/ Money, Scams

Publishing our bank transfer scam dossier

A man looks worriedly at his laptop

Today Which? is submitting our report to the Lending Standards Board, sharing the experiences of consumers who have lost out to authorised push payment (APP) scams.

It is one year since the launch of the Contingent Reimbursement Model Code as a step forward in how to treat victims of authorised push payment (APP) scams. 

As you know Which? has campaigned hard for action on APP scams. As part of our super-complaint to the Payment Systems Regulator (PSR) four years ago we collected evidence from nearly 600 fraud victims who told us they had collectively lost over £5.5 million to bank transfer scams. 

We are pleased to see the code has led to more innocent people being reimbursed after falling victim to this type of scam. In the last full year before the code launched, just 19% of the amount lost by individuals was returned to them. In the first six months following the launch of the code, signatory firms reimbursed 41%. However, there are some glaring inconsistencies in how banks are treating their customers.

Today’s report captures some of the many experiences of consumers who have lost out to APP scams.  We hope that this will help inform the Lending Standards Board in their review of the code, and highlight what still needs to be done to protect consumers. 

Voluntary scheme

As part of today’s report we are also calling on the PSR to review whether a voluntary code is the best approach. 

We are worried that banks are failing to implement the code fairly and consistently, leaving customers scared, confused on what options are available, and unfairly out of pocket. 

According to the PSR, four of the eight signatory firms had fully reimbursed victims in 6% or fewer cases between May 2019 and February 2020. One firm fully reimbursed just 1% of victims, while a different firm had fully reimbursed 59% of victims.

Which? has had to intervene multiple times to help victims of APP fraud get reimbursed. 

We believe that banks, regulators, and the government must work together to make the code mandatory and ensure that strong standards on reimbursement are introduced.  

What to do if you’ve been scammed

If you think you have been scammed, you should contact your bank or card provider immediately. You should also contact the bank where your money was sent, as they may be able to stop the transaction.

Read our advice on what to do if you’re the victim of a APP or bank transfer scam.

Register for scam alerts

Which?’s free scam alert service will help keep you informed on the latest scams.

Do you feel enough is being done to help victims of these scams? Have you had an experience of attempting to get reimbursed on a bank transfer scam? Let us know your thoughts and experiences in the comments.


A percentage of customers are not as computer literate as others and are therefore vulnerable. If even the knowledgeable can be scammed, it’s up banks to ensure the account payee is the same name as the payee claims to be. Alerts now come through via the payment portal to say who you are setting up the account for and an algorithm checks the payee’s name is the same. I don’t mind the extra stages, as it means I am paying who I genuinely want to pay. And if I am paying a tradesman, I don’t ask for their bank details in an email. Either ask when they attend, or ring them.

John says:
22 August 2020

I got scammed my bank said it was a scam they stopped my money going out of my account they saved me £20.000 but they didn’t stop my £100.000 coming out of my account that was the same scam but a different account why did they not pick up omit

Susan Francis says:
23 August 2020

If a voluntary code is followed then it might as well be mandatory. If it is ignored then it needs to be mandatory.

Angela Mcleana says:
24 August 2020

All financial institutions have a responsibility to protect peoples money. They are the ones who should be keeping one step ahead of the scammers. They already use our money to make more for themselves and the interest rates are well below what they should be. The customer loses out every time.

A couple of weeks ago I got a phone call from what sounded like an Indian call centre. I kept asking the caller to repeat herself as what she was saying was unclear, but she did say APP several times. After several times of asking, she cut the call.

I reported a post the other day that didn’t look right as it sung the praises of what looked to me like a scam.

The above post from Riley Nathan appears to be another one and I have reported that one also.

Is this a new scam and are we all going to get calls from a very ‘helpful’ Greg?

Alfa – I reported one the other day – probably the same one as you did – but forgot to check whether it had been taken down. I was also suspicious of Riley’s comment and reported it. It doesn’t matter whether it is genuine or not – so long as it is promotional it contravenes the guidelines of this site and should be removed in my view.

I am still trying to work out how eToro [presumably a US-based intermediary] makes its money from buying stocks and shares free of commission unless it takes a cut on the investment returns.

It is indeed extremely unfortunate that a highly intelligent investor like Riley could be so badly duped by a regulated broker.

Great minds think alike John !!!! It was probably the same one that I think has now gone.

