/ Money

We need to talk about bank transfer scams

Bank transfer

It’s now 42 days since we made our super-complaint to the Payment Systems Regulator (PSR) calling for banks to better protect customers who are tricked into transferring money to a fraudster – and we need your help.

Bank transfers have increased dramatically in the UK over the past decade, with more than 70 million made in a month, compared with just over 100 million in a whole year 10 years ago.

When Which? surveyed 2089 people, we found that one in ten had either made a bank transfer to a fraudster’s account or know someone who has. But statistics won’t be enough to prove action is needed.

Bank transfer scams

Bank protection systems haven’t kept pace and fraudsters are increasingly taking advantage with ever more sophisticated scams designed to con unwitting victims out of often large sums of cash. If we’re going to prove to the regulator that this problem is rife, we need more hard evidence.

Some of you have already shared your bank transfer scam experience with us on Which? Conversation. One guest author anonymously recounted his tale of being conned out of £50,000 after a phone scammer convinced him to transfer money to a ‘safe account’.

D Morris told us a similar story about an elderly relative.

Then there are those who’ve lost money paying for things like holidays. Ian Stevens told us on Which? Conversation that he lost £2,500 transferring to a fraudster thinking he was settling up for a holiday house in Paris.

But if we’re going to succeed in convincing the regulator to take action, we need you to share more of your stories – and, seeing as it had 90 days to respond to us when we made the super-complaint in mid-September, we’ve only got another 48 days to prove that action is needed.

If you or someone you know has suffered from this type of scam then please report it to us here.

Bank transfer protections

The problem with bank transfers is that unlike direct debit, debit card or credit card fraud, if you do get scammed into transferring money via a bank transfer, you currently have no legal right to get your money back from the bank.

Often banks won’t refund you if you’ve appeared to ‘authorise’ the transaction, even if it was unknowingly to a fraudster’s account.

We think this is quite simply unfair and that’s why we made our super-complaint on 23 September. We want the PSR, working with the Financial Conduct Authority (FCA), to investigate and find out how much this type of fraud costs consumers.

We then want the regulators to take action and propose new measures and greater liability for banks to ensure consumers are better protected when they have been tricked into making a bank transfer.


Do you think action on bank transfer protections is needed? What else do you think needs to be done to protect people from scammers?

Comments
Profile photo of malcolm r
Member

I support any attempt to improve security for online banking. One call has been made to add the name of the account holder as a third piece of information, along with the account number and sort code. My information was this is not straightforward but is being explored.

The intro says “often the banks won’t refund you if you have appeared to authorise a transaction, even if (it) was unknowingly to a fraudsters account”. Well, generally you do “authorise” online transfers, you don’t “appear” to. “Unknowingly” to a fraudsters account – presumably unknown to you, but also unknown to the bank. I think we must be careful how we attribute responsibility; simply blaming the banks for every transaction that goes wrong, whatever part the payee played in deciding to, appears to absolve the customer from any responsibility.

I would have thought Which? could sit down with the various parties and see just what the complications are in the system and summarise these for us. I don’t believe the banks are oblivious to the situation and are happy to see customers defrauded. (I’m sure some will disagree with this). So perhaps a fuller exposition of the facts would help.

Profile photo of alfa
Member

I agree, the banks are not responsible for peoples stupidity.

But, I do think there is a lot more they could do to recover stolen funds.

When you open any account you should have to have evidence of where you reside and a copy of a passport or other photo id. An account should not be opened or any money withdrawn until the bank has checked the evidence is genuine.

Whenever money is scammed, the receiving bank should be held responsible and they should immediately contact the police to arrest the fraudster and recover the funds.

Profile photo of John Ward
Member

My goodness, Alfa, if the banks are not responsible for people’s stupidity, who on earth is? Society believes that there needs to be some overall life-event guardian to shelter us from the consequences of our errors and omissions; we can’t be expected to carry these burdens on our own backs throughout our lives, and since we all have to have a relationship with our banks – even if not with our brains – that is the obvious place to look for support and recompense in adversity. Other than that, you have hit the nail smartly on the thumb.

Profile photo of alfa
Member

🔨
👍 LOL !!! 😈

Profile photo of Ian
Member

LOL! Alfa’s spot on – and neatly encapsulated, as always. It’s incredibly difficult just to open an account these days, so you’d imagine that some of that complexity and checking might have filtered down to the process of making a transfer. Simply transferring money ain’t exactly straightforward, nor particularly safe. It’s all about inserting numbers and that’s fraught with pitfalls.

Here’s a thought: if the bank transfer screen checked the identity of the recipient and showed it to the transferor before initiating the actual transfer (a simple enough process) that would go some way to making the process safer. But on Scams – well, they could default to enforcing a checking delay, I suppose .

Profile photo of malcolm r
Member

It is the Payments Systems regulator to whom the supercomplaint has been sent. I would have thought Which? would already have assembled adequate evidence when the complaint was submitted.

The PSR says:
“We are gathering information to help us build a clearer picture of the issue Which? raised. Our work is focusing on four key areas:
– what is the scale of the problem
– what protections are currently in place
– what relevant developments are on the horizon
– what actions can we, or other relevant organisations take.

