/ Money

Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams image

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, unlike with the protections in place for other payment methods, such as credit or debit cards, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected.

The PSR has already agreed with us that banks could to do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive on them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.


Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?

Comments
Guest
Catherine Deery says:
6 April 2017

My Santander bank in Penrith made sure that I was sending money for a eBay purchase to a bona fide trader, I am seventy off and appreciated the help and advice.

Guest
Graham Fairhall says:
6 April 2017

Perhaps for a transfer over a certain amount ( which could be agreed with the customer in advance ) then a quick check by e-mail, mobile phone might be a sensible idea. My credit card company operate a similar policy with spending patterns outside a normal range and on overseas use unless I notify them otherwise.
If I am responsible for money going astray ( by typing in error a wrong sort code/acc number ) then that is my problem, and I would not expect the bank to re-imburse me.

Guest
Peter Dawson says:
6 April 2017

If I have to send any large amount anywhere. I send a small number of pence first and then check with the expected recipient to see if it has arrived in their bank account. I even did this for a payment to my brother who had given me his bank details, just to ensure that I had typed in the correct information. I saved the information in my account so I could easily transfer the balance.

Guest
David Thomas says:
7 April 2017

Great idea! I will adopt that policy

Guest
Carol Wilson says:
23 April 2017

I like your thinking! Great idea

Guest
D.O'Connell says:
6 April 2017

NATIONWIDE has altered and increased the log in procedure for our current account,

Guest
Alice Knight says:
6 April 2017

I would like UK banks to notify people when the account number of the ‘receiving’ account does not match the name of the account holder. In this way the person transferring money would know that they were a victim of a scam. In Germany and France this is done so why can’t it be done in the UK?

Guest
David Williams says:
6 April 2017

I use two Banks.
1. HSBC for all main transactions ,to receive my Pension payments and for me to carry out living transactions.
2. Santander, to pay my domestic SO’s (Gas-Electricity. Council Tax etc).. also to give me interest on my capital invested.
Referring only to the HSBC I noticed that in the last 6 months to one year; particular surveillance has been focussed on VISA and Master Card Payments. In particular I have received five or six mobile messages requesting that I contact a security office ( given Number ) to respond to questions about certain accounts that have appeared to be dubious. My Personal ID procedure has been upgraded and on two occasions a card has been blocked then replacements issued.
The conversation with the office has always be on a friendly / advisory basis.
I am pleased by the way these changes with others have been introduced.
end

Profile photo of davidejones
Guest

There is only one way to ensure our communications with the bank are secure and that is face to face, at the bank. Unfortunately technology is taking us away from this, and the more links we put in the communication chain, the more insecure our data becomes. One way we could improve matters ( for online customers ), is to ensure that the banks only send us ONE message, and that is ” there is important infomation in the notes in your secure account. ” We would then have to access our account and read the message list. No other communication by telephone, email, text, letter or pigeon should be considered to be legitimate.

Guest
Ros Florence says:
6 April 2017

My bank ask if I know who I am sending money to before I send it

Profile photo of duncan lucas
Guest

Just got an email from Krebs , seems an 18 year old French kid with very high intelligence wrote a malware programme that was able to access banks in the USA gathering customers data , the author of “Nuclear Bot ” no less which (he said ) was able to bypass IBM security product –Trusteer Rapport – “nonsense ” said IBM (they would wouldn’t they ? ) funnily enough he then got a job “opportunity” in California offered to him shortly after , as one US wag said- yes get off the plane black bag over head /handcuffed / fast trial and 10 years in a US jail (no parole ) . Moral-Banks safe ??–and beware of Californians bearing gifts .

Guest
Elaine says:
6 April 2017

My bank said that data protection prevents them from saying if an account name and number don’t match. So if I want to pay John Smith and mistype the account number and it goes to Mr Jones that’s all my fault. I don’t see why they cant just flag up ‘The name and account number don’t match, please check both items carefully?’

