensure the transactions would go through.

By this stage I’d lost £9,000 and had another £8,000 frozen. He even added insult to injury, telling me that this bank account had made other accounts vulnerable, so I’d have to go through the same process with my other bank.

Another £11,700 gone, just like that.

He calmly instructed me to print a copy of the transactions, dictating the record of the transfers I’d made, including recipient amount and sort codes. He told me to take these to my local branch at a specific time, reassuring me I’d not lost a penny. The sting was complete.

Sleepless nights

When it dawned on me that I’d been scammed, I was in a hell of a state. I tried to contact my banks, but my accounts had been frozen and they couldn’t talk to me. I’d authorised the transfer, so the money was gone.

I was distraught after a sleepless night, visiting my branch first thing. I was passed on by fraud departments into long processes, and both banks generated a letter to confirm I’d been a victim of an authorised push payment scam.

The fraudster had moved my money into a ‘mule’ account – filling it, then emptying it within a couple of hours.

I was told they were not liable for my losses, and that I could contact Action Fraud if I wished. I authorised these transfers, so I carry the can, but I feel like banks should have procedures in place to prevent this from happening.


Two years ago, Which? launched a super-complaint demanding action on bank transfer fraud, after hearing countless stories from customers who’d lost their life savings. Sometimes called ‘authorised push payment’ scams, bank transfer scams happen when people are tricked into sending money to a fraudster from their bank to another.

A new voluntary code has now been produced by banks, regulators and consumer groups (including Which?) to tackle the issue of bank transfer scams. The new code will only be judged a success when victims targeted by these sophisticated criminals are treated fairly and reimbursed swiftly.

New plans published today will look to ramp up protection for bank account customers and reimburse them for losses – but only if they’ve acted responsibly and the banks involved shoulder some of the blame for the fraud.

Do you think the plans go far enough? Have you experienced authorised push payment fraud? Share your thoughts and experiences with us.



To lose this sort of money is awful. However, these techniques have been publicised and people warned about reacting to incoming phone calls of this kind. No help to Michael, but ensure you contact legitimate people at your bank by making the call yourself. If the bank has simply carried out the account holder’s instructions they are doing what they are supposed to, unless they are aware of the fraud being perpetrated. Con men of any kind are professionals who are practised in techniques that can defeat ordinary mortals, but that does not necessarily make someone else responsible for the loss.

The question of when to compensate depends upon the degree to which both sides have been negligent. The Payment Systems Regulator consulted on this in Nov 17 and published the outcomes in February 18. An interim code of practice was planned for this month. Which? tells us this has now been published. They are, apparently, part of the steering group helping in its development.


1.3 (PSR) received responses from 21 organisations (which included the major UK retail banks, Which? and UK Finance), one Parliamentarian and ten private individuals. Consumer groups and many of the industry players were supportive or conditionally supportive of the introduction of a CRM (Contingent Reimbursement Model)* for victims of APP scams. We received a range of views from different stakeholders on the key elements of the model and how it should function.

1.4 Taking account of responses, we consider that an industry code, developed collaboratively by industry and consumer group representatives, that sets out the CRM’s rules is the most effective way to promote the interests of users of payment system services and reduce the consumer harm that APP scams can cause…….

We have set out an ambitious timeline for the steering group. We want it to produce an interim code by September 2018 that the Financial Ombudsman Service can start taking into account as a relevant consideration when determining consumer complaints about APP scams. The steering group – following a final round of consultation – should have the final code in place in early 2019”

*The CRM will involve deciding the “requisite level of care” that someone has to take when deciding the outcome of a complaint.

As Michael points out, fraud can be very sophisticated and convincing. We are advised to report cases to Action Fraud but the rate of success is not good: https://www.thisismoney.co.uk/money/beatthescammers/article-6200923/Shockingly-low-number-fraud-cases-successfully-cleared-up.html

My approach would be either to ask the caller to put the details in writing and post them to me (I would not give an address) or I would find out brief details and contact the organisation myself.

