/ Money

I lost my life savings to scammers

Consumers are being targeted in a new bank transfer scam. Our guest author Emma Harper speaks out after losing nearly £20,000 to the scammers…

A pernicious type of ‘Authorised push-payment’ (APP) fraud is on the rise, where scammers, posing as your bank, attempt to trick you into giving away sensitive banking information, claiming your account has been hacked.

With this information the scammers can access bank accounts and steal your money.

Which? has been campaigning against these bank transfer scams for years, but last month their Money Helpline reported a large spike in calls about it.

Now Which? has spoken to several victims who have between them lost a staggering £350,000 to the scammers. I’m one of them.

Scammed of my life savings

On the evening of Monday 22 October 2018, I received a call from someone claiming to be from my bank’s fraud department.

The scammers were highly professional and believable. They had ‘spoofed’ my bank’s telephone number, so it looked like my bank were calling.

The man on the other end of the call said they’d received payment requests from my account.

They knew personal details about me, saying the payment requests were not from the local area where I live; they also knew I was a premier banking customer.

Guide: Help, I think I’ve given fraudsters my bank details

I said I hadn’t authorised any payments and asked if my bank account was secure – he said he would check and call me back.

One and a half hours later, a different person who called herself Katie, called back saying there had been large movements of money between my accounts. She said they were concerned that I was being scammed.

I was driving at the time, she said she would call me back when I was home – because, in an attempt to appear professional, she said it was bank policy not to speak to customers when they were driving.

When I got home, she called back and said to secure the account, I needed to give them some security details.

I was in a real panic at this point. I thought they were my bank – they knew where I lived, they knew I was a premier banking customer, and they had cloned my bank’s telephone number – I thought I was having thousands of pounds stolen. So of course I told them my details to try to stop this.

Accessing your accounts

First they asked for my telephone banking pin. I hadn’t used telephone banking for years, and gave them one number that I think may have been incorrect. They knew this, and said the pin was wrong.

They panicked me further by saying I only had one more attempt to secure my account.

They then asked for three digits of my nine digit online banking password, which I gave them.

To reassure me that the account was secure, they asked me to log on to my online bank account, which I did via Google and selected the main bank website. I never doubted that I was logging onto the legitimate site.

She said, ‘as you will see the account has been suppressed’ – and I could see the money had been moved internally within the accounts.

To stop the money going out of my accounts, she said, they needed to close the accounts down and transfer the money into an ‘internal safe account’.

Stealing your money

I was asked to make a payment to a payee, with the same name as me, and enter a specific figure: £19,756.

At no point did I enter any account number or other details – these had already been input by the scammers. I then authorised that figure using my card reader.

I was sent a text 14 hours later by my bank, advising me that there had been unusual online activity on my accounts. I then contacted the fraud department myself. I said to them I’d already dealt with the unusual online activity the previous evening. It was then they told me I’d been talking to scammers.

Scam aftermath

The scam has been life changing. I was in trauma initially and then became ill resulting in a cancer scare, which thankfully, was cleared before Christmas.

There are thousands of people like me who are currently falling victim to sophisticated scamming techniques.

My bank claims I authorised the payment and therefore refused to give me my money back. In my opinion, they took no responsibility for the scam and did nothing to protect my money.

In fact, 12 months previously my savings account had been hacked, and the bank had provided no information about how this had happened.

My bank claims that it uses a risk-based approach when deciding if a payment is suspicious. In my case: a new mobile device was registered, a new payee set up and the account effectively emptied within 20 minutes… and I’d been hacked 12 months previously. Sound suspicious? Apparently not.

It took my bank 14 hours to inform me of unusual activity on my account, making it impossible to recover any monies from the beneficiary bank account.

Banks need to do more to protect their customers and prevent fraud – because as it stands, when you are victim of the APP scam, you feel you are totally alone.

This is a guest post by Emma Harper. All views expressed are Emma’s own and not necessarily those also shared by Which?.

Have you been contacted by scammers claiming to be your bank? What do you do if fraudsters call you up? Do you think banks need to do more to protect their customers?

