/ Money

Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, unlike with the protections in place for other payment methods, such as credit or debit cards, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected.

The PSR has already agreed with us that banks could to do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive on them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.


Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?

Comments

We ought to get the message out not to do anything just because a cold caller asks you to. Even better, don’t speak to any cold caller. Why are we holding back?

Indeed. Given the widespread coverage of these scams in the media, why do people still take these calls and listen to the callers?

One thing that annoys me is that when I do receive a genuine call from my bank, they are more interested in getting me to prove my identity than proving that they’re calling from my bank. They refuse to answer any of my verification questions until I’ve answered theirs. If I challenge them, then they invite me to call back on the usual number, which I know will take a long time.

I couldn’t agree more. It is the telephone scripts written by lawyers and their practise of law that makes life easy for scammers. The legal profession needs a thorough overhaul of their ethical standards.

One idea that may be particularly helpful is if all professional lawyers who draft legal agreements and “small print” should put their names to it and be personally responsible. This may push up costs through liability insurance, but no amount of insurance would protect them for being disbarred from the profession on account of a dodgy deal. No more insurance policies that can’t possibly pay out, for example and no more bogus subscription small print on product purchases.

As to the telephone, maybe the best thing is to use it for outgoing calls only. If the banks still employ staff who can read and write, then they can always send a letter.

I propose that ALL organisations using any electronic means of communication should BY LAW be forced to provide the customer with a staff code/number such that their staff member can be identified by the organisation AND law enforcement. Use of just a first name makes me mad!

Likewise surely it would also be possible to have a set of pre-answered questions for the staff member to prove to the customer that it is a genuine call?

At present it is far too easy for them to deny previous communications.
If they record calls – can the police get access without legal hassle?

Would it also be possible for the bank to install suitable software to confirm back to the customer before transmitting any funds that the address is who the customer believes it to be?

If account details like address, email, phone numbers have changed in maybe the last 3 months, large payments could be held for verification.

First Direct now have voice recognition and a 24 hour call centre. It would not be too much hassle for a text or email to be sent asking the account holder to phone up and verify the payment before it could be released.

The trouble is that it is often old people who get scammed and they are the least likely to have text and email. Perhaps it would be better that for anything over, say £200, the customer needs to phone the bank.

The PSR’s proposals are at https://www.psr.org.uk/psr-publications/news-announcements/PSR-sets-out-to-identify-pso-role-to-tackle-scams.

There seems no intent to make automatic refunds to defrauded people, unless the bank has been negligent, but work seems likely to be directed at getting more success in recovering such payments from the miscreants and their accounts. The “Terms of Reference” seem a sensible plan to address this problem and I hope consumer groups will actually take part in the development of the processes and not just comment on the outcomes. For once it also seems to be taking place in a reasonable timescale.

For those who might say this should have been done before, well these scams seem to have grown in volume relatively recently. I see no point in looking backwards unless it can teach us something; we need to now work together to get an improved system operating. But we will never defeat determined criminals – they can always stay one step ahead or develop another ruse to part the unwary from their money!

Not realising this new Conversation was coming up, I placed the following comment in the previous Conversation on this topic:

“The PSR documents leading up to the Terms of Reference are not the most digestible of tracts but the terms of reference themselves are quite well written and seem comprehensive if a little laboured in parts as they seek to cover all the bases. It’s a good first step and although neutral in tone I do detect a willingness to put the banking industry in a position where it will take new actions in order to prevent Authorised Push Payment [APP] scams – that is where an intended payment is diverted fraudulently to a malicious party – and to see what the policy should be on recovery of the missing money. The PSR will be looking at systems in other countries to identify relevant practices to defeat scams and also at other business sectors [telecoms is quoted] where fraud is identified to see what counter-measures could be introduced into the banking system. The terms of reference are due to be approved after a consultation process by the end of March 2017 with a report timetabled for the second half of the year. While the PSR credits Which? for the necessity to undertake the inquiry in pursuance of its super-complaint it doesn’t explicitly accept that it would not have done anything but for Which?’s intervention; such is the doctrine of regulatory bodies.”

There is an invitation to make a response to this document by 21 March – see Section 3.4.

As I’ve said before in these pages, I bought a BT caller ID phone for £10, and then as a very long standing Virgin customer who pays by DD, asked them to give me caller ID free-it normally costs £3 or so pcm.
They did, and I labelled all my friends etc on the phone.
I no longer answer calls that I don’t recognise, never mind withheld numbers. Anyone desperate to get in touch will eventually.