There’s a crucial hole in this story. For what purpose did the fraudster say that the victim needed to transfer money from their account? Bear in mind that it is implausible that a bank cannot move money between its own accounts. And in the knowledge that a scam was in progress, why did the victim act upon instructions on an incoming call, which could have been from anyone?

I wondered about the point where the victim states:

“another landline call came through before I’d finished speaking with the bank”

Now, here’s what immediately occurred to me. If I were ringing my bank to attempt to detect a possible fraud there is no way on Earth I would take another call on the landline while I was doing that. I’m also curious about the purpose of the call to the bank, which mentioned

“cancelling my card and discussing a replacement”

when neither action would have any effect on a possible transfer inaugurated by the victim.

There’s a major issue with all this, and that is that because a few very widely publicised frauds occur the banks will make it that much harder to transfer money for everyone. I know I’m being selfish, but I don’t want my bank paying out to people who’ve authorised vast payments because of someone calling them on the ‘phone. We’ve known about this for years – around 20 years, in fact.

The details are fuller here:

Barclays and HSBC

there are other shockers in the article.

The problem is the banks have to be very careful about customers claiming they’ve sent thousands to a person or shifted thousands to another account on the word of someone they’ve never met and who could just as easily be scamming the banks themselves. It’s not easy, I admit, but there has to be a point where people start to take responsibility for what they do with their own money. If the banks automatically refund everyone, then I predict a massive rise in bank scamming.

In the case of vulnerable people, then there needs to be someone who takes responsibility for their finances.

Those stories on the Daily Mail all have one thing in common – the victims were all called by banks or services they were already using.

I agree with Ian, automatic refunds will create a massive rise in bank scams.

“He persuaded Mr Sleddon to transfer £9,000 to a ‘safe’ account before a second £8,000 payment was blocked by Barclays” – It should reasonably have occurred to anyone that a bank is capable of transferring money between accounts that it administers, and that it would never need to ask an account holder to do so on its behalf. There is no plausible reason that a bank would be unable to transfer money between its own accounts.

I suppose what makes me so frustrated is the willingness of people to believe someone whom they’ve never met and who calls them out of the blue. I always attempt to change the context.

Assume I’m walking down the high street and someone I’ve never met claims to be from my bank’s fraud department or the Police. They claim they want to alert me because a scammer ring is operating and they think my funds may be at risk.

Firstly, I know for sure that if I do absolutely nothing whatsoever my money is secure. We know our bank deposits are guaranteed by the government to £85,000 per person per Bank, so the safest course of action is to do nothing.

Secondly, I’d want evidence that this bloke or woman is who they claim to be. The safe way is to call my bank on a mobile. Or call 999. Either way, that’s almost certainly the last we’ll see of them.
Is that being unreasonable?

It frustrates me how many people mistakenly blame the sending bank, when they were not at fault and simply followed instructions to send a payment. Any blame lies with the receiving bank, for allowing a bogus account to be opened by a fraudster, or with a mule who allows their genuine account to be used for criminal activity.

Which? publish an online article today that includes:
New plans published today will ramp up protection of bank account customers, and reimburse them for their losses – but only if they’ve acted responsibly and the banks involved shoulder some of the blame for the fraud. However, those who’ve lost money from an APP scam where neither they or a bank is at fault won’t be immediately covered by the reimbursement scheme – mainly because banks don’t think it’s fair that they should pick up the costs.

Read more: https://www.which.co.uk/news/2018/09/more-help-for-payment-scam-victims-but-some-will-still-be-out-of-pocket/ – Which?

I agree with this.

And today I am asked by Which? to vote on:
The banks say it’s not fair for them to pay out if it wasn’t their fault. Do you think banks should reimburse blameless victims of fraud? Yes No ”

I have to ask, if the banks are not at fault, why should they “pay out”? It is not they who pay out, but all their customers in the end. The customer who is duped has a responsibility for their actions; they are not necessarily blameless if they have instructed their bank to transfer money; they are an involved party.