I also searched etoro but didn’t find anything plausible but the above post is written in much the same way a scammer would talk.

I think a responsibility of moderation should be to look at comments like Riley’s and remove promoted companies unless they are known to be “good”. The danger, as with any scam, is people may be tempted to deal with them on the basis of an endorsement ( but badly written, a warning sign?) such as this, particularly when an individual is named. If I have done Riley a disservice I apologise.

Well, I suspect three of us have reported the post, yet it remains on view.

I’ve seen eToro adverts on YouTube.

Their homepage includes this small print:

“Zero-commission means that no broker fee will be charged when opening or closing the position and does not apply to short or leveraged positions. Other fees may apply. Your capital is at risk.”

The moneysavingexpert website contains many forum threads on eToro…

…including one that posted this critque:

“I was under the impression that some trading sites (NOT saying any specific companies!) operate in this manner:

0. Let you play with virtual money and then win big virtual rewards
1. Website owner buys a certain stock.
2. ‘Customers’ follow the website owners in and buy more of this stock.
3. Stock rises in value.
4. Website owners sell the stock. Make a gain.
5. Stock falls in value. ‘Customers’ still own the stock. ‘Customers’ are left holding a loss.

See also – ‘Bitcoin’ ! “

My partner got scammed out of 65k, she was about to buy a house and exchange contracts, she was emailing who she thought was her solicitor and she has corresponded to this email for weeks and anyway it was hacked and she sent details through confirming the large deposit, save to say her account got drained she has been crying non stop I don’t blame her it’s all her life savings worked so damn hard for it! Bank says they will let her know if she gets her money back, it was such a sophisticated scam anyone could had fallen for it, it was an email address coming from the solicitor, you reckon she get her money back? Her own solicitor has offered her 10k because he is crap scared he could be sued for not protecting there systems

Toq – Your partner’s solicitor’s firm could certainly be reported to the Solicitors’ Regulation Authority. Firms have been struck off for similar breaches of security and, given the number of well-publicised cases with a similar method, solicitors have been strongly advised to review their e-mail systems in order to prevent hacking. I think she should ask for more than £10,000. I would hope that her bank will accept that your partner was blameless in the commission of the fraud and restore the stolen money.

I have just been scammed in to selling something on ebay for someone on a 5% basis. they sent me a scan of their passport and i found their registered company online, est in 2003, all seemed legit. sold an item for £2,500 and now it hasn’t been delivered and they are AWOL. i now owe someone £2,500 that i do not have. the whole reason i did this was because i needed money. I am embarrassed and worse off than ever

I was scammed out of £7000 it’s greatly affected my mental health

We don’t believe that giving remote access to your device would be grossly negligent in these circumstances.

Read more: https://www.which.co.uk/news/2020/09/google-fails-to-stop-scam-ad-targeting-revolut-users-for-a-third-time/ – Which?

I would regard anyone who gives control and access to their computer and all the personal information it contains as irresponsible at least, negligent or grossly negligent, whoever might ask for it. If someone does not have the knowledge or capacity to operate online banking securely then they should have restricted access. This is something the banks need to address and perhaps introduce graded access depending upon their assessed abilities.

As regards its method of operation, that Revolut scam is very similar to a lot of fake tech support scams. I don’t think it has ever been suggested that Microsoft should be responsible for refunding scam victims there.

One victim lost £160,000 after clicking on an ad for an ‘Aviva’ investment scheme. Despite doing their due diligence to ensure the website was legitimate, they had been speaking with a fraudster, who assumed the name of a real Aviva employee, and only discovered they had fallen victim to a scam after spotting a warning on the FCA’s website.

I imagine (hope) there is more to this than meets the eye. At first sight it looks as though due diligence was not done very well to ascertain the authenticity of the website. They clearly knew there were other checks they could (should) make as they subsequently looked at the FCA warning list. But why part with £160 000 through a website rather than making direct contact with Aviva once the “offer” had been seen? If that is what happened. On the face of it this looks like irresponsibility on the part of the loser and compensating this sort of behaviour will only encourage others to take chances, knowing the only losers will be the responsible depositors at the bank.

But, as I say, there may be more to this that justifies the bank’s action. If, for example, they knew the payee’s account belonged to a fraudster. Should they have also known the payee was on the FCA warning list? Is that information not automatically relayed to banks?