Comments

Perhaps a useful template starting point:

Michael Dominiak says:
26 January 2019

I am a Luddite and do my banking the old fashion way by going into a branch.
After reading Emma’s story it would appear that the system the banks wish their
customers to use is not fit for purpose and they should bear responsibility
when scammers are able to manipulate the system. How did the scammers have so much
info about Emma. It makes me wonder if people at the bank’s call centres are selling
customers details, scammers have someone on the inside or are bank call centre workers being coerced into providing this information.

I think it’s fair to assume that insider knowledge is behind at least a proportion of these scam attempts. But banks are notoriously reluctant to admit to this.

In 2016 the Sunday Times ran an investigation which stated “The full scale of fraud committed by staff at Britain’s banks is being swept under the carpet because the financial giants can simply dismiss the culprit and never tell the police, a senior detective warns today.” They found that about 50 cases were reported to police every year and many more were kept secret by the banks themselves.

In the same period the Telegraph reported that fraudsters behind a £113 million international money laundering ring had conducted one of Britain’s biggest ever cyber scams cold-calling bank customers.

The criminals, who targeted Lloyds and RBS business banking customers, made between £1 million and £2 million a week at its peak and operated like a nine-to-five business.

Police believe they were using information from corrupt insiders. No insiders from within the RBS banking group were discovered, but three Lloyds insiders have been convicted.

From Birmingham Live: “This month a crooked bank worker and his accomplice have been jailed for trying to rope RBS colleagues into a £200,000 fraud scam. The duo were jailed after attempting to recruit bank staff they played football with into the plot. Dilbaagh Singh-Derewal, 24 of Acocks Green, pleaded guilty to bribery and was sentenced to two years and six months in prison.”

These, however, are the ones we’ve been told about. It’s likely many more are happening and we know nothng about them.

DerekP says:
27 January 2019

I’ve worked in at least one (if not two) workplaces where staff caught committing fraud were dismissed but the matters were not referred to the Police for prosecution. Neither place was a bank, but fears of the effects of bad publicity on the reputation of those companies seemed to work against any desires to prosecute the offenders involved. That said, the offenders were sacked in all cases.

Mike Dominiak says:
27 January 2019

The £800,000 Bank of Scotland Auchterarder embezzlement case which happened last year is very interesting as the bank employee was cleared. How can one move large sums of money without adequate I.D. and checks being carried out.
I purchased a car in 2016 and moved funds from my savings account into my current account. I had to go through hoops to prove who I was despite the teller having known me for over 30 years.
Again look what happened to Gloria Hunniford a few years ago.

Mark says:
27 January 2019

These people are common thieves and should be hit with the full force of the law including full confiscation of all assets to pay restitution. Any bank staff who are implicated in it should have the same sanctions applied unless they can show they acted under extreme coercion (which sadly can be the case), in which case the charges against those threatening them should be very serious and penalties suitably severe.

Steve C says:
27 January 2019

I cannot understand how the banks cannot reclaim the money back from the scammer with a high degree of success. The receiving bank have make checks on who owns the account with id, I realise some id will be bogus, but that will be down to the bank not properly checking the details, and therefore the receiving bank should be liable if the money is not recoverable.
In any case, any physical handover will include fingerprints, which, again with video at a physical branch should help catch the perpretrator.
If it is done online, then the IP and other details should be able to be traced.

Insted, the onus is on the sending back shrugging and holding up their virtual hands.

It’s outrageous

I was scammed out of a 5 figure sum (the first number – a 2) several years ago. Thanks to help from the good people at Money Which? (Debbie Carter, if my memory serves me correctly), I got it all back. Needless to say, the refunded money was moved straight out of the accounts (by me, this time!) and they were closed. I have never had an account with Santander since, nor would I and the number of times their name appears in such stories I would not recommend that bank to anyone. The high interest rates they pay (a risk premium, perhaps!) are not worth it.

derek says:
28 January 2019

As a which consumer i am rather baffled by how easily people are scammed. Its well known by now and the stories you hear especially from Radio 4s money box series that these scams are carried out. I for one will not be duped into any scam as i am very much on my guard and against these issues. People must be more alert to these scammers. I Did have a person try it on me but i just kept them on the phone and wound them up and i really enjoyed it and it made my day, they will never scam me!

