
Anyone can fall foul of a scam – and I’m proof of that


One in 10 Which? members has been scammed in the past five years and with official figures showing that consumers lost a shocking £6.1bn to fraud in 2011, it’s clearly big business. I’ve found out the hard way.

I’ve worked at Which? for more than six years and I would say I’m pretty savvy when it comes to consumer issues. But that doesn’t mean I’m not susceptible to online scammers.

Indeed, only last week I found I’d become just another statistic in the world of the bank email phishing scam. Yes, I fell for the oldest trick in the book and my wallet was £240 lighter as a result.

Now, I know I shouldn’t respond to emails sent by my bank asking me to click on a link. And I know that when entering my personal details online I should make sure the site is secure (by checking it’s got a padlock sign in front of the web address). And I also know that banks don’t ask you for these details via email. So, what went wrong? How was I fooled so spectacularly?

Flurry of NatWest banking scams

Well, a number of coincidental events occurred to conspire against me that day. I’d tried to log in to my online NatWest account a few times and had entered the wrong password and PIN.

When I checked my emails I had one from my bank entitled: ‘Your account has been put on restricted status’. When I opened the email it went on to say that my online access had been ‘temporarily suspended’ and that this was due to ‘a number of incorrect log in attempts’.

As this happened to be true, I clicked on the link without thinking and began entering my online password and PIN. But then the alarm bells rang and before I’d entered all my details I promptly ceased what I was doing and closed down the page. But, it was too late.

£240 lost due to online phishing scam

That evening the fraudsters called NatWest pretending to be me, saying my card had been stolen and requested emergency cash. NatWest proceeded to give the scammers a PIN they could use in a cash machine whereupon they happily made a £240 dent in my bank balance.

When I filled up at the petrol station the following day I was told that my card was blocked (luckily I had just enough cash on me to pay for the fuel!). I contacted the bank and was informed that my account had been frozen.

After some further discussion, the fraudulent activity became clear. I was advised to make a claim for fraud, which to my surprise, has subsequently been turned down. I’m now in the process of appealing and do expect to have the money fully refunded.

Apart from the obvious financial loss my pride was also hugely dented. I felt really stupid especially as I work for Which?, and know about these things. Believe me, the irony is not lost on me. But it does just go to show that when your guard is down anyone can get scammed.

Have you been the victim of a scam? Did you report it and if so what response did you get?

Comments

Very sorry to hear your experience. Something similar nearly happened to me once but I stopped short just in time – I noticed the address code in the lower bar of the e-mail page that appeared as I hovered over the link and I hesitated long enough to realise it was not correct. It is so easy to be taken in by an unfortuitous combination of circumstances. My ISP’s e-mail filtering system is now much more effective and such a message would not drop into my in-box but go into the junk folder. My bank now puts my residential postcode on any e-mails it sends me with information about services – this is a further safeguard. I once requested the bank to improve the language used in their official e-mails to make it less casual; I noticed that the scammers were having difficulty composing literate English messages so anything the banks did to employ correct grammar, punctuation and sentence structure would minimise the risk of impersonation. I think there has been some improvement in this regard but we still have to be exceptionally wary – there are some clever criminals out there.

Maybe I don’t have complicated financial affairs but the only emails I can remember receiving from my bank have been to confirm appointments.

As John says, the standard of English betrays many scams. Most of those I have received are well known, with warnings on websites, but I have reported a few that are either new or not well publicised.

Amanda provides a good example of how, in certain circumstances, we can be less vigilant than usual. It does not surprise me that those who suffer frequent computer problems are easy to persuade that they have a problem with their computers and become victims of a scam.

I use NatWest online banking and had no idea what I would have done in Amanda’s position, where I could not log in. Having investigated, there is clear information on their website, but if that was not there I would phone the bank for advice, as I did when I was having a lot of trouble with a Halifax savings account.

Though I have never been victim of a scam, I think I have done something silly by placing a deposit on a car, which turned out to have been sold by another branch of a dealership. I cannot believe that I have been silly enough to have given a £300 deposit, via debit card, without getting something in writing. Normally I don’t have much sympathy with those who let themselves be cheated but I’m feeling rather humble at the moment.

john mccolgan says:
14 July 2012

Not a scam as such (debatable) but certainly immoral business practice. As a disabled person my door entry system buzzed. The caller identified themselves as “wishing to discuss changes at the local BT exchange that may affect my service”. Suspecting all was not well (distraction burglaries etc) I refused entry and told them to write to me. Unhappy with this I called the police who attended within 4 minutes. They detained the 2 people. It turns out they were representing Talk Talk and trying to sell phone and broadband services. Although not ACTUALLY saying they were from BT they certainly gave me that impression. BEWARE of these sharp practices. I have written to Talk Talk to complain.

jim says:
14 July 2012

This has just happened to me. The thing is I haven’t clicked any dodgy links or given out any info. In fact the card the fraud took place on is one I never use for withdrawing cash and don’t even know the PIN of. It’s a joint account card just associated with housey direct debits and the occasional pizza delivery (no PIN needed for that..). I only lost 60 pounds but both my cards have been cancelled and my online account currently doesn’t work.