If a bank has opened an account for fraudsters to move money into, they should be liable for all the people robbed by them. It is so hard to open an account it suggests that help from bank employees who have the authority to authorise opening could be a problem in some instances?

Profile photo of malcolm r
Guest

If you mis-type the account number, then of course it is your fault – surely you cannot blame someone else. The banks do not match name and account; the name is simply for your information as to who you paid the money to. Until a method of linking account name to the transaction is developed – and this seems less easy then people assume – we are stuck with a two-level payment reference. The PSR are working on this. I transfer £1 until I have confirmation the transaction went to the right person.

Guest
Geoff says:
8 April 2017

If banks ask for name AND number then it is not unreasonable for the bank customer to assume that the detail is cross-checked.

Guest
Graham Dellow says:
6 April 2017

Banks must stop closing branches, if people have any worry about an email, a phone call or any other contact, they should visit their branch or phone their branch to discuss, before doing anything else.

Profile photo of malcolm r
Guest

Banks close branches when insufficient people use them. If people used them more…..a chicken and egg situation. I’d like to see “combined branches” where one place had representatives from different banks to cut costs.

Guest
David Thomas says:
7 April 2017

I disagree, Banks close branches to save money.

Guest
Gloria Collings says:
6 April 2017

I also made a recent Bank Transfer with Santander – Evesham – and they asked several questions, checking that I knew the person the money was being sent to.

Guest
ANDY says:
6 April 2017

It is equally clear that the use of internet is as big a part of the problem as the financial institutions. The internet companies also need to do their job properly and need to be policing these scammers.

Guest
Beverley stone says:
6 April 2017

I recently needed to transfer £2695 to a garage for a second hand car purchase. When I attempted to send the money a message on screen told me I need to phone a number to my bank. I was in a hurry so was a bit miffed being asked a load of personal security details remember family name pet cat town of birth etc which went on for at least 15 minutes. I was also asked if I knew what a scam was and if I could recall any. Thankfully I passed the test on request sending the money I had to authorise the funds after a call from the bank asked me to say or tap in the on screen number.. I was pleased the bank was being watchful but I think there ought to be a simpler way. My bank was Halifax.

Guest
Geoff says:
8 April 2017

For large purchases such as a car then use your debit card at the time you collect the car from the dealer – that way they don’t get the money until you have the keys in your hand.

Guest
Ephie Zeilon says:
7 April 2017

I can recommend my bank Svenska Handelsbanken. It is a Swedish bank with a significant high street presence in the UK http://handelsbanken.co.uk.
It is everything that the English high street banks are not. It is ethical, it is personal [everyone has a personal account manager: not just millionairs] and it is extremely safe. Their internet security procedures are a bit tedious at first, but when you learn them, they are water tight, in fact unbreakable. Try them, and you will wonder why you ever bothered with English high street banks. Still, they don’t have a way of protecting the customer from a wrong bank transfer [done in error, or due to scam] – so I’d welcome legislation that would protect customers.

Guest
Keith Whitty says:
7 April 2017

Barclay’s are stopping my payments until I return a text to release the funds on unusual or new payments. I was also offered compensation when they refused to refund a payment 3mins after I made it, realising I was being scammed. Their staff were ridiculous when I first reported the issue and it took a 6months the to be compensated when it could have taken 5mins.

Guest
June Nelson says:
7 April 2017

My, TSB, bank behaved in exemplary fashion; blocking my card after two unusual foreign transactions. They telephoned me and when I assured them that the transactions were as intended my card was unblocked immediately