As part of our evidence gathering we will speak to a wider range of people and organisations to help us build a clearer picture of the issue and understand what action we might take.We will work particularly closely with the Financial Conduct Authority (FCA)which is the conduct regulator for firms in the UK which provide payment services to their customers.

We have to respond by…..22 December 2016. In our response we will set out initial conclusions and our thoughts on what needs to happen next.This might include commissioning further work or reviews, looking at current requirements that influence behaviour, enforcement action, or making referral to another organisation which is better placed to investigate the issue.

Anybody with information they believe could be helpful can contact them at PSRSuper-Complaints@psr.org.uk

I applaud Which? for launching this issue. However I am not sure, when it is now with the PSR, why they don’t let them get on with it and see what they report on 22nd December.

Profile photo of John Ward
Member

When I wish to make an on-line payment through my Nationwide current account there are quite a few steps to go through and obviously you have to check and confirm the details along the way to make sure you have entered the correct sort code and account number of the receiving bank account. Although I am asked to insert the payee’s name this is not corroborated with the account details held by the receiving bank but is for future identification by me and my bank. There are also verification checks on my side before the process is executed. However, if you want to make another payment to the same creditor the process is simplified because you can select the person’s or firm’s name from a list on the payment request form and their bank details will appear exactly as they were used [presumably successfully] on the previous occasion. I tend to still check the sort code and account number just to be doubly sure but I don’t have any concerns over the safety of the process once you have made the first transaction to a particular payee. It has been suggested that on the first occasion with any creditor one should run a trial transaction of a small amount through the system and await for confirmation of receipt from the payee before transferring the balance.

The scams occur when a false [and fraudulent] notification is sent to the payer asking them to change the destination of the payment before they have committed the transaction, usually on the premise that there has been a temporary change of bank account due to technical problems or a similar made-up pretext – and these can be very convincing. But it is absolutely vital on receipt of such a message that (a) no reply is sent, (b) the correct payee is contacted in person as a matter of urgency to verify their receiving bank details, and (c) they report it to their bank immediately. It is a moot point whether or not it is advisable to tell the payee the reason for the request at (b) above at that stage as there are suspicions in some of the cases that the scam could not have been perpetrated without the collusion or connivance of the intended payee.

I am surprised that Which? has left it until nearly half way through the Regulator’s investigation before submitting essential evidence – surely this should have been presented at the outset. Let’s hope the PSR does not add 42 days to the reporting schedule.

I am a bit mystified by the statement “From our research, we know that one in ten of you have either made a bank transfer to a fraudster’s account or know someone who has. Who are the “you” – the Which?-Connect panel [or just those who completed the survey]? The Conversationalists? The adult population at large? Or does it mean 10% of only those who have ever made a bank transfer or know someone who has? I always find numbers more useful than percentages, especially if making a case for something. The Regulator will no doubt ask for them so better have them handy.

Profile photo of malcolm r
Member

It is the Payments Systems regulator to whom the supercomplaint has been sent. I would have thought Which? would already have assembled adequate evidence when the complaint was submitted.

The PSR says:
“We are gathering information to help us build a clearer picture of the issue Which? raised. Our work is focusing on four key areas:
– what is the scale of the problem
– what protections are currently in place
– what relevant developments are on the horizon
– what actions can we, or other relevant organisations take.

As part of our evidence gathering we will speak to a wider range of people and organisations to help us build a clearer picture of the issue and understand what action we might take.We will work particularly closely with the Financial Conduct Authority (FCA)which is the conduct regulator for firms in the UK which provide payment services to their customers.

We have to respond by…..22 December 2016. In our response we will set out initial conclusions and our thoughts on what needs to happen next.This might include commissioning further work or reviews, looking at current requirements that influence behaviour, enforcement action, or making referral to another organisation which is better placed to investigate the issue.

Anybody with information they believe could be helpful can contact them at PSRSuper-Complaints (at)psr.org.uk

I applaud Which? for launching this issue. However I am not sure, when it is now with the PSR, why they don’t let them get on with it and see what they report on 22nd December.

Profile photo of Neena Bhati
Member

Hi Malcolm,

We completely agree that it’s the regulator’s job to investigate the issue and gather the evidence in order to respond to the super-complaint. The experiences we gather from those who share their stories will help the regulator hear directly from consumers on how they have been affected and what changes they want to see happen to address the problem. This would be as, if not more useful to the PSR than anything Which? or any other organisation can offer in terms of intelligence. We’re really pleased that the PSR think so too and have shown their support for the tool to encourage more people to share their stories: twitter.com/ThePSR/status/794486167932698625

Profile photo of malcolm r
Member

Thanks, Neena, I had assumed that the supercomplaint was based on extensive experiences that had already been reported to you, hence triggering your action, and that these experiences would have been submitted to support the supercomplaint. I have then assumed that to be the basis on which the regulator was considering the complaint and that it was worth waiting for the outcome of their first deliberations in December.

Profile photo of John Ward
Member

That’s what I was thinking, Malcolm. With seven weeks to go before the Regulator’s response should be delivered, some of which will be taken up with finalising the drafting, it’s cutting it a bit fine to hand in some late homework. What if it doesn’t amount to much?