Were all victims automatically compensated we’d, I guess, soon be hearing of banks being defrauded by sophisticated claimants, or at least people taking a less careful attitude to parting with their money if someone else will always reimburse them. So I voted No.

I tried to vote NO and got
This page can’t be displayed
Make sure the web address https://whichcouk.bsdnet is correct.

The Conversation team are still in possession of my old e-mail address but if I had been asked to vote I would have abstained until I had investigated the whole story behind a ‘blameless’ victims case.

Banks have sophisticated legal advisers working in their favour, skilful enough to be able to interpret the facts. Scammers are often ex bank employees, equally as sophisticated inasmuch as they pick out and target their victims who they consider to be most vulnerable.

Never forget your bank knows more about you than you realise. It’s in their own interests to assess all your spending habits, the money you earn, how and where you earn it, how much you save, do you take unnecessary risks, your marital status, your family, your personality, are you easily fooled or too trustworthy, do you have a cavalier approach to money generally and much much more.

With all this information about you the scammers will target and pick a time to randomly phone you when off guard, maybe at the end of a hard day when you are tired hungry and stressed out and not able to think as clearly as you would earlier in the day, especially after a glass or two of your favourite tipple.

It’s easy to apportion blame when you haven’t been approached by one of these sophisticated but deviant bank robbers who, by first undergoing a form of evil transition that enables them to dehumanise and objectify others that then justifies their malevolent actions and enjoy, without any guilt or shame their easily gained rich pickings.

My sympathies lie with Michael Sleddon in this instance.

Beryl, the same applies to someone who has their pocket picked, is mis-sold a product, overcharged when their guard is down…… Tricking people out of money happens in many different ways, and always has.

Beryl, there’s a lot in what you say. And I admit I’d forgotten that the banks know you quite intimately and it would only take a bent banker to appear on the ‘phone as though they knew you and were legitimate.

Malcolm, who would, in their right mind, carry their life savings in their back (or front) pocket or their handbag?
Much safer under the mattress perhaps?

Ian, there are a few ex bank employees who have been given ‘the chop’ for one reason or another, but you never hear about them because a bank’s reputation is sacrosanct.

It seems to me that with the billions that have been invested into fintech (over a very long period – remember when Santander promised we’d all be banking through our set-top boxes by 2003?) identity verification in banking should be a long way beyond where it is now.

If I can get an Uber and have the numberplate, name, location and trust rating of a driver before they arrive, or use an app like Yoti as a digital, paperless proof of a passport/driving licence, backed and verified by a secure link with the DVLA and Passport Service, then why aren’t banks insisting on ringing me only through their app over VOIP wherever possible? Why can’t I expect identity confirmation when making a payment through my online banking, ideally including verified ID and an approximate GPS location? I mean, I need ID to open an account, why shouldn’t that be baked into the service in return? Yet again, most banking tech seems to have fallen behind other services.

Nothing will ever be perfect but all of these things are already entirely doable and could be immensely beneficial to banks in an environment where trust and security are increasingly under threat.

@adam-gillett, I think it would be worth asking the PSR (?) for an explanation of why confirmation of payee has not happened before, and why it seems not so simple or quick to implement. We can all have our views on what we want, what should be done, and what should have been done in the past, and you may have an expert view on this. But I’d like to see explanations from those directly involved in the problem.

Adam – I think you ought to consider the volume of payments that the Banks deal with, and that VOIP is not necessarily going to be answered or available. For every technology layer added the ungodly devise new ways to circumvent them.

Humans are the weak spot and the constant divorcing of people from physical actions and time for considered thinking really are not helpful at all. Yes they should be better educated about doing nothing hurriedly with the Banks but lots of media keep pushing convenience as the thing to go for.

Btw perhaps if the Banks took a slice of each correct payment [Uber charge 20%] then they could go to extremes in staffing and security, and cover the bad payments …..