Guest
Charles says:
7 April 2017

There are a number of positive steps banks could take to stop, or lower the ease with which the banks have facilitated the fleecing of the credulous, aged and vulnerable . This will require joint action by more companies than just the banks. The banks are just the tip of the spear.
– Allow customers to block at the branch any transfers from their accounts outside of DD’s and standing orders, and place limits on these amounts of so that if they are breached the customer must come into the branch and authorise the payment.
– Carry out better checks on DD’s and standing orders.
– Train the bank staff instead of sticking poorly trained staff in branches and call centres.
– Man the bank fraud departments at week ends,24 banking started decades ago. Yet the fraud prevention departments shut up shop for the week-end. The Friday afternoon scam is a well know FACT. The scammers recognise and exploit the fact that the fraud prevention staff stop work on Friday and only resume on Monday. Whereas the scammers and thieves work week-ends.
– Mandate high staffing levels in the fraud departments, by law. We have regulations on adequate balance sheet capital, why not on adequate fraud prevention staffing?
– Ensure that payments from accounts MUST have
i. the sort code
ii. Account number
Iii. Name .. this last additional check would help.
=If the customer is making a payment over £3,000 they MUST visit the branch before the transfer to authorise the payment.
-For payments over £3,000 the banks must phone the customer and explain the risks of being scammed.
Insist that the telephone companies change their systems so that when a person puts down a telephone the line is cut, and the scammer cannot keep the line open.
-Fine the banks millions for failing to protect their customers.
-Link executive bonuses to levels of customer financial losses. “What gets measured gets managed!”

These are some changes but as they are branch centred I doubt that the regulator, parliament, MP’s or the banks will be keen on implementing them.

Guest
Marilyn Sheffield says:
7 April 2017

When we lived in Dubai the bank sent an automatic text when a payment had been made, so we could easily contact them if it wasn’t us. It worked as someone used my credit card details to buy car parts in Italy. The bank eventually refunded the money.

Guest
BEAU TAYLOR says:
7 April 2017

My bank always rings me to check any new transaction before it authorises payment. This is a good thing as I always know where my money is going. If there is any strange activity in my account I would always be rest assured the fraud team would I form me Immediately.

Guest
sue allenby says:
7 April 2017

Any unusual activity should be followed up by email or text to the customer. A reply from the customer should be mandatory. If the customer is over 60, the contact should include a phone call if there is not response from virtual contact.

Guest
Peter Murray says:
9 April 2017

Why over 60? there are plenty of people under 60 that are’nt glued permanently to their smartphones and a great deal of people over 60 who use smartphones and are internet savvy. There are plenty of people who are intelligent to know better who get caught out by scammers, common sense seems to be a rare commodity these days in people of ALL ages.

Guest
Maria Sargeant says:
7 April 2017

Yrs later and still in the dark and life is unbearable. I have come to realise ” one mustn’t complain ” …. best just put up and shut up. …

Guest
David Jarman says:
7 April 2017

Not sure this counts, however my bank Halifax seconds after i had
made a purchase at a cost of £26 plus on line i had a text from the
Halifax asking me to confirm i carried out the transaction, never
happened afore pretty dam good i thought.

Guest
Janee says:
7 April 2017

I am with Santander. I have internet banking and use it – wouldn’t be without it. However when I want to transfer a large some of several thousand i.e. self assessed tax bill, gift money to decrease estate I go to the branch to do this. Every time I have had to produce photographed ID (passport) and the staff member has read to me a statement to make me think if it might be fraud. I always tell the staff member the reason for the transfer.

Last time I did this I had quite a long conversation with the staff member who intimated that often they suspect that the transfer may be suspect but there is not much they can do about it. To my mind there should be 2 gateways: Does the name on the account to which the money is transferred match what the person transferring thinks it should be
and
there should be a cooling off period so that a fraudulent transfer could be pulled back

In the days of cheques the cheque would take at least 3 days to ‘clear’ and could be ‘stopped’ within that period. Also (and I worked in a bank during the early 70’s) we checked each cheque coming into branch to make sure that the payee matched the account – pretty sure on that. But cheques were paid in via a credit payin slip over the counter. If payee did not match account then cheque was rejected and sent back to the bank of the payee!

So maybe the old ways have a lesson to be learnt…..

Guest
David O'Brien says:
7 April 2017

The initiative to final check must be with the banks. A lot of scams are old but often fresh to their victims and there are easily accessed databases of e mail addresses , phone numbers (usually proxies) etc that are habitually used for scamming. I would think 80% or more could be detected by bank staff with a little knowledge and experience. If it has whiskers, a pointed nose, a worm like tail and squeaks it is a rat but often experience enables one “to smell the rat”.