I would still appreciate an answer to the questions I asked in the final paragraph of my post above about the unclear survey statistics.

Congratulations, Malcolm, on having a post duplicated after a three-hour time interval. I wonder how that happened. I think this site has been suffering from gremlins lately.

Profile photo of John Ward
Member

Malcolm – Please ignore that last remark – I subsequently saw that you were awaiting moderation for a link and posted again in case your comment had gone missing.

Profile photo of Patrick Taylor
Member

“We’re really pleased that the PSR think so too and have shown their support for the tool to encourage more people to share their stories: twitter.com/ThePSR/status/794486167932698625″

Words can hardly express how underwhelmed I am that we feel we need more stories. Can we be more proactive.?

If that seems harsh bear in mind that amongst 800,000 subscribers I suspect there may be one or two with technical information on the Bank payment systems and also the requirements on opening Bank accounts.

I am willing to bet that if we look closely at the recipient Bank Accounts we may very well have some fertile grounds for looking at how the Banks facilitate the fraud by inadequate opening procedures and being prepared to ignore strange patterns of use.

I would also look at the systems used in other countries to see if they suffer the way we do.

We could also consider adapting the IBAN system that stops transcription errors to a large degree
” IBAN imposes a flexible but regular format sufficient for account identification and contains validation information to avoid errors of transcription. It carries all the routing information needed to get a payment from one bank to another wherever it may be; it contains key bank account details such as country code, branch codes (known as sort codes in the UK and Ireland) and account numbers, and it contains check digits which can be validated at source according to a single standard procedure.[8] Where used, IBANs have reduced trans-national money transfer errors to under 0.1% of total payments.”

Member
Farweasel says:
4 November 2016

Oh go on then Patrick ……….

So, in an attempt to make telephone banking easier and less fraud prone, the Bank I use is trialing a new scheme based on voice recognition.
(I won’t embarass them by saying which bank it is because, well, at least they are *trying* to enhance security).
So I said OK I’ll particiapte.
What happened next had shades of farce:
I had to echo a gratingly ‘home counties’ accented woman saying a set phrase.
I dunno if it was my lovely broad northern vowels and different (but consistent) pattern of speach cadence, there were numerous failed attempts before at last the sytem declared it was satisfied.
BUT….
Both the next two occasions I contacted the bank I went several time through the system with it trying to match my voice to my profile. Each time it asked me to repeat, then repeat again, then told me it could NOT verify a match
……. And put me through to an assistant anyway.

In fairness, mostly what I wanted was information and to shuffle money between my accounts not transfer it out – but I did wonder would that have been permitted.

Deciding it was best to err on the side of caution anyway I asked to revert to my more labourious ID of inputting ‘password numbers’.

Profile photo of Patrick Taylor
Member

Thanks for that interesting insight into the voice recognition systems. There has been a lot of claims on their accuracy and it would seem that yet again hype trumps reality.

Profile photo of malcolm r
Member

I wonder how these voice recognition systems work when you get a sore throat, or other vocal impediment?

Profile photo of Patrick Taylor
Member

Payment Systems Regulator
In April 2015, the FCA created a separate body, the Payment Systems Regulator (PSR), in accordance with section 40 of the Financial Services (Banking Reform) Act 2013.[10] The PSR’s role is “to promote competition and innovation in payment systems, and ensure they work in the interests of the organisations and people that use them”.[11]

As in keep changing the title and the Dept and then we just pretend we are all new here and fraud reporting is novel.

Which begs the question who was dealing with the problem before them. Somebody must have already all the data possible. Possibly the Banks might be asked to hand over the details of all the claims they have had, and those helped and those refused. That is where all the relevant information is held.

I think Which? has been inveigled into being part of the process rather than being a driver. There must be sufficient information out there already; the point is what solutions are there. Perhaps the fundamental one is that immediacy of the bank systems facilitates crime.

And certainly I can bet you a pound to a penny that the Banks are NOT being clever about solving the problem. I have highlighted that receiving accounts could be screened more closely and if necessary a drag placed on the movement of money particularly if it is being routed off-shore.

We know that overseas students in London sell their bank account details for fraudulent purposes so perhaps we need a lock on what can be paid in and paid out. The facility of returning to your homeland to avoid any prosecution make it attractive money. My French account has a Euro 2340 limit per month on it and this is standard opening procedure for Credit Agricole and possibly other French banks. There are also limits on withdrawals per week. And helpfully every on line payment generates an email from the Bank.

But then getting people fully loaded with debt, the US model, adopted by us is not how the French operate.

Obviously there are details to nail but one thing we know for user the ease at which all computers can be hacked and the rapidity that the money can go abroad will increase fraud generally in the future , currently we are looking simply at scams involving human interactions.

I am not sure we have a fix for humans so lets look at fixing payment systems.

Profile photo of duncan lucas
Member

This is now the second Convo in two days where other posters are able to post on a new Convo at approx. 10.30 am and I cant do that as the LATEST DISCUSSIONS does not appear on any of my 4 browsers till 10 pm at night —somebody trying to tell me something ??