I am not bank friendly but I am realistic. Certainly mule accounts and account opening are huge weak spots and the Banks have been having an easy ride in these respects. However the conduct of major organisations like Facebook selling members’ telephone numbers, and like many others with major security breaches should indicate to anyone that the electronic frontier is badly policed and potentially dangerous.

Hi Patrick,

I agree that there isn’t a magic bullet, and it’s likely that criminals will always find ways to circumvent even the best of protections. However, much of what I suggest is extremely marginal in cost, and much harder to circumvent than current systems. I agree that individual responsibility and care come into it, but there are small step changes like these that can be implemented to add safeguards. As an analogy consider the ‘governor’ device used in passenger lifts, invented by Elisha Otis. It cost a little more to install, but it also worked in the vast majority of cases – and the trust in the system itself was increased, driving custom.

Education and personal responsibility – absolutely. But it’s also on the banks to get with the times and upgrade their defences wherever possible.

@adam-gillett, are you asking the PSR to comment on this? I’d like to see why such simple solutions (if they are) are not implemented. Which? have been involved with the PSR consultations so presumably have an insight into the complexity or otherwise of improving a system.

As NFH has suggested, so long as banks allow dodgy people to set up accounts for collecting money rather than for normal domestic purposes, or they fail to check the activities and transaction traffic of ‘mule’ accounts, then I feel they have a moral obligation to accept partial responsibility for such fraudulent activity. The receiving bank is the negligent one here. Surely any account which is filled and emptied within the day should be under suspicion, the more so if it happens frequently.

We need to make people understand that if they receive an unexpected call about money they must treat it as suspicious until they have verified it. We also have to resist the temptation to take the bait that has been put on the hook by the fraudster. Easier said than done perhaps, but the banks have a role to play in educating their customers in how to avoid getting caught. This goes against our natural instincts, but learn how to do it we must.

A few rules across all banks to help fight fraud and aid recovery of stolen funds:

Close all empty accounts.

Any money being put into new or previously unused accounts has to remain there for a week. Software should be able to identify test deposits.

Any money heading out of the country? Get confirmation before releasing it. A text to say ‘Your money is going to Nigeria, is this correct? We are holding it for confirmation.’ Some historical questions from both sides should be able to confirm the right people are talking to their banks.

Photo ids for every bank and building society account. We need a system shared by all the financial institutions so you can walk into any of them to have your photo taken. Phase 1 – all new accounts and those that do not have regular income and outgoings. No money can be withdrawn without a photo id.

Financial institutions have to start working together to fight fraud.

Why “close all empty accounts“? Just because you can’t think of any of the many genuine reasons for why an account might need to remain at a zero balance for an extended period does not mean that genuine reasons don’t exist. And you also don’t explain how empty accounts are part of the problem.

You also wrote “Photo ids for every bank and building society account“. All banks already require photo ID in order to open accounts, but the problem is fraudsters supply false photo ID, and banks have no easy way of spotting them, not least as they do not have the ability to check databases of issuing authorities. And there are dozens of issuing authorities, particularly when you consider that national identity cards and passports are issued at a local level in many other EEA countries.

I’d like to thank Michael Sleddon for sharing his unfortunate experience and commiserate with him on the outcome.

With the full benefits of 20/20 hindsight, it is easy for us to all say “we’d never fall for that”, but, as humans, we are all capable of making mistakes, if our luck runs out.

As a currently retired safety engineer, I’ve spent a fair amount of time studying the causes of accidents, including human errors by plant designers, managers and operators. From that experience, I know that always expecting people to only ever do the right thing doesn’t usually lead to highly safe plant and operators.

In the training courses that I used to run, we used to include some examples where designers or operators had opted to do things that, in retrospect, all look to be amazingly daft but which all must have seemed like good ideas at the time.

I’ve also found that there is a lot of common ground between good safety practice and good security practice. In these days of home banking, we can all easily move money with just a phone call, or, even worse, after just a few simple interactions on a PC screen.