In 2016 my friend transferred £19000 to an account controlled by fraudsters. He received no support or co-operation from Santander or Barclays, the receiving bank. The police interviewed the person to whose account the money went in to but the CPS turned down the request for further action and no further details were given to him. Since then the account names of payee and account holder name have to correspond and had this been in operation earlier he would not have lost his life savings. Financial institutions should have closed this loophole years ago and should be back dating refunds to take care of people caught up in these scams prior to the new regulations came into operation.

The simple way to ensure money is transferred to the right person is to make a trial transfer of £1, check with the intended recipient it has been received then transfer the balance. Before Confirmation of Payee this seems a sensible and responsible way to deal with your own money. CoP is very useful but not essential.
I presume you can still be persuaded to transfer money to an account that checks out but is not the intended person if you don’t take sufficient care. So the £1 precaution can still be worthwhile.

”While it’s important that people are alert to these threats, banks have a critical role to play in protecting customers from the scams that they are usually better placed to spot.”

It would be useful if Which? expanded this statement to explain how banks are able to spot these scams and prevent customers money being transferred.

@gmartin, George, could Which? enlarge on how banks can spot new scams and block transfers?

While it is positive that the introduction of the scams code has led to banks refunding more customers, reimbursement rates remain unacceptably low given its pledge to return money to all of those who are not at fault.

Would it not be more productive if we made the effort to educate as many bank customers as possible to help them avoid scams, to take a more thoughtful and responsible approach to handling their finances, and introduced bank accounts with restricted facilities for those who are less capable, rather than effectively paying anyone back who has not taken sensible precautions? If they are not diligent means they are at fault and, unless their bank knew, or should have known, the destination account was owned by a scammer I do not see why the bank – to the disadvantage of their depositors and other customers who act responsibly – should automatically cough up.

The suggestion that a customer must be reimbursed for a scam if they are “not at fault” is very questionable and also, to me, seems very confused.

In the Which? Mag for October a statement is made as follows, following a dispute with Monzo bank : ” …..but you ( the defrauded customer) should never be held accountable if you can prove you didn’t give permission to send the money….”. Yet in many reported scams the customer has transferred money by instructing their bank accordingly. Hence given permission.

And if a customer gives a scammer all the details necessary for them to access their account this amounts to giving permission to transfer money, doesn’t it, however unwise the decision?

The problem with refunding money, it seems to me, in a blanket way is that it simply removes the responsibility from many to treat their financial affairs more carefully, and mixes up the genuine victims with the careless, but expecting the rest of us to pay for their carelessness.

We should concentrate more on protecting customers from themselves rather than allowing careless behaviour to be perpetuated.

I transferred a large cash sum to my brother yesterday, using a mobile banking app. This required adding a new payee.

The app confirmed that the receiving account name I had input matched the sort code and a/c numbers that I had input.

The app required me to input details from my cashpoint card, as additional proof of my id.

Before I could authorise the payment, the app popped up a page of warnings about typical scam scenarios, i.e. to help avoid APP scams and such like.

So it was good to see those checks and warnings now in place.

Yes, my bank is now using the three factor authentication and further checks. It doubles the transaction time but that is still very quick and is much safer so I feel more comfortable with on-line payments now. The extra time is only required when setting up a new payee so for all future payments to the same account it is as rapid as ever.

I am now accustomed to seeing these warnings when transferring money to new payees using mobile banking. It’s a worthwhile change that should have been implemented years ago.

When I tried to transfer £10 to a small society’s account to pay for my membership, the payment was not authorised. I had copied the name/account/sort code from an email that the chairman had circulated. I received multiple warnings after I decided to go ahead and make the payment. This highlights the need for account holders to provide the exact name of the person or organisation to avoid problems.

Banks are definitely becoming more vigilant and scam aware.

I have been using my contactless card a lot more recently instead of cash and one transaction was blocked, requiring my PIN before it would authorise the payment. I purchased a new FF online on Thursday and the bank required a code which they phoned through to me before the transaction was completed.

Its encouraging to see the banks taking the scam problem more seriously and carrying out a lot more online spot checks.

Beryl – The requirement to enter a PIN occasionally when using a contactless card has been in place for years and possibly since they were introduced. I wondered why I was not being asked to do this and realised that it’s probably because I frequently use the same card for larger purchases where a PIN must be used.