I’d really like to know the questions that are asked to verify the ID. Incidentally NATWEST flagged it up themselves (even though they gave the money…. dunno how that works) as they said the voice didn’t match my profile (I’m guessing foreign).

It’s not much money but it’s scary. They said they’d refund the money, just got some forms to fill in. I also had the embarrassing experience at the petrol station!

@Amanda, hands up all those who haven’t read my comments on the 26th June on https://conversation.which.co.uk/money/natwest-glitch-bank-account-meltdown-payment-problem-advice/

warning of Natwest phishing emails. [That I’d cut and pasted from Action Fraud’s Twitter feed; they’re definitely worth following, as is your local Trading Standards]

And I’m sure I posted a warning on another convo when the RBS fiasco broke, warning of it being a scammers’ paradise, but I can’t find that post 🙁

The thing that annoys me about emails from legit companies is the fact that these days many companies outsource that stuff, so when hovering your mouse over any links in the email they’ll point to a random collection of letters, and out of principle I won’t click on them and in some cases have actually forwarded them on to the bank’s fraud email account warning of a fraudulent email. Is it really so difficult to have a routing page on the bank’s website which the email can point to [answer: no, it’s not]? That way people will clearly see the links going to the right address and therefore will hopefully never ever then click on a dummy address.

A fine example of what I’m referring to can be found in many Which Switch emails which were routed through prizewize dot nl when hovering your mouse over www dot whichbigswitch dot co dot uk or “personal page”.

Companies need to be trained to stop using scammer friendly methodologies.
Maybe Which? could start a campaign to tidy up emails like this. (starting with their own)

Good point on outsourcing. I ignored three recent emails however saying my internet domain would be suspended unless confirmed, as clicking on links in random emails where the email address does not correlate to the entity they say they represent – in this case ICANN is always wise. Was not wise here!
My internet service provider who hosts my website/domain had not told customers that from about a year ago once a year you will receive an email from these people with the funny name which sounds very dodgy but unless you click on the link your whole website/business goes down! Wow. Emails I sent out for work were not received. Emails to me were not received. Thankfully on a Saturday my domain hosting company were around and got it all back up for me, but the dodgy looking original emails I had never in 20 years had by email requiring confirmation of domain name were absolutely genuine!

You can’t win, can you?

Oh and I wouldn’t be surprised if there’s an O2 email scam doing the rounds at the moment either. Companies who fail to provide a reliable service just play into the hands of these fraudsters.

Please don’t assume that scams are necessarily the fault of the cardholder.

My credit card company informed me 6 years ago that there was a suspicious use of my card in Florida. I confirmed that I was in the UK (never having visited the USA). The several fraudulent purchases had been stopped, and the card cancelled. None of my other cards were affected.

Recently, by googling my mobile number, I discovered the full details of the above card published in a text file that had been “dumped” from a Russian web site (name ending in .ru). It also contained my then address, along with the delivery address and recipient’s name (a relative). This text file also contained 2 dates (again, from 6 years ago). When I checked the credit card statements, the dates corresponded to an internet purchase one evening with payment being accepted the following day.

As this file also listed similar details for 1000 other people and their credit/debit cards, I contacted the company (now under new ownership), and they admitted that the credit card details had not been properly secured at the time (under previous ownership). They promptly agreed to contact various search engines and any other relevant organisations to remove the offending internet file. However, the cache still left a trace, so I contacted them again, and they said they would recheck to see if the cache would be purged within another month or so. It now appears to have been purged. I suspect that the purchases in Florida and the above internet order were linked.

My efforts to report this matter to the Police and the Credit card company in the last 2 months met with no interest. I would recommend that everyone checks their telephone numbers/address/postal code on Google, Bing and DuckDuckGo. I would not suggest you directly check your card numbers in search engines on home computers – if it’s been hacked, you may have just given the hackers your credit card number.

A few years ago I noticed £3.75 was missing from my First Direct account – I had not clicked anything anywhere – I checked with First Direct and found the application was fraudulent – So I informed them – but a week later I found the same people had removed £350 from my account – I was livid because I had informed them. However they refunded the £353.75 and changed the card – I can only assume my card had been cloned in some way, Hasn’t happened again since – but I check often.

Jess says:
20 July 2012

I have recently fallen victim to exactly the same as you Amanda. Although only £120 was taken out of my bank, I only had £140. I am a recent graduate unable to find work and attempting to live off JSA. I had this £140 from a £75 gift from my grandma for passing my degree and the rest from selling my possessions on eBay. I am now being faced with charges from O2 and my laptop company as I am unable to make the payments this month. This will obviously push me further into debt and over my overdraft, probably resulting in bank charges from Natwest!

Natwest’s response? My fault. My problem. To them, it looks like a small amount has gone out of my own stupidity. Yes, I shouldn’t have opened the email, but that small amount was practically all I had!

I am appealing this, does anyone have any advice for this process?