I think there are a lot of ways in which banks could improve the procedures by which money transfers are enabled, to protect their customers from human error. To progress towards that, key first steps would be to end pointless debates about whose fault frauds are, then acknowledge and own the problems, so that improved safeguards can be provided.

I agree, particularly when trusting people are exposed to professional fraudsters. However, that does not make the banks automatically responsible. As you say, it requires actions to be taken to combat fraudsters and from the PSR reports this is recognised. I suspect problems lie with the number of institutions involved all with their own software, and the legal requirements on privacy of information. Obstacles that need to be overcome but nevertheless they are impediments to rapid progress.

We see the same sort of thing in computer hacking, don’t we? And other kinds of fraud. As soon as one bit of security is applied to deal with a problem the criminals will open up another avenue of attack. Those policing the system will always be a step behind.

We must not overlook the value of continually trying to educate the individual alongside improving security. Perhaps we should also consider restricting certain individuals’ ability to perform certain operations on their bank accounts without assistance, and certainly not instantly. Holding a transaction for 24 or 48h might allow second thoughts, or a second opinion, to change the decision.

Malcolm, I agree we shouldn’t just expect the banks to always carry the can here.

I like the idea of automatically delaying any transaction over a certain threshold and also the idea of subjecting them to some kind of process that would allow adequate thinking time between the first request for any large transfer and a final confirmation before it is paid.

Derek: very good points, and I was trying not to come over as someone who simply wonders how these things can happen.

What you were saying about similarities between good safety practice and good security practice I found interesting, and it’s clear the banks could improve their systems. But in a sense that merely shifts the focus of ‘blame’ onto them. The real blame is, of course, the fraudsters’ and perhaps another idea might be to ask the BBC and ITV to start to feature these sorts of scams in Corrie and East Enders which, I gather are watched by a very large number of viewers, and thus help elevate the issue in the public mind.

Perhaps a mass-mailing to everyone in the UK with a little ‘anti-fraud’ code, stressing “doing nothing is safe” when you’re contacted by someone you don’t know and asked to move money might also help.

However, I suspect we’ll not be able to save many from themselves. Panic will remain the fraudsters’ weapon of choice, along with ignorance and carelessness and I’m not sure the majority should be penalised for those who cannot or will not take clear advice.

Ian, I certainly wasn’t trying to make you look like a bad guy here.

In the often criticised field of Health and Safety, I think we have learned to focus our efforts on preventing accidents, because apportioning blame afterwards cannot undo any harm that has been caused. As an experienced motorcyclist, I was much more interested in avoiding injury than in asserting my “rights of way”, as seen by my world view and interpretation of the Highway Code.

I agree that panic is a factor in many scams, just as time pressure can be a factor in point-of-sale upselling. Also, both of those circumstances seem to use “hurt-and-rescue” selling techniques.

There are also many industrial situations where stopping work and then “doing nothing” (until cooler heads can prevail) is the safest course of action, if things start to go wrong.

Mass mailing everyone with anti-fraud guides would help, if folk read or listen to or watch them. Different forms of media could be used to target different demographics – for example the Archers could be used for the “country bumpkin” segment while FaceBook might reach those with smart phones and not enough to do.

I regularly receive emails from my banks regarding fraud, protecting my accounts, how they will contact me and so on. Presumably all those with online banking can be contacted and educated in this way. But is the information taken in? Are all account holders sufficiently aware to handle their accounts in a secure and responsible way? Hence I suggest some accounts might be restricted in the way they can be used unless a nominated person, perhaps, endorses an action.

One important issue on this subject is the rate of new technological advancement and subsequent updates taking place at commercial, corporate and domestic level. Many people, (myself included) especially the elderly, struggle to keep abreast of these constant changes which leaves them more open to fraud by high-tech global scammers who deliberately target anyone who may not have the skills required to deal with such changes, which begs the question, are we becoming a nation of schizophrenic type thinkers that regard everyone they come into contact with, including those by e-mail or ‘phone, as highly suspicious, thereby creating a state of constant irrational fear and dread of every transaction made?