I am aware this has been a requirement for some time Wavechange but for larger purchases I would normally use my credit card for backup if necessary. I also ordered a new cheque book on the phone this week and had to undergo quite a stringent security check before the bank agreed to send it. The bank always used to automatically send a new one through the post but have stopped doing that now in favour of customers applying when needed.

It was a combination of all three transactions that brought this to my attention how the banks have become more vigilant and security aware. It’s a first time for me that I have been phoned a code for an online credit card transaction.

Was that First Direct Derek?

I got an email from them the other day to say:

We’re getting in touch to let you know about a new way we’re keeping you safe from fraud.

Every now and then, when you’re sending money in Online Banking, we’ll pop up a fraud warning message as an additional reminder about the things fraudsters are doing to try to get access to your money.

If you see one of the messages, you just need to select the reason you’re sending the money, from the drop down list. This will bring up the relevant fraud warning. If you read this and it makes you think something isn’t right, here’s your chance to pause and not send the money until you’ve thought it through. We really want to make sure you’re protected from fraud and this is another way we hope to help.

The warning will give you a chance to try calling any companies that might have asked you to send money out of the blue, on their official phone number, or look up the details of the particular scam on the fraud section of our website.

The warnings could save you from accidentally and unwittingly sending money to a fraudster and keep you safer from fraud when you’re sending money digitally.

Hi alfa, it was not First Direct. But I guess all the better banks should be doing this sort of thing now.

Ive been a victim of the authorised push payment scam, where i knowingly transferred money into someone elses account, i was being manipulated and lied to. Bank are investigating now, they recovered some of the money, does anyone know if i might get the rest of it back, which was quite a lot of money?

Ar – I expect the bank has recovered what it can and that there is little hope of retrieving the rest unfortunately. Since this seems to be a case of fraud I think you would be well advised to inform the police and give them all the facts and contacts so they can investigate.

Is this a new scam? Phone call saying that our smart meter needs updating. My wife took the call and said that my husband deals with those issues. However we do not have a smart meter. So be aware that this could be a scam.
Telephone number 0203997365
Keep safe

G. Mazzarini says:
23 December 2020

I also wanted to point out the role of crowdfunding websites like Indiegogo and Kickstarter, which do not check enough on the honesty of the companies advertising on these websites. Furthermore, they do not protect customers, but the companies looking for funds, even when it is evident that it is a scam. I experienced this first hand with Indiegogo and was shocked at how much they protected the company that was committing the scam.

Sadly I was the victim of an FPP scam a couple of weeks ago. In the morning I had mistakenly used the wrong pin when trying to withdraw cash. On the third attempt, the machine returned my card and told me to call my bank (FD). Once home, I sent a message through the FD on-line banking app to check what I needed to do to unlock my card.
About 40 minutes later I had a call on my mobile from First Direct Bank which I immediately assumed was in response to my message.
However, the caller, who knew my name and where I lived said he was from the Fraud Dept and was incredibly persuasive telling me about a suspected fraudulent transaction to my account. He led me into a classic FPP scam where I was persuaded to make an internal transfer from savings to current account, and set up a new account (with a Barclays sort code) to transfer £9200 into it with a promise that the caller would contact me the following day to move the rest!. My wife and I became a rather suspicious, and when challenged, the caller assured me he was from FD and quoted my account password.
Following the end of the conversation, I called FD who immediately told me I had been scammed. I have now received a letter from FD who promise to come back to me within 15 working days.
Needless to say, I am extremely cross with myself for allowing this to happen, and I only want to tell my story to show how easy it is to be scammed.
The scammer did phone back the following day, but of course, as I told him he was a scammer, the phone went dead and the call number was withheld.

R.G. says:
7 January 2021

Unfortunately, I have fallen victim to a scam. It was the ‘fraud’ department that called me. From there on, my idiotic mind went along, and around £9000 from my saving and current account has been taken from my account. My bank called me the next day informing me I have been scammed, and have been told to wait 10-15 days. I am a university student with deadlines on top of deadlines, and on top of this has added financial stress including academic stress. Feel like the biggest idiot in the world. Please, always challenge the caller and if suspicious, hang up. Also be aware of phishing emails! The number that called me was 0345 600 7010, what I legitimately thought was an actual hsbc number. Hopefully, can get my money reimbursed. Stay safe folks

Nick Tobin says:
11 January 2021

Where can you turn if your business is too large for the ombudsman service?

Nick – Depending on the problem, you might need to use a solicitor or other specialist adviser.