I hope you never get scammed, Derek, but many people who thought they were impervious to scammers have been defrauded by sophisticated criminal techniques that have deceived them. By guile, these people are well-versed at getting under people’s natural defences; they rehearse day and night and cultivate a reassuring manner; they have practiced their spiel on everyone they have called before you; they have the element of surprise and are so convincing that the person called is taken in completely. They often use information that the target thought only they knew, thus luring the victim into a trap, sometimes with pretend urgency or false jeopardy to provoke a quick response of personal data.

None of us are immune, Derek, and tomorrow’s story will be different from today’s so it is difficult to prepare yourself or know you can always defeat them. Many extremely clever and sure-footed people have been exploited by scammers so I am glad that you are always on the alert.

Martin Camble says:
28 January 2019

Sorry but the banks make it very clear that there are absolutely no conditions under which they will ask you for any on-line-banking PIN number/password and anybody who discloses such information to a telephone caller may as well just toss their money out the window. This is not new, these scam have been around for years. They have become more “professional”, but essentially it’s still the same scam. The rules are simple. Never, ever disclose password or PIN information to anybody who calls you and never accept a phone number or a URL from a caller. Always hang up, wait a few minutes and then call the bank directly yourself (preferably from a different phone) on the number that you always use (and which is usually printed on the back of your card or can be found from the official website). Wake up people, the banks cannot be held responsible for our errors of judgement, it’s up to all of us to protect ourselves.

I wonder if it would help if banks etc. used the terms ‘secret PIN’ and ‘secret password’ to make it blindingly clear that they must never be passed on to anyone.

DerekP says:
28 January 2019

As reported by myself and others, some bank departments have been known to cold call customers and then attempt to ask for some of that secret data, as a means for confirming that they’d actually reached the target customer.

I know that if I call the bank I am asked to disclose selected characters from the secret data when going through security checks, but I have initiated the call rather than received a call. That seems fairly safe since I call the correct number rather than one mentioned in an email or a phone call. I’ve had emails from the bank but never a nuisance call. If my bank cold called me they would get one warning and if they did it again they would probably lose me as a customer.

Mike Davies says:
28 January 2019

I agree totally with Martin. Banks cannot be held responsible for account holders passing confidential information to telephone callers. This sort of fraud has received huge publicity over the years and whilst one has considerable sympathy for the victims, if the customer failed to check with their bank they must accept responsibility.

DerekP says:
29 January 2019

I get what Martin and Mike are saying, but I do look to my bank to help keep my money safe, in this real real world where account holders are only human and thence also fallible.

Previous convos have discussed the problems that occur if we expect banks to take to sole responsibility for this.

I don’t expect my car insurance company to drive my car safely for me, but I do want them to help in the event that I mess that up.

Mark Baker says:
28 January 2019

Perhaps if the receiving bank were held liable for a percentage of the sum lost they would take it more seriously. How is it that accounts can be set up and then emptied so easily without flagging up fraud alerts at the receiving bank? Why do we never hear of instances where someone is caught? Surely with large sums questions about money laundering would require checks. A time lapse ban on removing funds of 24/48 hours would allow blocks to be put in place and funds recovered.

I wI agree. I would rather have a delay in payment than risking my account being emptied by a fraudster before any action can be taken to identify and investigate possible crime.

DerekP says:
29 January 2019

In looking at the threats posed by scammers, we may need to recognise that they are organised criminal networks, in which successful scams – like the ones reported above – may actually use data drawn from a number of different supporting scams.

In many scams, the objective is to access the victim’s bank account. Hence, persuading them to log in to their internet bank is a common mode of attack.

Would you like to know more?

If so, here are links to the three parts of a Jim Browning video about bank login scammers:

youtube.com/watch?v=g5X9ZSXb7xI

youtube.com/watch?v=ucqli5i29jo

youtube.com/watch?v=kx-s2o1yWxk

Furthermore, the below account of an attempted scam against an elderly/disabled couple should not leave us in any doubt about the sort of people that operate these scams:

youtube.com/watch?v=7q9Nqo71-kQ

Would you like to know more?

A superb film, which brilliantly exposed the American critics’ inability to comprehend satire and subtlety. One of the funniest films of that decade.

DerekP says:
29 January 2019

Thanks Ian. I really enjoy that film too.