Profile photo of Vixi
Guest

In view of the number of naughties carried out by any number of banks in any number of their transactions (I give you RSB Coutts as but one pretty horific example) and yet almost zero prosecutions in the UK, unlike other countries, they will only see it as being in their own interests to behave and put client interests FIRST will be when the law puts responsibilty on senior staff AND directors, no matter which minion caused the situation. That is why senior staff and directors get paid SO MUCH MORE. I certainly had to accept that reality (in the real world) as the CEO of various national and inter’al NFP orgs. Why not banks?

Guest
Jaclyn Beckwith says:
7 April 2017

We all get emails from our banks, how are we all to know whether to open them or not?
Many of us open them to a scam or hackers.
I think we all need to know to keep us safe.
Thankyou Jaclyn

Guest
Liam Lynch says:
7 April 2017

Open more branches instead of closing them, which would allow people to deal directly with their bank and reduce reliance on machines or online transactions which are in turn more susceptible to scams.

Guest
D C Nastri says:
8 April 2017

When a bank customer makes a transaction of more than £100 to Mr A or B or C the payment should be held automatically in a secure account for a period of say three days before the funds are released to requested the payee this will give the customer a cooling off period, very help full when being pressurised to move funds to other accounts by scammers.

Profile photo of John Ward
Guest

The whole point of the Faster Payment Service is to do what it says on the label. If a three-day waiting period is introduced that would defeat the purpose of the service. As with doing most things in life, care is needed but it is not a difficult transaction and millions of them go through every day without a problem. As has repeatedly been advised, for the first payment to a new payee it would be a good idea to put through a test transfer of a nominal amount [£1] and await confirmation from the payee that it has arrived in the correct account. That proves that the sort code and account number used will put the payment in the right place. After that, the balance can safely be transferred and all further payments to that account will be good.

Other payment services are available from banks for those wanting higher levels of security and are prepared to accept a small time delay [and a bank charge], and cheques can still be used, so slowing down the Faster Payment Service is not an acceptable solution.

It would be interesting to know how many of the millions of daily transfers are currently being affected by fraudulent diversion. I can understand how people can be deceived by a scam e-mail asking them to pay money into a different account to that originally notified but that has been very well-publicised now and I would expect alarm bells to ring, especially for big sums; people have been strongly advised after receiving such a request to obtain confirmation from the intended destination of the funds before carrying out the transaction.

Guest
Iris Jefferies says:
9 April 2017

Yes, my bank is more thorough in taking an interest in reasons why or if large transactions are being proposed; invariably, a senior operator is also involved in checking the transfer or withdrawal.

Guest
alysoun says:
9 April 2017

Scams are important, but even more so is actually having a branch you can visit. In Sheffield my bank Hsbc now only has 3 branches in the whole of Sheffield. I started to use branches in nearby Derbyshire. Mu nearest branches were Dronfield and Bakewell. These have now closed also. If I want to use a branch I either have to travel into Sheffield city entre or Chesterfield in Derbyshire . Both would take up to three quarters of an hour on public transport each way. Banks appear to have forgotten that they are supposed to be offering a service to customers. Complaints come back with the usual “use your local [post office ” (also closed) or use online banking. This is another area for a Which Campaign. You are now penalised if you do not wish to use online banking.

Profile photo of John Ward
Guest

The Midland Bank must be shuddering in its grave, Alysoun, but I suppose it would have eventually become a victim of the same competition and loss of customers.

Guest
LAJollie says:
9 April 2017

One of the biggest scams is allowing payments to online gambling companies from joint personal and business accounts. This is fraud and banks ignore the devastation it causes. I have yet to find a person who sets up a joint account for gambling purposes; it is implicit that a joint account is for managing household finances or business finances, not for engaging in ‘high risk ‘ activities not in keeping with the purpose of a joint account. With joint personal accounts this is financial domestic abuse and is being aided by banks . With business accounts this is fraud ( Police statement), helped by a bank .