Profile photo of John Ward
Member

Do you mean that the ribbon across the top that includes ‘Recent Activity’ does not appear, or that you are actually being blocked from making a comment? There are other ways to get into the comments but not to see them all in date order. I always go straight to ‘Latest Comments’ in the ‘Recent Activity’ drop-down menu and I have never had the problem you mention – I can’t believe it’s personal but perhaps there is a conflict somewhere between Which?’s system and yours.

Profile photo of duncan lucas
Member

John I have kept my mouth shut at the increasing number of trackers here , I wont list them to embarrass Which but they are now using the latest technology -to UNIQUELY identify you , its the latest method to silently not only track you over websites but to rearrange what you see on WHICH . It cant be blocked by normal means ( but I have a way if I want ) but using a special browser I was able to identify it -HTML5 -aka- canvas fingerprinting extraction -see research papers by Princeton University (USA)+ KU Leuven University Belgium and I have many high tech. investigation websites giving all the info on it –and it isnt nice . I have archived two of the most prestige tech. websites around in relation to the inner workings of tracking , in other words apart from the sly tracking they can “rearrange the website to what they want to display to a visitor . That they have done it to me , is ,in my opinion -below the belt and more like the antics of GCHQ , dont expect me to be able to post on a new Convo till 12 hours later than everybody else . If they had not done this I would have kept quiet about this “new ” way of working , and presenting it as “benign ” isnt going to work I know ALL the facts -full stop.

Profile photo of Ian
Member

They use more than most sites. I have brought it up with them before but accept their argument that it’s now becoming common among commercial sites.

Profile photo of duncan lucas
Member

“Miraculously ” I can now see -Latest Discussions and the latest convo if it stays that way I will say no more about it.

Profile photo of John Ward
Member

Could’ve been a blip, so fingers crossed, Duncan. But from what you have told us you have quite a defensive system yourself so perhaps Which? Conversation struggles to get through.

Profile photo of duncan lucas
Member

A “defensive system ” that only works for 12 hours John ?

Profile photo of John Ward
Member

Well, I assume you are not trying to stop Which? Conversation reaching you, just to make it more difficult for the wrong sort of contact from the wrong sources.

Profile photo of duncan lucas
Member

John it only happened two days ago , no changes were made to my PC , nor was any of my browsers changed nor search engines and the fact that after 12 hours I could see the new convo+ latest Discussions point to Which,s server not anything related to me. I knew something was up anyway as I was getting unusual stability conditions for a good while . John a lot goes on behind the scenes. I let myself be tracked by the “new system ” which is related to the log-in system used by Which -WordPress – Which isnt the only website using this but its the only one that I have problems with.

Profile photo of Lauren Deitz
Member

Hi Duncan, this sounds really strange to me as the convos over the past few days have published overnight so you should have seen the appear in the early hours of the morning (if you’re up and looking for them that is :P). I’ll do some digging and find out if there’s a fix for this, I don’t want you to be missing out 🙂

Profile photo of duncan lucas
Member

Lauren it was sorted by , I take it , Which, the day after my last post on it , thanks Lauren.

Profile photo of Lauren Deitz
Member

Ok good. If you do see this happening again for you would you be able to email me some screen grabs of what you’re seeing – it will help us in trying to work out what the problem is

Profile photo of John Ward
Member

Malcolm – I picked up your explanation for the duplicated post on another Conversation so please ignore my previous remark. I remain surprised that the moderator cannot delete a duplicate post, however, as sometimes it is due to a system glitch.

Profile photo of wavechange
Member

I wonder how many banks and other financial institutions still send emails that include phone numbers and email addresses in emails rather than inviting customers to look up this information and get in touch. If members of the public are expected to behave responsibly then the banks etc. should have learned to do this years ago. If banks etc. have to call their customers then they should ask customers to look up the contact details and make the phone call.

If the public is made aware that unsolicited phone calls and emails with contact details are likely to be scams we might make progress in tackling the current problems.

Profile photo of alfa
Member

Very good point Wavechange. I regularly sing my bank’s praises, but was not impressed to get a letter asking to check held details were correct. Name, address and date of birth were put in writing for me to check.

Education is needed on both sides it seems.

Profile photo of VynorHill
Member

Who needs a scam when anyone can walk in and steal money from 20,000 customers in one go? Who said that on line banking was fool proof? Who is next? Sadly, trust in the internet is vanishing and this great shopping, banking and lifestyle experience may yet founder if these security leaks can not be patched.

Profile photo of duncan lucas
Member

Agree with that Vynor -Tesco “payout ” weekend .

Profile photo of John Ward
Member

20,000 customer accounts is only half of it – I read that over 40,000 accounts were targetted but many were not emptied because the fraudsters did not have time to finish the job before all accounts were frozen.

Profile photo of VynorHill
Member

Ps. Since many scams rely on sophisticated profiling to succeed, anyone trawling through the pages of Which Conversations would have a field day. Some risks are worth taking and sticking an oar or two in here is worth it.

Profile photo of duncan lucas
Member

They got fed up after a few years and stopped bothering me Vynor as I never reply to emails that look the least bit “iffy ” / bad URL,s and my call-blocker works . I dont care anyway nobodies going to repress my comments just because I fear somebody will use any info I give out and they know I dont do Internet transactions , now if only I could stop the postal “death merchants ” without getting myself arrested !

