
We need to talk about bank transfer scams


It’s now 42 days since we made our super-complaint to the Payment Systems Regulator (PSR) calling for banks to better protect customers who are tricked into transferring money to a fraudster – and we need your help.

Bank transfers have increased dramatically in the UK over the past decade, with more than 70 million made in a month, compared with just over 100 million in a whole year 10 years ago.

When Which? surveyed 2089 people, we found that one in ten had either made a bank transfer to a fraudster’s account or know someone who has. But statistics won’t be enough to prove action is needed.

Bank transfer scams

Bank protection systems haven’t kept pace and fraudsters are increasingly taking advantage with ever more sophisticated scams designed to con unwitting victims out of often large sums of cash. If we’re going to prove to the regulator that this problem is rife, we need more hard evidence.

Some of you have already shared your bank transfer scam experience with us on Which? Conversation. One guest author anonymously recounted his tale of being conned out of £50,000 after a phone scammer convinced him to transfer money to a ‘safe account’.

D Morris told us a similar story about an elderly relative.

Then there are those who’ve lost money paying for things like holidays. Ian Stevens told us on Which? Conversation that he lost £2,500 transferring to a fraudster thinking he was settling up for a holiday house in Paris.

But if we’re going to succeed in convincing the regulator to take action, we need you to share more of your stories – and, seeing as it had 90 days to respond to us when we made the super-complaint in mid-September, we’ve only got another 48 days to prove that action is needed.

If you or someone you know has suffered from this type of scam then please report it to us here.

Bank transfer protections

The problem with bank transfers is that unlike direct debit, debit card or credit card fraud, if you do get scammed into transferring money via a bank transfer, you currently have no legal right to get your money back from the bank.

Often banks won’t refund you if you’ve appeared to ‘authorise’ the transaction, even if it was unknowingly to a fraudster’s account.

We think this is quite simply unfair and that’s why we made our super-complaint on 23 September. We want the PSR, working with the Financial Conduct Authority (FCA), to investigate and find out how much this type of fraud costs consumers.

We then want the regulators to take action and propose new measures and greater liability for banks to ensure consumers are better protected when they have been tricked into making a bank transfer.


Do you think action on bank transfer protections is needed? What else do you think needs to be done to protect people from scammers?

Comments
Member

I support any attempt to improve security for online banking. One call has been made to add the name of the account holder as a third piece of information, along with the account number and sort code. My information was this is not straightforward but is being explored.

The intro says “often the banks won’t refund you if you have appeared to authorise a transaction, even if (it) was unknowingly to a fraudster’s account”. Well, generally you do “authorise” online transfers, you don’t “appear” to. “Unknowingly” to a fraudster’s account – presumably unknown to you, but also unknown to the bank. I think we must be careful how we attribute responsibility; simply blaming the banks for every transaction that goes wrong, whatever part the payee played in deciding to, appears to absolve the customer from any responsibility.

I would have thought Which? could sit down with the various parties and see just what the complications are in the system and summarise these for us. I don’t believe the banks are oblivious to the situation and are happy to see customers defrauded. (I’m sure some will disagree with this). So perhaps a fuller exposition of the facts would help.

Member

I agree, the banks are not responsible for people’s stupidity.

But, I do think there is a lot more they could do to recover stolen funds.

When you open any account you should have to have evidence of where you reside and a copy of a passport or other photo id. An account should not be opened or any money withdrawn until the bank has checked the evidence is genuine.

Whenever money is scammed, the receiving bank should be held responsible and they should immediately contact the police to arrest the fraudster and recover the funds.

Member

My goodness, Alfa, if the banks are not responsible for people’s stupidity, who on earth is? Society believes that there needs to be some overall life-event guardian to shelter us from the consequences of our errors and omissions; we can’t be expected to carry these burdens on our own backs throughout our lives, and since we all have to have a relationship with our banks – even if not with our brains – that is the obvious place to look for support and recompense in adversity. Other than that, you have hit the nail smartly on the thumb.

Member

🔨
👍 LOL !!! 😈

Member

LOL! Alfa’s spot on – and neatly encapsulated, as always. It’s incredibly difficult just to open an account these days, so you’d imagine that some of that complexity and checking might have filtered down to the process of making a transfer. Simply transferring money ain’t exactly straightforward, nor particularly safe. It’s all about inserting numbers and that’s fraught with pitfalls.

Here’s a thought: if the bank transfer screen checked the identity of the recipient and showed it to the transferor before initiating the actual transfer (a simple enough process) that would go some way to making the process safer. But on Scams – well, they could default to enforcing a checking delay, I suppose.

Member

It is the Payments Systems regulator to whom the supercomplaint has been sent. I would have thought Which? would already have assembled adequate evidence when the complaint was submitted.

The PSR says:
“We are gathering information to help us build a clearer picture of the issue Which? raised. Our work is focusing on four key areas:
– what is the scale of the problem
– what protections are currently in place
– what relevant developments are on the horizon
– what actions can we, or other relevant organisations take.

As part of our evidence gathering we will speak to a wider range of people and organisations to help us build a clearer picture of the issue and understand what action we might take. We will work particularly closely with the Financial Conduct Authority (FCA) which is the conduct regulator for firms in the UK which provide payment services to their customers.

We have to respond by…..22 December 2016. In our response we will set out initial conclusions and our thoughts on what needs to happen next. This might include commissioning further work or reviews, looking at current requirements that influence behaviour, enforcement action, or making referral to another organisation which is better placed to investigate the issue.

Anybody with information they believe could be helpful can contact them at PSRSuper-Complaints@psr.org.uk

I applaud Which? for launching this issue. However I am not sure, when it is now with the PSR, why they don’t let them get on with it and see what they report on 22nd December.

Member

When I wish to make an on-line payment through my Nationwide current account there are quite a few steps to go through and obviously you have to check and confirm the details along the way to make sure you have entered the correct sort code and account number of the receiving bank account. Although I am asked to insert the payee’s name this is not corroborated with the account details held by the receiving bank but is for future identification by me and my bank. There are also verification checks on my side before the process is executed. However, if you want to make another payment to the same creditor the process is simplified because you can select the person’s or firm’s name from a list on the payment request form and their bank details will appear exactly as they were used [presumably successfully] on the previous occasion. I tend to still check the sort code and account number just to be doubly sure but I don’t have any concerns over the safety of the process once you have made the first transaction to a particular payee. It has been suggested that on the first occasion with any creditor one should run a trial transaction of a small amount through the system and await confirmation of receipt from the payee before transferring the balance.

The scams occur when a false [and fraudulent] notification is sent to the payer asking them to change the destination of the payment before they have committed the transaction, usually on the premise that there has been a temporary change of bank account due to technical problems or a similar made-up pretext – and these can be very convincing. But it is absolutely vital on receipt of such a message that (a) no reply is sent, (b) the correct payee is contacted in person as a matter of urgency to verify their receiving bank details, and (c) they report it to their bank immediately. It is a moot point whether or not it is advisable to tell the payee the reason for the request at (b) above at that stage as there are suspicions in some of the cases that the scam could not have been perpetrated without the collusion or connivance of the intended payee.

I am surprised that Which? has left it until nearly half way through the Regulator’s investigation before submitting essential evidence – surely this should have been presented at the outset. Let’s hope the PSR does not add 42 days to the reporting schedule.

I am a bit mystified by the statement “From our research, we know that one in ten of you have either made a bank transfer to a fraudster’s account or know someone who has.” Who are the “you” – the Which?-Connect panel [or just those who completed the survey]? The Conversationalists? The adult population at large? Or does it mean 10% of only those who have ever made a bank transfer or know someone who has? I always find numbers more useful than percentages, especially if making a case for something. The Regulator will no doubt ask for them so better have them handy.

Member

It is the Payments Systems regulator to whom the supercomplaint has been sent. I would have thought Which? would already have assembled adequate evidence when the complaint was submitted.

The PSR says:
“We are gathering information to help us build a clearer picture of the issue Which? raised. Our work is focusing on four key areas:
– what is the scale of the problem
– what protections are currently in place
– what relevant developments are on the horizon
– what actions can we, or other relevant organisations take.

As part of our evidence gathering we will speak to a wider range of people and organisations to help us build a clearer picture of the issue and understand what action we might take. We will work particularly closely with the Financial Conduct Authority (FCA) which is the conduct regulator for firms in the UK which provide payment services to their customers.

We have to respond by…..22 December 2016. In our response we will set out initial conclusions and our thoughts on what needs to happen next. This might include commissioning further work or reviews, looking at current requirements that influence behaviour, enforcement action, or making referral to another organisation which is better placed to investigate the issue.

Anybody with information they believe could be helpful can contact them at PSRSuper-Complaints (at)psr.org.uk

I applaud Which? for launching this issue. However I am not sure, when it is now with the PSR, why they don’t let them get on with it and see what they report on 22nd December.

Member

Hi Malcolm,

We completely agree that it’s the regulator’s job to investigate the issue and gather the evidence in order to respond to the super-complaint. The experiences we gather from those who share their stories will help the regulator hear directly from consumers on how they have been affected and what changes they want to see happen to address the problem. This would be as, if not more useful to the PSR than anything Which? or any other organisation can offer in terms of intelligence. We’re really pleased that the PSR think so too and have shown their support for the tool to encourage more people to share their stories: twitter.com/ThePSR/status/794486167932698625

Member

Thanks, Neena, I had assumed that the supercomplaint was based on extensive experiences that had already been reported to you, hence triggering your action, and that these experiences would have been submitted to support the supercomplaint. I have then assumed that to be the basis on which the regulator was considering the complaint and that it was worth waiting for the outcome of their first deliberations in December.

Member

That’s what I was thinking, Malcolm. With seven weeks to go before the Regulator’s response should be delivered, some of which will be taken up with finalising the drafting, it’s cutting it a bit fine to hand in some late homework. What if it doesn’t amount to much?

I would still appreciate an answer to the questions I asked in the final paragraph of my post above about the unclear survey statistics.

Congratulations, Malcolm, on having a post duplicated after a three-hour time interval. I wonder how that happened. I think this site has been suffering from gremlins lately.

Member

Malcolm – Please ignore that last remark – I subsequently saw that you were awaiting moderation for a link and posted again in case your comment had gone missing.

Member

“We’re really pleased that the PSR think so too and have shown their support for the tool to encourage more people to share their stories: twitter.com/ThePSR/status/794486167932698625”

Words can hardly express how underwhelmed I am that we feel we need more stories. Can we be more proactive?

If that seems harsh bear in mind that amongst 800,000 subscribers I suspect there may be one or two with technical information on the Bank payment systems and also the requirements on opening Bank accounts.

I am willing to bet that if we look closely at the recipient Bank Accounts we may very well have some fertile grounds for looking at how the Banks facilitate the fraud by inadequate opening procedures and being prepared to ignore strange patterns of use.

I would also look at the systems used in other countries to see if they suffer the way we do.

We could also consider adapting the IBAN system that stops transcription errors to a large degree:
“IBAN imposes a flexible but regular format sufficient for account identification and contains validation information to avoid errors of transcription. It carries all the routing information needed to get a payment from one bank to another wherever it may be; it contains key bank account details such as country code, branch codes (known as sort codes in the UK and Ireland) and account numbers, and it contains check digits which can be validated at source according to a single standard procedure.[8] Where used, IBANs have reduced trans-national money transfer errors to under 0.1% of total payments.”
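The check-digit procedure mentioned in the quoted passage above, as an added example that is not part of the original comment or of any bank's code: it validates an IBAN with the mod-97 check, counts how many single-digit typos and adjacent-digit swaps slip through, and shows that a well-formed IBAN for a different account still passes, so the check catches transcription errors rather than a substituted payee. The function names and the short country-length table are assumptions made for the illustration; the sample is the specimen IBAN commonly used in documentation.

```python
import re

# Subset of per-country IBAN lengths (assumption: enough for this example;
# the full registry covers many more countries).
IBAN_LENGTHS = {"GB": 22, "IE": 22, "DE": 22, "FR": 27}

# Specimen IBAN widely used in documentation, not a real account.
SAMPLE = "GB82 WEST 1234 5698 7654 32"


def _numeric(s: str) -> int:
    # Digits stay as they are; letters expand to two digits (A=10 ... Z=35).
    return int("".join(str(int(ch, 36)) for ch in s))


def normalise(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def is_valid_iban(iban: str) -> bool:
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False  # countries outside the table are not length-checked
    # Move country code and check digits to the end; remainder must be 1.
    return _numeric(s[4:] + s[:4]) % 97 == 1


def build_iban(country: str, bban: str) -> str:
    # Check digits are 98 minus the remainder computed with "00" in their place.
    check = 98 - _numeric(bban + country + "00") % 97
    return f"{country}{check:02d}{bban}"


def undetected_typos(iban: str) -> int:
    """Count single-digit substitutions and adjacent-digit swaps that still validate."""
    s = normalise(iban)
    missed = 0
    for i in range(4, len(s)):
        if not s[i].isdigit():
            continue
        for d in "0123456789":
            if d != s[i] and is_valid_iban(s[:i] + d + s[i + 1:]):
                missed += 1
        if i + 1 < len(s) and s[i + 1].isdigit() and s[i + 1] != s[i]:
            if is_valid_iban(s[:i] + s[i + 1] + s[i] + s[i + 2:]):
                missed += 1
    return missed


# Constructed second account: well-formed, so it validates just as well.
OTHER_ACCOUNT = build_iban("GB", "WEST12345698765433")

if __name__ == "__main__":
    print("sample valid:", is_valid_iban(SAMPLE))
    print("typos that slip through:", undetected_typos(SAMPLE))
    print("different account also valid:", OTHER_ACCOUNT, is_valid_iban(OTHER_ACCOUNT))
```
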

Member
Farweasel says:
4 November 2016

Oh go on then Patrick ……….

So, in an attempt to make telephone banking easier and less fraud prone, the Bank I use is trialing a new scheme based on voice recognition.
(I won’t embarrass them by saying which bank it is because, well, at least they are *trying* to enhance security).
So I said OK I’ll participate.
What happened next had shades of farce:
I had to echo a gratingly ‘home counties’ accented woman saying a set phrase.
I dunno if it was my lovely broad northern vowels and different (but consistent) pattern of speech cadence, there were numerous failed attempts before at last the system declared it was satisfied.
BUT….
Both the next two occasions I contacted the bank I went several times through the system with it trying to match my voice to my profile. Each time it asked me to repeat, then repeat again, then told me it could NOT verify a match
……. And put me through to an assistant anyway.

In fairness, mostly what I wanted was information and to shuffle money between my accounts not transfer it out – but I did wonder would that have been permitted.

Deciding it was best to err on the side of caution anyway I asked to revert to my more laborious ID of inputting ‘password numbers’.

Member

Thanks for that interesting insight into the voice recognition systems. There have been a lot of claims on their accuracy and it would seem that yet again hype trumps reality.

Member

I wonder how these voice recognition systems work when you get a sore throat, or other vocal impediment?

Member

Payment Systems Regulator
In April 2015, the FCA created a separate body, the Payment Systems Regulator (PSR), in accordance with section 40 of the Financial Services (Banking Reform) Act 2013.[10] The PSR’s role is “to promote competition and innovation in payment systems, and ensure they work in the interests of the organisations and people that use them”.[11]

As in keep changing the title and the Dept and then we just pretend we are all new here and fraud reporting is novel.

Which begs the question who was dealing with the problem before them. Somebody must have already all the data possible. Possibly the Banks might be asked to hand over the details of all the claims they have had, and those helped and those refused. That is where all the relevant information is held.

I think Which? has been inveigled into being part of the process rather than being a driver. There must be sufficient information out there already; the point is what solutions are there. Perhaps the fundamental one is that immediacy of the bank systems facilitates crime.

And certainly I can bet you a pound to a penny that the Banks are NOT being clever about solving the problem. I have highlighted that receiving accounts could be screened more closely and if necessary a drag placed on the movement of money particularly if it is being routed off-shore.

We know that overseas students in London sell their bank account details for fraudulent purposes so perhaps we need a lock on what can be paid in and paid out. The facility of returning to your homeland to avoid any prosecution make it attractive money. My French account has a Euro 2340 limit per month on it and this is standard opening procedure for Credit Agricole and possibly other French banks. There are also limits on withdrawals per week. And helpfully every on line payment generates an email from the Bank.

But then getting people fully loaded with debt, the US model, adopted by us is not how the French operate.

Obviously there are details to nail but one thing we know for sure the ease at which all computers can be hacked and the rapidity that the money can go abroad will increase fraud generally in the future, currently we are looking simply at scams involving human interactions.

I am not sure we have a fix for humans so let’s look at fixing payment systems.

Member

This is now the second Convo in two days where other posters are able to post on a new Convo at approx. 10.30 am and I can’t do that as the LATEST DISCUSSIONS does not appear on any of my 4 browsers till 10 pm at night – somebody trying to tell me something??

Member

Do you mean that the ribbon across the top that includes ‘Recent Activity’ does not appear, or that you are actually being blocked from making a comment? There are other ways to get into the comments but not to see them all in date order. I always go straight to ‘Latest Comments’ in the ‘Recent Activity’ drop-down menu and I have never had the problem you mention – I can’t believe it’s personal but perhaps there is a conflict somewhere between Which?’s system and yours.

Member

John, I have kept my mouth shut at the increasing number of trackers here, I won’t list them to embarrass Which but they are now using the latest technology – to UNIQUELY identify you, it’s the latest method to silently not only track you over websites but to rearrange what you see on WHICH. It can’t be blocked by normal means (but I have a way if I want) but using a special browser I was able to identify it – HTML5 – aka – canvas fingerprinting extraction – see research papers by Princeton University (USA) + KU Leuven University Belgium and I have many high tech. investigation websites giving all the info on it – and it isn’t nice. I have archived two of the most prestige tech. websites around in relation to the inner workings of tracking, in other words apart from the sly tracking they can “rearrange” the website to what they want to display to a visitor. That they have done it to me, is, in my opinion – below the belt and more like the antics of GCHQ, don’t expect me to be able to post on a new Convo till 12 hours later than everybody else. If they had not done this I would have kept quiet about this “new” way of working, and presenting it as “benign” isn’t going to work I know ALL the facts – full stop.

Member

They use more than most sites. I have brought it up with them before but accept their argument that it’s now becoming common among commercial sites.

Member

“Miraculously” I can now see – Latest Discussions and the latest convo, if it stays that way I will say no more about it.

Member

Could’ve been a blip, so fingers crossed, Duncan. But from what you have told us you have quite a defensive system yourself so perhaps Which? Conversation struggles to get through.

Member

A “defensive system” that only works for 12 hours, John?

Member

Well, I assume you are not trying to stop Which? Conversation reaching you, just to make it more difficult for the wrong sort of contact from the wrong sources.

Member

John, it only happened two days ago, no changes were made to my PC, nor was any of my browsers changed nor search engines and the fact that after 12 hours I could see the new convo + latest Discussions point to Which’s server not anything related to me. I knew something was up anyway as I was getting unusual stability conditions for a good while. John, a lot goes on behind the scenes. I let myself be tracked by the “new system” which is related to the log-in system used by Which – WordPress – Which isn’t the only website using this but it’s the only one that I have problems with.

Member

Hi Duncan, this sounds really strange to me as the convos over the past few days have published overnight so you should have seen them appear in the early hours of the morning (if you’re up and looking for them that is :P). I’ll do some digging and find out if there’s a fix for this, I don’t want you to be missing out 🙂

Member

Lauren, it was sorted by, I take it, Which, the day after my last post on it, thanks Lauren.

Member

Ok good. If you do see this happening again for you would you be able to email me some screen grabs of what you’re seeing – it will help us in trying to work out what the problem is

Member

Malcolm – I picked up your explanation for the duplicated post on another Conversation so please ignore my previous remark. I remain surprised that the moderator cannot delete a duplicate post, however, as sometimes it is due to a system glitch.

Member

I wonder how many banks and other financial institutions still send emails that include phone numbers and email addresses in emails rather than inviting customers to look up this information and get in touch. If members of the public are expected to behave responsibly then the banks etc. should have learned to do this years ago. If banks etc. have to call their customers then they should ask customers to look up the contact details and make the phone call.

If the public is made aware that unsolicited phone calls and emails with contact details are likely to be scams we might make progress in tackling the current problems.