Please let us not forget very senior citizens. I try and watch over my 92 year old neighbour who receives many scam calls, including the Microsoft windows one. She does not have a computer but her phone is her lifeline and I can’t get her to agree to an ex-directory line yet. I block numbers every so often on her phone using the BT system, yet they still get through. Trouble is she is completely taken in the the “nice” callers.
I have also gone to her bank and asked what protection they will put on her account – in other words an automatic alert if any unusual transactions are tried. I was told there was no such service. Whilst in the bank another senior citizen was discussing a scam call he had received – luckily he was checking with his bank.

I agree with the previous comment, why can’t banks put an automated lock on an account if an amount above a certain limit is asked for in payment, surely they must know the average out goings of a customers account

David says:
6 March 2017

Despite many saying that we should not be taken in by the scammers , and they are very good at what they do , it is not us who control the banking system and the way in which money is diverted and disbursed so quickly.
If we were in control then perhaps the blame could rest more with us but we have no control over any of the processes within the system , whereas the banks know where they are sending funds and should keep track of them for a reasonable amount of time in case of fraud. Lets face it when you actually get to speak to someone at the bank , on the telephone , you never know who you are really speaking to anyway.
The question should be do they really care about their customers and the answer is probably no!

I have read that when transferring money using internet transfers no check is made to compare the account number with the the account name. This sounds such a basic check it should surely be mandatory.

Rogue car dealers who encourage unsuspecting customers to use bank online transfers to pay for their purchase of a used car, knowing it is harder for the customer to recoup their money when they realise they have been sold a car that is not roadworthy. Some car sales businesses are not part of any official group like ADR. Trading & Standards do little, as with Consumer Services who require the cooperation of the both parties. In my daughters case, she was sold a car that was not roadworthy, the car sales people refused to cooperate, and even though the car was TOWED back to them, they have dropped all communication with my daughter (she spent £3500 on a used ). The banks do nothing, even though when using online banking transfers, there is no warning on the banking transfer page, that this is not a suitable way to pay for a purchase which may prove to be a fraud.

John K says:
5 April 2017

My bank warned me that doing an on-line transfer of money was equivalent to handing over the money in cash in a brown envelope. It is virtually untraceable! Be warned. I was shocked. Doing the transfer via a card machine is very much safer because there is more chance of tracing it. I was buying a second hand car at the time.

For a new online transfer, to an account that’s not built-in to the system (e.g. energy companies, credit card, council tax, etc) I always do a test transfer of £1 to make sure it goes to the right person. Once they confirm they’ve got the £1, then I transfer the rest. But when purchasing anything I always prefer to use a credit card for the added protection. Buying a used car from an unknown person/dealer is always a risk, no matter how you pay them.

I would like to see better education for bank customers regarding emails, cold callers etc. With cold callers they can be very intimidating and if you are elderly or someone with little knowledge of scams I imagine it would be easy to get caught out. Perhaps a written letter from the bank to the customer outlining the problems and a helpdesk? but also I think the telephone companies have a duty of care here too, we all know from the amount of calls received by scammers of one sort or another that BT or whoever are making a mint out of allowing these call centres to operate, I don’t exactly know how to stop it but some sort of call barring (free) may be a step in the right direction.

My main issue is they ask for the bank account name to make the transfer but then they do not check this just the sort code and account number , this gives us a a false sense of security as we think if we put a company name in the account name then unless these match the payment will be declined but it doesn’t it just goes into “Fred Bloggs” account, in this day and age is that not a simple software checking system, will cost them nothing.

Account Name Verification (ANV) sounds easy, but it is actually quite complicated. For example, if you were told that the account name was “John and Anne” would that be “Jon and Ann” or “John & Ann” or any one other any number of possible combinations? If the banks used ‘fuzzy matching’ the fraudsters would exploit the ‘fuzzy ‘ factor.
That said, there are ways that the banks could and should deliver ANV – but it will take a while to agree a standard across the whole bank network, develop it and implement it.
But we mustn’t let the banks of the hook.

It’s the classic double bind: the banks compete to make online transactions quick and simple. but quick and simple is what the scammers want. I suspect two-stage authentication is needed for transfers.

At the very least an agreement has to be reached between competing banks to provide electronic confirmation of where the money is being sent. At the moment that only happens through the sending bank, which you’re told to check and then off it goes. What is needed is a system in which once you’ve selected a destination account the software then does a check to ensure that the destination is indeed, legitimate. This could entail returning the detailed business name and address of the destination.