Jerryw says:
29 January 2019

All of these scams are very easy to defeat, by simply not believing anything *any cold caller* says to you. If you want to pursue the matter, just phone the bank back yourself, using a different phone if you have one and – important – using a number you have found yourself .. all cards have a phone number on the back.

DerekP says:
29 January 2019

Jerry, you sound quite convincing but I still don’t quite believe you 😉

Clive Mitchell says:
29 January 2019

If I had problems getting through to my bank’s fraud department as some have mentioned, the first thing I’d do is look at the top of Which’s list of best banks and move my account there. A bank which doesn’t give immediate priority to fraud-related calls (a time of high emotional stress and concern) isn’t really fit to be looking after your money.

There is more that banks could do in the face of rising fraud attempts. Like facilitating your own immediate freezing of your account through your online banking until such time as you ask for an emailed code to unfreeze it.

Why can’t they give you the option of setting your own limit (£2,000 for example) on the maximum amount of any single transaction over which amount the bank generates an automatic email requesting your specific authorisation of the transaction?

DerekP says:
29 January 2019

Clive, many banks already require specific secondary authorisation (e.g. via phone or text) of any payments to new payees.

Banks usually also require secondary authorisation for any login from a new / unrecognised device or location.

These factors prevent scammers from logging in to our accounts, if they have our account details and passwords, but not also our mobile phones (etc.).

If scammers have compromised a user’s PC, then they’ll quite likely have access to the user’s email, so secondary confirmation via email won’t then be a highly robust security measure.

In contrast, voice calls and text messages are more diverse technologies and are therefore also less likely to become compromised at the same time as a user’s PC. [Unless, of course, the “PC” in question is also the user’s mobile phone. That’s one reason why I don’t use my phone for internet banking.]

Which? Money mag Feb have a feature on card fraud with a piece headed “I couldn’t believe how easy it was for them to get my PIN”. One “victim” was filmed entering her PIN in a supermarket – we are warned to shield the terminal at these, ATMs and other places to prevent the PIN being noted. The other used the same PIN for his gym locker and his debit card; again seen by a thief who stole his card and made use of it.

Perhaps I’m on my own, but how can a card provider or bank be held responsible for this sort of behaviour? Should words not fail me…? Customers, as well as financial institutions, have to behave responsibly. The danger of making banks responsible by default is that it will make (some? many? )customers more careless if they know they will automatically get refunded, as with any scam.

Advice often given here when transferring money online to a new account/payee is to initially move £1 and then check with the recipient at a genuine contact address or by phone that the money has been received. Then transfer the balance using the details stored in your account.verified

DerekP says:
29 January 2019

Malcolm, I don’t think banks should be held fully liable for each and every potential kind of attempted (or actual) theft of their customers’ money.

But, I think a good bank ought to do as much as possible to help customers keep their accounts safe.

We tend to forget the human condition and the reaction experienced when receiving a telephone, call out of the blue, informing us that our bank accounts and life savings are under threat.

Once you are targeted, scammers first aim is to instil fear, anxiety, panic and scare the living daylights out of you when all rational thought is immediately compromised and you then become putty in their hands. Its all very well to become wise after the event if you have not been a victim and not experienced the angst that follows when someone purporting to be from your Bank, whether a genuine caller or not, tells you your life savings are about to disappear into cyber space.

I agree Banks could do a lot more to warn account holders of impending scams and to bring to justice the bad apples among their staff who are able to walk away with confidential account details of hundreds of unsuspecting customers.

As long as these thieves continue to target their customers and Banks refuse to refund monies lost, Banks will remain, paradoxically, protected from the old robberies of bygone days when `smash and grab` at their branches used to be the name of the game but at the same time an unwitting accessory to the act of theft. Legal loopholes it seems are lurking everywhere these days!

DerekP says:
30 January 2019

Beryl, I agree completely with what you’ve just said.

That’s why I think need defence-in-depth against scammers, so that we are not completely reliant on any single line-of-defence, such as, for example, the “ABC” response kit, as outlined above.

I concur, both. Scammers are examples of social engineering at its worst. And for older folk it’s also easy to forget that the ‘phone ringing suddenly is often associated with emergencies. I remember relatives who would positively leap out of their chairs when the ‘phone rang, treating it as an imperative of the most forceful kind.