Profile photo of John Ward
Member

Melanie – Is it possible to have some clarification on the points I raised at the beginning of this Conversation?

On 4 November 2016 I wrote : “I am a bit mystified by the statement “From our research, we know that one in ten of you have either made a bank transfer to a fraudster’s account or know someone who has. Who are the “you” – the Which?-Connect panel [or just those who completed the survey]? The Conversationalists? The adult population at large? Or does it mean 10% of only those who have ever made a bank transfer or know someone who has? I always find numbers more useful than percentages, especially if making a case for something.

As a further point, how many reports of bank transfer scams have you now received in response to the enquiry in the Intro?

Profile photo of John Ward
Member

@ldeitz,

Hi Lauren – I refer to my post above. I raised some queries on a section of the Intro to this Conversation and so far there has been no response. Could you see what the problem is please and expedite a reply?Thanks.

Profile photo of Patrick Taylor
Member

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3666355/

Discussing statistically estimations of knowing people. So if we have a pool of people and we all know 500 and one in ten of us reports a case then that would be one in 5000. However we could have many of the 5000 report the same case.

Basically it is a minefield and, after all the times we have asked for proper figures and how and where derived, we get ignored. I accept that not everyone is interested but remember the average subscriber is more intelligent than the UK average. Humour us and put this data somewhere where it can be analysed.

It is a well-know fact [ honest]* that journalists are terrible with statistics and prone to misuse so lets get Which?’s act together.

http://www.badscience.net/category/statistics/

*1.68m hits on Google

Profile photo of Lauren Deitz
Member

Hello John, sorry for missing this question. I think we need to clarify this for the purpose of the Convo, so I’ll change this. This was part of the research carried out ahead of our super-complaint, Which? asked 2089 adult members of the public on the 7th and 8th September 2016 if they, or anyone they know, ever made a bank transfer payment which was paid into a fraudulent account. One in ten (9%) responded either saying that they had themselves or know someone that has made a bank transfer into a fraudulent account. So the ‘you’ in this case is genralised to extend to the UK adult population as a whole.

Profile photo of John Ward
Member

Thank you very much Lauren. That is a staggering statistic. I hope all those surveyed fully understood the question because, on the face of it, its almost unbelievable that there is that much fraud occurring on a little-used payment system. I am intrigued to know where the evidence is to support it [media comments, casework, investigations. prosecutions, etc].

Although the number of Faster Payment System and other money transfers [via CHAPS or BACS] is rising it is still small. In fact, I would doubt whether ten percent of the population has ever made one of those types of payment. As Patrick comments above there is a risk of duplicated evidence and hearsay with this type of question which is not very robust for a subject of this importance. I have to admit to still being a bit lost in the percentages of percentages analysis of the survey data and feel it would be far better to present numbers.

And do you, by chance, have an answer to my second question? – How many reports of bank transfer scams have you now received in response to the enquiry in the Intro?

Thank you.

Profile photo of Patrick Taylor
Member

I hope it was not Which? who did the survey directly as one might be forgiven for thinking how stupid it was. You have conflated what should be two questions to give a startling one figure answer. I suspect this was for dramatic effect and cannot be justified.

Just to make it clear:

Q 1. Have you ever made a bank transfer payment which was paid into a fraudulent account
Q 2. Do you know if anyone you know, has ever made a bank transfer payment which was paid into a fraudulent account

This would produce one reliable figure and one slightly less reliable figure. There is a wrinkle in people understanding what is meant by a fraudulent account and the case where people misguidedly send it to the wrong account.

So Q1 and Q2 should be actually Q3 and Q4 as you first rule out the accidental transfers. A supplementary question as to whether the person recovered the money would also have been of interest. Within Banks and external Banks should have produced interesting numbers on recovery.

All in all this survey sucks mightily and is an embarrassment as a basis for the Conversation.

Profile photo of Patrick Taylor
Member

As a general comment. Tweaking an initial Conversation piece after it has been published and people have responded may be wise in some instances.

However it is good journalistic practice to make a note of changes so people will understand that contributors comments made perfect sense when they were posted.

These amendments are traditionally shown at the end of the piece.

Profile photo of Lauren Deitz
Member

Hello Patrick, should editing be major and change the sentiment then you’re right we would normally add such clarifications at the end with a note to explain how and why we have done so. In this case I’ve simply added further detail as to who and how many we surveyed. Thanks

Profile photo of Lauren Deitz
Member

Hi John, not a problem – sorry you hadn’t had a response sooner, sometimes it can be difficult to see these questions.

We’ve had a wealth of evidence come in – the tool that we’re collecting evidence with has had over 30,000 submissions so far and it’s only been running for 13 days. That’s not to mention the comments left on convo, correspondence via email and also a bank of Which? member stories. All of this evidence is just our own that we’ve collected from our audience, other organisations are also collecting their own evidence and data which seems to indicate that scammers are successful at using bank transfers to con victims out of money. We’re still collecting our evidence to submit to the PSR, but we expect to report on the number affected and the estimated figure of the impact of scams soon.