Lorna Elwick says:
20 July 2012

I was surfing the net and I came across a link to someone who had discovered a cheap way of whitening her teeth and at the side of that page was an advert about getting a free delivery of some sort of stuff to whiten teeth. I clicked “RUSH MY ORDER”, it didn’t ask for any details and I divulged absolutely no information. But from that click they got my bank details. Apparently, I had signed up for a regular, monthly amount of whitening agent. £70, then £44 disappeared from my account. I couldn’t get help from my bank because they said that only I could cancel the arrangement. There was paperwork with the product but I couldn’t see anything like a phone number. My husband found a name ACTIPRO and a phone number. After trying numerous times, he managed to cancel (he has POA over me).

Another thing that banks could do to help stop scams is not ask for security details over the phone when they call you. More than once my credit card provider has called me about a potentially dodgy transaction and promptly started asking to check my security. I think they should just say that there is a possible fraudulent transaction and ask me to call the number on my card.

RD Brunning says:
27 July 2012

My experience mirrored Amanda’s. I received a “Santander” email advising of changes to its website with links to view them. That didn’t interest me but as it had been sent to my work email address which I no longer wanted to be used I thought I’d use the link to delete it & register my private email on Santander’s web site. That was the scam because I had to input my security info to make the change which went straight to the crooks. They immediately emptied my current a/c plus the £1,000 overdraft facility. Santander didn’t even notice this was an extremely unusual & suspicious transaction & paid out in full, no questions asked!, even though I had never been in the red once during the many years of banking with them. My a/c was frozen for over a month, no access to any funds to pay STOs or DDs or pay any bills. Eventually Santander made a full refund but they were an absolute nightmare to deal with. I’ve since closed the a/c & opened elsewhere. The FSA told me banks were obligated to repay victims of scams unless they could prove you were negligent in giving your security info to others & neither Amanda nor I were negligent.

Jatroa says:
29 July 2012

A most annoying thing is legitimate companies that ring up and ask you to identify yourself with your date of birth, mother’s maiden name, postcode etc, due to the Data Protection Act.

…..If you ask them to prove who they are, they are most affronted. And just how many people, maybe some untrustworthy, know this information by now?

The same thing in Tesco’s.. When you pay them with a note, they test it.

If you hold their change notes up to the light, or are slow in checking your change.. again affronted.

As to credit card frauds. I change mine every six months by saying that I have it and get a new number. It’s free and could prevent a fraud but you do have to do without your card for around 4 days.

If a company called me and asked for information, I say that I will call them back, which I do after looking up their phone number.

I deliberately use a credit card with a small credit limit wherever possible, just in case there is a problem. I have not had a problem in 40 years and the number has never changed.

Tina says:
1 August 2012

Amanda- I’ve just had the EXACT same thing happen to me with Natwest. I’ve just had £240 taken out of my account because I stupidly put my details into that email that looked like a legitimate Natwest email :(( I really hope I get my money back- I think the only difference with me is that it has been reported as a fraud case, they said they are investigating the matter but I just feel like such an idiot!!!

Jess says:
1 August 2012

Exactly what happened to me Amanda. The scary part was that whoever sent the email knew that I’d been traveling. They’re refusing to give me it back, I’ve just got Ombudsman forms to fill out… let’s see how it goes. If that doesn’t work, I will be closing my accounts with them.

Tina says:
4 August 2012

I’ve just received a letter from them refusing to pay it back as well! Did you have to complain to Natwest first before you went to the ombudsman service? This is such a pain….

Hopefully something like this http://epetitions.direct.gov.uk/petitions/36154 will help reduce people’s susceptibility to falling for a phishing email. If you do agree and sign it, you’ll need to click on the confirmation email they send.

Just to prove my point about how legit companies don’t help the customer. I’ve just had an email from the Royal Mail. I can’t guarantee it is however, as all the links in it route via list-manage dot com

I’ve forwarded it to the Royal Mail using the email address on their webpage, as it’s not the same as the one in the email, asking if it’s genuine. But I shouldn’t really have to, should I? Just wish more would sign my petition.

Jess says:
4 August 2012

Yes Tina, you need to have a final letter from the bank, refusing to pay you back, then you can call the Ombudsman, they will send you forms etc etc

Do you poor souls who have been scammed still have the original email? Suspect links and all?

Jess says:
5 August 2012

Yep, sent it to Natwest and a copy will be going to the ombudsman!

Louise says:
10 October 2012

Having read all the previous entries and hearing of similar scams, I thought I should share my experience of only last Monday. I very rarely remove cash from my account (April 2012 was my last) and I don’t subscribe to online or telephone banking. I was lodging some cheques at a local branch of the Nat West and casually requested a mini statement; to my horror £2750 had been withdrawn in amounts of £250 per day plus one emergency cash withdrawal.. all via ATM!!! I immediately notified the bank and the card was very quickly cancelled. The amount has been re-credited to my account pending a full enquiry (I hope this remains the case). The fraud team told me that it appeared that an individual has registered for online banking to a mobile phone on my account… astonishing – as mobile phones aren’t EVEN registered to addresses (if SIM only). I questioned how this could possibly happen and they just questioned whether I had ever done online banking… I never have and confirmed to them that I now have no intention of doing so – I have had a block put on my account so that any future request to online bank will have to be confirmed by my attendance at a branch with photographic evidence… Hope it all turns out okay 🙂