There have been some really intelligent and useful suggestions in this topic, including Alfa’s cartoons, the ABC method for avoiding being scammed, the Golden rules (which I summarised on page 1 in the form of a credit-card graphic) and some outstanding contributions from industry insiders.

I also suggested that W? could usefully issue the credit card idea to all its subscribers – something they’ve done before with the Sale of Goods Act.

Any thoughts, Which??

I know many people who continue with “traditional” banking and have chosen not to do it online. I was in this category until a few years ago. Presumably they are relatively immune from most scams as the offer to send a cheque to the scammers postal address may not please the scammer.

Using on-line banking does require a degree of confidence, knowledge, common sense and care; ensuring you don’t insert incorrect account numbers, check the destination of requested payments is to whom you intend, for example. So it may be those who begin to fail a little should consider what form of banking is most suited to their abilities; family could advise and banks could take a part in this. It might be worth restricting the amount they keep in a current account from which immediate on-line transfers can be made to ensure if there is a loss, it is minimal, and to give time to reflect if money has to be moved into the current account before a payment can be made.

Vera Kelly says:
13 February 2019

I was contacted by a “policeman” saying he had my grandson in custody for using my bank card- which was impossible. He was very helpful and said there must have been a fraud on the bank card and to contact my banks fraud dept. immediately which I did. The fraud dept said I had done the correct thing and took my details. The only thing that sounded a bit strange was as we hung up the fraud person said please dont use your phone for five minutes. I then phoned back the fraud dept and got a completely different person who said they would never have asked for my details over the phone- seems that the “Policeman ” just kept the line open so when I thought I was ringing the fraud dept I just went straight to the scammers. Luckily I was quick enough to stop my account – but if the ” fraud ” person hadn’t made that throw away comment about not using the phone I would have thought everything was sorted. They are getting very clever and convincing- now I never give any details over the phone.

Gordon Nurse says:
14 February 2019

I have been victim of an almost identical scam. I traced the money to a Starling Bank Account within 30 minutes of the scam — and I am sure that the person I spoke to could see my money in the numbered account I told him. But subsequently Starling Bank has said it can’t recover the money. The Bank should have frozen the rogue account immediately. What can I do?

Funny how we are not getting to the real problem here which is why are the police not catching the criminal scum and locking them up for a considerably long time? Or have we just given up on the police and expect the banks to compensate people for their naivety and lack of vigilance?

Possibly for the reason the police don’t catch many conventional thieves, nor trading standards many defective products and traders. We don’t provide sufficient funds to support them.

Which? has issued this press release today:
https://press.which.co.uk/whichstatements/which-responds-the-app-scams-voluntary-code-publication/
“Which? responds the APP Scams voluntary code publication
28 February 2019
Gareth Shaw, Head of Money, Which?, said:

“Two years since our super-complaint highlighted a lack of protection for bank customers, the publication of this code is a significant step – …………………………………………………….

I can find no link in the press release to the code. Here it is:
https://appcrmsteeringgroup.uk/wp-content/uploads/2019/02/APP-scams-Steering-Group-Final-CRM-Code.pdf

I would like all Which?’s press releases that cover other peoples announcements to include a link so we can see exactly what was announced. It rarely (never?) seems to happen.

@abbysempleskipper, Abby, do you think the Press Office could do this in future?

“TSB will refund ALL scam victims – even if they gave details to fraudsters”
https://www.which.co.uk/news/2019/04/tsb-will-refund-all-scam-victims-even-if-they-gave-details-to-fraudsters/

This is an interesting development – maybe they hope to attract more customers with this pledge. Customers who will, in the end, pay for the refunds of course out of their loss of savings interest, higher overdraft charges and loan rates perhaps.

Or, perhaps they are confident that the way they, TSB, handle account transactions, the extra security measures they might introduce, will reduce the problem to insignificance. Which is really the outcome I’d hope for.

My worry whenever we compensate people for their own mistakes is that we remove some of the incentive for us to be careful in what we do – “no matter if this might be a scam, I’ll risk it but get my money back if it is.”

It will interesting to see which other banks follow this policy.