Profile photo of John Ward
Member

Thanks, Lauren. It will be very interesting to drill down into some of the evidence in due course to see how this enormous number of transfer diversions is occurring, and with so little public attention as well. It’s putting a big question mark over the payment transfer systems and banks should be feeling very uncomfortable at the lack of trust that this will cause.

Assuming the CMA comes to the same conclusions, consumers need to be very worried about this and I feel Which? should, in due course [once the evidence has been tested and found reliable], issue a strong warning.

I realise this is speculative until the evidence received has been accepted, and until the CMA have reported back on the super-complaint, but what is shocking is how the scale of this scamming has been kept under wraps for so long and I should be surprised if even the Financial Conduct Authority was aware of its possible magnitude.

Profile photo of Lauren Deitz
Member

Hello Patrick, thank you for sharing your concerns. I’d like to explain that this survey was carried our by the polling organisation, Populus. It surveyed a nationally representative sample of 2,089 UK adults online between 7th and 8th September 2016. The question was indeed split – 5% know someone who had made a bank transfer to a fraudulent account and 4% made the payment themselves.

Profile photo of malcolm r
Member

And these people had actually transferred money to a fraud account following the intervention of a fraudster, had they? Or did it include payments made to someones account as a result of a scam offer? This did not include payments made by the customer’s mistake to an incorrect account did it? It would be useful to publish the precise questions asked by Populus.

I would have thought there would be information available from the banking system operators about the numbers of fraudulent payments made by customers. I imagine reports are collected and analysed.

Profile photo of Patrick Taylor
Member

Thanks for the detail. For those not familiar with the on-line surveying community:

Populus Live Home
Hello!
Earn £1 for every 5 minutes
We are the online community that allows you to earn £s in return for your time completing surveys. As a member you will be financially rewarded for participating in our surveys and enjoy several other benefits.
Joining our community is simple. Sign up now to start earning today.
Enjoy, The PopulusLive team

You will appreciate that by earning money they have every incentive to answer surveys. Given they are paid by the minutes that the agency decides is enough I do wonder if those supplementary question I outlined were asked. Can we see all the questions asked? And the paid time limit applicable.

I wonder how similar our dear own Connect respondees would be to these figures. My money is on lower percentages. But then possibly not as they may have larger friendship circles and also probably be of the age group so often targeted by scammers.

Perhaps Which? should check the response rates and see if there are any significant differences between Populus and Connect. And in fact given I am about to write to several hundred of Members I will ask them.

Profile photo of Beryl
Member

When I purchased my present home about 26 years ago when CHAPS was less widely used, contracts were exchanged on a Friday and the whole proceeds of my cash purchase were held in the solicitors bank account until the following Monday gaining interest. It was later after receiving a bank statement claiming interest for the missing two days transfer that I queried this with my bank stating it was rather deceitful practice on the part of my solicitor when she could have in fact used the CHAPS system.

The bank manager was very sympathetic and agreed to refund the interest.

Profile photo of Patrick Taylor
Member

Beryl – An interesting case of a Bank manager doing a nice thing for a customer – because he could authorise a refund on interest.

Blaming the solicitors or carrying out a case study were probably not time effective for him so refunding your interest was a convenient answer. And for good customers one was always amenable to solving their problems. As I write that I realise I was always amenable to solving problems for people as it was so often guidance on what to do in future or providing knowledge to help them understand. Making life easier , or giving customers confidence in a situation or even the Bank was a worthwhile use of time.

Anyway the CHAPS payment system is not fool-proof and in fact never will be as it requires there to be no hiccups in the system. In the last century it was complex as you might need counter-authorisations and codes to be calculated by very senior staff.

I can speak about this as I recall the original system and the early afternoon cut-offs and more relevantly my wife has been doing these payments for a firm of solicitors for the last year. The system even now has hiccups, and solicitors too can have problems in getting confirmation payment has been made and then time to make another payment to the customer.

I do fear that if no one bothers to explain the process, the problems, the dangers, that members of the public will have a misleading view as to the reality of payment systems.

This of course would be a splendid base article for CAwiki so if people had queries they could swiftly get a useful answer on how it really works as opposed to theory.

Profile photo of John Ward
Member

So far as I can recall, the CHAPS system involves reconciliation at a senior level in both the sending and receiving branches and I would suggest is a far better service for solicitors to use for moving house purchase monies. This was one of the reasons why completion was usually at least two weeks after exchange of contracts as it enabled the buyer’s solicitor to gather in the advance from a mortgagee, deposits from banks and building societies, and funds contributed directly by the buyer. They would be held in the solicitor’s client account accruing interest at a daily rate until completion day when they would be transferred to the seller’s solicitor. The fee is around £40 which is not much considering the value of the transaction and set alongside all the other claims on our wallet during a home purchase.

The Faster Payment System seems to have eclipsed CHAPS but is inherently less secure for all the reasons already discussed and has been prone to fraudulent acts perpetrated via e-mails. Some solicitors’ firms and conveyancers have been badly caught by this and lawyers have been urged by their professional conduct bodies to tighten up their e-mail security and place less reliance on it for communicating confidential information.

I remember many years ago having to make an appointment with my bank to attend upon the under-manager in order to collect a banker’s draft [representing my deposit] that I then had to carry round to my solicitor’s office for them to bank so that my funds to buy a flat were in place a few days before completion. I had never before felt so nervous, carrying this banker’s draft around, because it was as good as cash to anyone holding it since it was drawn on the funds of the bank itself. I believe they are still available on giving notice.