Instant notification of any unusual activities in accounts.

Nat west put in a new system – but they sent the magic number to an old mobile phone without telling me –
i went to the local branch and the tellers had no idea about what i was talking about so until they do i have to go to a branch to transfer money – annoying

In Balcombe, West Sussex, one of our residents gave a presentation on such scams to one of the village senior citizen societies. Community help and support can go a long way to combating this problem; it’s local and hence easier than relying solely on support from elsewhere. Personally, I find such scam attempts very obvious to detect, but I know not everyone does.

Harry Robinson says:
5 April 2017

Surely, some responsibility must fall on the individual. If you lose your wallet with money in it, would you expect your bank to refund the cash inside a new wallet? If a bank transfer is involved in the scam, then it’s not beyond present technology to trace where the money has gone so that it can be retrieved by the banks.
If people only thought: I don’t know them, so I won’t pay them; then the scammers would be out of business.

Sorry Harry. I agree with the underlying point about individual responsibility but when a bank leaves the barn door open by not having an effective security system then they must be held to account.
Also, tracing the money is actually very difficult because ‘faster payments’ allows the fraudsters to disperse the money to 2nd and 3rd level accounts faster than the banks can chase it.

tried to stop my debit card because of a lapsed D/D payment by PayPal requesting payment through my bank debit card internet banking suggested I get in touch with my bank by phone ,reply was they would get in touch in next 48hrs or wait ,I waited on line for 10min.
Ironically if I reported card stolen an immediate stop would take place .

Never reveal your bank details (e.g account number, PIN, card reader generated passcode) over the phone. Fraudsters may instruct you to use your card reader, either to hand over passcodes or transfer money to a safe account, do not comply. If asked to dial the number on the back of the card, use a different phone. Find out more about vishing scams.
Scams can look and sound believable, with slick websites or sophisticated brochures and leaflets. this can make it hard to tell them apart from genuine investment opportunities, but remember if it sounds too good to be true – it probably is!

Gerry says:
5 April 2017

Use a different LINE, not a different phone ! (If the different phone is on the same landline, it won’t do you any good if the fraudster is holding your line open.)

That said, most landlines will now disconnect the incoming call within seconds if the called party hangs up.

E. Russell says:
5 April 2017

As a pensioner, I appreciate that many older people are vulnerable BUT we all are responsible for our own actions. However, I think that, at a minimum, banks MUST query any unusual transactions before actioning them.
Advice to account holders: use your BRANCH. Visit it, make yourself known to staff- and get to know them. Hopefully, if you are vulnerable, they will recognise this, and prevent the bad stuff.
Advice to banks: Stop closing branches, talk to your customers in the branch.

Andy says:
5 April 2017

I gave up my land-line years ago, as I was so weary of so called “business” calls. I make good use of the old number, though, as I put it down as my phone number on every form that demands one, and that way, my mobile number does not get distributed all over the internet, and in any case, I only answer calls from numbers on my contact list. e-mail scams, are usually easy to spot, as the link targets are different from the link labels, and are fairly obvious, in any case : it is no big deal to delete them. I did try, to forward them on to the fraud section of which ever bank was being targeted, but they invariably came back as undeliverable because of spam content, so I gave up.

The banks should get insurance to cover such eventualities, and pay customers back, and place customers, who repeatedly fall for such scams into special measures, to help protect them from their own stupidity..

The banks already intervene and ask for security verification if you try to effect an online payment by debit card above a certain amount, so why can’t they do the same for all payments?
Unfortunately this only confirms the authenticity of the sender, which if you’re being scammed, and are convinced you want to make the payment, does not add much value.
Remember the days when you had to wait for a cheque to clear before you could withdraw funds? Well if there was a similar clearing / fraud delay (say on all payments above £1000, or totalling £1000 to the same recipient in any one day) before the recipient could withdraw the funds then that would provide some window for the scammed to take some action and get their money back.
If the bank released the funds within the claering / fraud period they would then be liable if the sender claimed the funds back, due to being defrauded.
This clearing / fraud delay could either have an opt out for business, or an opt in for personal customers depending how it was implemented.

David Green says:
5 April 2017

Banks (by law) must ensure that I prove my identity and address before I can pay into my account, yet they can send my money to anyone and say it is my fault if the recipient can’t be traced.

A central database of bona fide accounts, with a trigger to alert banks and customers attempting to send funds to an unlisted account, may not eradicate the problem totally, but would at least make fraudsters traceable to some degree.