Profile photo of John Ward
Guest

With respect, I don’t think it is the bank’s business to question an instruction given by an authorised holder of a joint account be it a personal or trade account. All parties to a joint account are jointly and severally liable for all transactions passing through it.

Guest
Nick says:
10 April 2017

If the Banks were made liable for any losses incurred due to criminal activity, I think that would be an easy change to implement in the Banking Code. It would cause an instant tightening of the regulations, in my opinion.

Profile photo of John Ward
Guest

It might also lead to an increase in criminal activity, of course.

Guest
Noralf Mork says:
11 April 2017

Lloyds have started to send warning SMS for transfers above £90 or so it seems. Asking me to verify if I did authorise the transfer. Which I didn’t do in two cases, and the bank discovered there were more.

Guest
Steve Muir says:
12 April 2017

I would like to see the banks made jointly liable for any fraud via bank transfer. If they were liable for 50% that would be a strong incentive for them to find ways to protect both their customer and themselves.

Profile photo of John Ward
Guest

I cannot see how banks can possibly protect anyone from the frauds that are perpetrated by criminals sending out false e-mails changing the payee details. The banks already carry warnings about this on their on-line payment transfer forms. Some of the cases involve hundreds of thousands of pounds [the balance of a property purchase sum] transferred to the wrong account in consequence of a criminal act using information obtained from the property conveyancer’s office. In such a case, compensation must come from the conveyancer because either their system was not secure or inside information was used, for both of which they are responsible and should have professional liability insurance. I do not see why account-holders’ funds should be used to cover such losses.

Profile photo of Ned
Guest

A second-line tactic is to use two accounts: a main one and a ‘hopper’. If I need to make an uncertain payment I make sure I have a little more than required in the ‘hopper’ and pay via that. If that account is compromised I can only lose a couple of quid from it – which shows I need to close it and open another one for the same purpose.

Guest
Alison Garmonsway says:
17 April 2017

Banks should stop promoting cashless society and contactless payment. Banks should reimburse customers who lose money to fraud otherwise there is no incentive for the banks to increase security or for banks to ensure fraud is fully investigated and criminals prosecuted.

Guest
T Derry says:
18 April 2017

My Bank, First Direct, have introduced voice recognition which is used in conjunction with private details that they have in their files.

Guest
Toby Tobes says:
21 April 2017

I think that the current Lloyds policy of charging interest on the interest a month after you cleared the bill is possibly breaking the law.

As I understand it, if you clear the entire bill on one month, no further billing will apply.

Profile photo of John Ward
Guest

Paying the outstanding amount due does not clear all the accumulating interest on the debt up to that date so I believe that it is a legitimate charge. If lenders forgo that it is a concession.

Guest
Martin says:
24 April 2017

Bank fraud? Online? Offline? The Trojan horse scam is promoted by Lloyds’ practices.

My wife received an email containing this:
“3 taps and you’re up and running
Please click here if you are having problems viewing this email.
We want you to recognise a fraudulent email if you receive one, so Lloyds Bank will always greet you personally, using your title, last name and the last four digits of your account number: xxxx”

But anyone can know your title, last name and the last four digits of your account number! We use them all over the place, and on cheques!!! Here, Lloyds chose to include a link! A link!!! If this was a phishing email, the link could be to a complete webpage that looks just like Lloyds, smells just like Lloyds and may infect your computer and steal your security information as you use it.

Lloyds? Shame upon you.

Profile photo of Stamphorse
Guest

I bank with Santander. I have a £250 agreed overdraft facility which I am charged £1 per day if I use it. On occasions the resultant charge has caused an excess for which I am charged an additional £2 per day. I have been charged £90 for each of the last 2 months in addition to normal interest charges. I thought there was legislation against this kind of THEFT.

Profile photo of DerekP
Guest

Stamphorse, unfortunately this practice seems to be perfectly legal. Other Convo topics on overdraft charges go into more details…