Profile photo of Patrick Taylor
Member

” I had never before felt so nervous, carrying this banker’s draft around, because it was as good as cash to anyone holding it since it was drawn on the funds of the bank itself”

Untrue. The payee was your Solicitor therefore of no real danger of conversion.

Profile photo of John Ward
Member

Yes. Good point, Patrick – I’d forgotten that essential detail. Still, it would have caused a lot of problems if I had lost it or the receptionist had bundled it in with some other papers. That’s why I am a strong supporter of paperless money transfers for large amounts in such circumstances.

I have also become a frequent user of the Faster Payment System with one or two payments every week being dealt with that way. Hence, I am very worried about the extent to which this service is being compromised and made untrustworthy by the actions of fraudsters.

Profile photo of malcolm r
Member

We last purchased a house 3 years ago. The solicitors correspondence was all by regular mail. No problems there. Suggested payment methods were a building society cheque for deposit and final payment or bankers draft. We chose the former. It all worked very smoothly. No likelihood of fraud.

Profile photo of Beryl
Member

PatrickT, I was fortunate at the time inasmuchas as my late bank manager son was able to shed some light on banking transfer practices. As you rightly allude to keeping abreast of changing banking procedures is not easy unless you are closely involved in their day to day procedures, something I do miss since my son passed away.

Banks will and do look after their careful customers where possible and I know Managers are well trained to suss out the prudent from the irresponsible in managing their financial affairs and do recognise the need for leniency when the unexpected occurs where appropriate.

The increase in bank fraud which has replaced the old gang orientated robberies is now of major concern to all banks and has given rise to a more generalised mistrust of all their customers and their accounts, since it is the banks who usually end up paying for these losses, ultimately at the expense of their more responsible customers. It’s a difficult and unenviable balance to maintain for all present day banking staff and I often wonder how my son would cope if he were alive today.

Profile photo of Patrick Taylor
Member

http://www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analysis/

Some more interesting insights in how it was possibly managed. The question of the disputed withdrawals that must exist with Tesco surely deserve some serious consideration.

Profile photo of Patrick Taylor
Member

http://www.theregister.co.uk/2016/11/17/banks_quit_windows/

Presumably not directly to do with transfers but indicative that there are doubts as to the security of a major Microsoft product.

Member

I recently had cause to transfer a large sum of money so I took the recipients name and bank details (NatWest) to the local branch and asked them to verify that it was a genuine account. The manager refused to help quoting “data protection” and when I asked him if NatWest were happy to be complicit in a possible fraud he just shrugged his shoulders. If banks aren’t prepared to verify accounts then they must be held responsible when things go wrong. Happily my transfer worked out ok but no thanks to NatWest.

Profile photo of malcolm r
Member

There is a genuine data protection issue as I understand it which is one obstacle that is being investigated so I suspect your manager was correct. What would you – or he – regard as a “genuine account”. If it was so simple we would not have this debate. The simple way which you may have read from this Convo is to transfer £1 initially to see if that goes through properly. You don’t say what you were transferring money for, but if you had the slightest doubt in your own mind about the authenticity of the transaction then it would be wise to not do it until you were satisfied.

Profile photo of malcolm r
Member

I had another email from Which? imploring me to support their petition and get 3 other people to do the same.
“The PSR has 27 days to respond. But for now, please forward the below email to three people and ask them to sign our ‘Safeguard us from Scams’ campaign. With your comments and their support, the PSR can’t ignore us.”
So without seemingly any information for these other people to base a rational decision on they want to increase numbers based on a red-top style leader.

I would have expected firstly that Which? would have done all the work necessary and sought case studies and losses uncurred before putting together a super complaint to the Payment Systems Regulator. Perhaps they only had opinions and not evidence at that stage?

As the PSR have stated their treatment of Which?s complaint, including an interim report on 22 Dec (I think) with consultation thereafter to progress the investigation why is is felt necessary to harass them with a petition?

Do Which? think the PSR are “ignoring” them? Of course they aren’t. Are Which? attempting to bully them by inciting public opinion? I hope not because this is a serious issue requiring serious and in-depth
investigation for suitable and practical remedies.

Come on Which?, you aren’t a popular daily relying on headlines to grab attention. You should be professional in your approach, and allow the PSR to get on with the job you’ve asked them to look at. When you disagree with their initial findings you might then have grounds to lead another campaign.