For example, I have recently changed my ISP and e-mail address and whilst notifying family and friends was relatively easy, contacting ordinary online domestic suppliers has been fraught with confusion and uncertainty, involving many ‘phone calls with their numerous automated button pressing instructions and procedures until you finally manage to engage in a conversation with a real person authorised and competent enough to deal with all the inevitable and necessary security procedures such as ID and account checks. Their websites will often include easy ways to change your home or delivery address but never seem to include any info about how to change your e-mail

I deduced from my own personal experience, a general reluctance and entropy to change one’s e-mail address unless under pressure to do so, leaving you more vulnerable and open to fraud. Sometimes just changing a password is not always sufficient protection against these scammers as they are often insiders who have, or have had access to your personal information.

I suspect you mean “paranoid-type thinkers”, Beryl, but I take the point, although a certain degree of Paranoia is rather useful. It is, after all, how our ancestors survived.

Changing email should be a painless, if arduous, task since that capability should be under ‘My account’ in every company with whom you do business. But I agree it’s not always that easy.

I agree with you about changing an email address Beryl. Apart from the problems you found – I hadn’t realised that part was so difficult – simply remembering everyone I needed to inform would be a challenge, particularly those organisations that make essential but very infrequent contact. Luckily I’ve kept my address for many years but losing it would inhibit changing provider. For examples of the problems it causes, just look at the anger the sudden loss of Which.net caused.

Technology continually advances and we think we benefit from it. On-line shopping is convenient, saves money, opens up wider choices. Banking is far more useful than it used to be. But such advances do bring the disadvantages you mention, and I see no easy way round this other than keeping up with technology, or relying on others to do it for you. It is not new – we’ve had to deal with credit cards, boiler room shares, fraudulent adverts, and if we worried about everything that might befall us we’d seize up. A pragmatic approach is needed – how likely is it to happen? What are the chances of being involved in an air crash?

Paranoid schizophrenia is indeed a serious mental disorder characterized by a delusional state of mind leading to irrational thoughts and fear – not to be confused with a schizoid personality disorder or SPO, a personality disorder characterised by a lack of interest in social relationships, a tendency towards a solitary or sheltered lifestyle, secretiveness, emotional coldness, detachment and apathy. It is possible to have a combination of both bi-polar and either of the two schizophrenic type illnesses commonly referred to as schizo-affective disorder.

It is not unusual, if and when undergoing extreme stressors to experience a paranoid type thinking without developing the full blown illness but chronic stress can manifest in a variety of different complaints depending on the individual’s ability to cope with it.

Living in constant fear of your lifesavings being snatched away at the simple click of a switch or a press of an unscrupulous scammer’s button can lead to a type of paranoia similar to that experienced by sufferers of this dreadful disorder and an extremely unpleasant way to live by anybody’s standards.

The stats report 1 in every 4 people suffer some type of mental disorder. I don’t know what the air crash stats are Malcolm but I suspect fewer people would take to the skies if it was even half that of the number of people with mental illness.

The Which? comment on the new proposals says:

But if neither you nor the banks involved in the transaction hadn’t done anything incorrectly, you won’t be refunded for the time being. This is because banks say they shouldn’t have to bear the cost of refunding fraud victims when banks weren’t at fault. Until a way of funding losses in this scenario is agreed upon, this group of victims will not get their money back.

Read more: https://www.which.co.uk/news/2018/09/more-help-for-payment-scam-victims-but-some-will-still-be-out-of-pocket/ – Which?

I’d suggest someone has always done something incorrectly. A bank may have applied inadequate security. The victim may have acted unwisely, even though they were fully taken in by the fraudster. I think to pursue a wish that whatever the situation the victim is always recompensed is both unfair on those who pay – it will be you, me and other bank customers – and dangerous, in that it can lead to less responsible behaviour knowing you can’t lose or, worse, open up deliberate deceit by the bank’s customer; for example collusion with a criminal scammer.