Profile photo of duncan lucas
Member

In relation to malcolm,s comment my email client Thunderbird has started blocking this new type of email , not completely just stopping remote data taking, your computer details etc . On checking on the webpage there is now a list of the three most popular “social websites ” , as well as others I know about but didnt cause any problem previously , while I have no problem with Which taking data from me that does not apply to those particular websites of whom i never visit nor have anything to do with. I am leaving Thunderbird in its blocked state , the social websites I already block on my browser, I dont mind Which knowing each time I view the message but what platform +application I am using known by social websites – no ! “web-bugs “

Profile photo of duncan lucas
Member

Malcolm I am in constant contact with a large number of British and American organisations who use exactly the same methods as you say Which uses , it is used worldwide and is now nearly an”industry standard ” . Some are smaller but others are major well known organisations , what you are wanting from Which is a very high “morality ” standard -way above the mainstream organisations , maybe Which thinks not doing what they do would inhibit getting across to a wider range of the public and getting a better average of poll /survey results so that they could publish with a higher degree of backing . Its a strategy that is working wordwide for many Freedom websites ,so much so that the government in the US is bringing out legislation to stop “fake news ” the problem is the US government itself has been churning that out for many decades , admitted to by those who were in charge of the CIA /FBI etc in public statements (not in the UK ) So why shouldn’t Which get “more ” of the truth if it helps in judging public opinion ?

Profile photo of Brec
Member

Received an email a couple of weeks ago supposedly from Apple iTunes about online purchase. There was a link to cancel. Fortunately contacted my Bank first and they told me there was no debit and it was a known scam. A phishing scam. Reported it to Action Fraud and Apple. So easy to click the link in a panic. Received a couple after marking it phishing in outlook then blocked it in Junk. This seemed to stop them.

Profile photo of malcolm r
Member

The Payment Systems Regulator has initially decided that banks are not generally liable for payments made to scammers. An expected outcome. In my view, if a bank has allowed accounts to be opened by known criminals involved in scamming, then they have a responsibility, but how on earth could a bank decide this? Should anyone with a criminal conviction above a particular level be denied a bank account? How do you deal with foreign banks? We must therefore take responsibility for treating our money and online transactions with care.

I think Which? made a populist complaint here, rather than a practical one. If they had made proposals to improve the on-line transfer system, talked to the industry about better security measures, and approached the problem as one that required co-operative effort I would have been more supportive. As it is, this is the line the PSR appears to be taking, including looking at how a third level of security might work – such as including the name of the payee. That is not the silver bullet though; often the name is so similar as to be overlooked; or there are several ways a payer might write the payees name, particularly when individuals are involved – full names, initials of first names, one initial + one christian name for example. It needs work that the PSR seems to be undertaking. I hope Which? will work with them.

Profile photo of alfa
Member

The problem with scammed payments seems to be that they go into a big black hole with no one apparently bothering to find out where.

Scammers accounts had to be opened, there must be names and addresses attached to them whether they are valid or not and it seems to me more effort should be put into identifying them and their account holders.

Profile photo of duncan lucas
Member

Your right Alfa and the NSA/FBI do it now and they have been arrested and jailed . There isnt a telephone line in the US they cant trace , they just dont publicise it.

Profile photo of Ian
Member

The Payment Systems Regulator has also decided that banks must ‘do more’ to identify potentially dubious transactions. I’m a little concerned that the banks might react by increasing the difficulty level when people are making normal transactions.

Profile photo of Lauren Deitz
Member

Hi all, indeed the PSR did respond to the Which? super-complaint this morning. We’ve got a convo coming on this shortly to explain more about what happened and what this means as far as the Which? campaign is concerned.

Alex Neill, Which? Director of Home and Legal Services, said this in response to the PSR this morning:

‘The regulator has finally acknowledged the considerable consumer harm caused by bank transfer scams. However, while recognising that the industry is not doing enough, it has failed to adequately address the issue of liability and has let the banks off the hook, giving them little incentive to do more to protect their customers.

‘The outcome for people is unfortunately that they will continue to be scammed out of millions of pounds. We need to see swift action and not see this kicked into the long grass in the second half of 2017.’

And we’ve published a news story here: http://www.which.co.uk/news/2016/12/super-complaint-response-lets-banks-off-the-hook-458882/

Profile photo of malcolm r
Member

The PSR has only issued an interim response. It is committed to looking at ways to improve the security of online payments. Perhaps Which> could tell us how they would improve security in ways the PSR has overlooked?

Profile photo of Ian
Member

The W? article says: “In response to our super-complaint, the PSR has told banks that they need to do more to protect their customers. It found that banks need to improve the way they respond to bank transfer scams and do more to identify fraudulent payments. But the regulator concluded that it hadn’t found sufficient evidence to justify a change in liability, so banks will continue to not be liable for reimbursing victims of bank transfer fraud.

The problem is that of liability, obviously. Currently, if someone moves money from their account they’re liable. If this changes, for whatever reason, I suspect it opens the gates to people claiming they were duped into transferring money illegally and thus seeking restitution. Not all of these folk will be honest. And therein lies the problem.

Profile photo of John Ward
Member

I don’t recall Which? bringing us an update on the two new measures announced on 29 November 2016 that (a) will allow customers to double check they are paying the right person when making an on-line transfer payment [Confirmation of Payee], and (b) will ask customers to confirm the payment when money is taken from an account by a direct debit [Request to Pay].

The initial response to Which?’s super-complaint by the Payment Systems Regulator does not surprise me. A number of members were firmly opposed to unlimited liability on the part of banks but generally their arguments were ignored by Which?, although, presumably, considered by the Regulator. Personally I feel the Regulator has exercised common sense and if Which? is disgruntled then perhaps it should have been less sensationalist in its approach. Perhaps it should also not have been so easily seduced by the elaborate tale of a TV celebrity.