
I lost my life savings to scammers

Consumers are being targeted in a new bank transfer scam. Our guest author Emma Harper speaks out after losing nearly £20,000 to the scammers…

A pernicious type of ‘Authorised push-payment’ (APP) fraud is on the rise, where scammers, posing as your bank, attempt to trick you into giving away sensitive banking information, claiming your account has been hacked.

With this information the scammers can access bank accounts and steal your money.

Which? has been campaigning against these bank transfer scams for years, but last month their Money Helpline reported a large spike in calls about it.

Now Which? has spoken to several victims who have between them lost a staggering £350,000 to the scammers. I’m one of them.

Scammed of my life savings

On the evening of Monday 22 October 2018, I received a call from someone claiming to be from my bank’s fraud department.

The scammers were highly professional and believable. They had ‘spoofed’ my bank’s telephone number, so it looked like my bank were calling.

The man on the other end of the call said they’d received payment requests from my account.

They knew personal details about me, saying the payment requests were not from the local area where I live; they also knew I was a premier banking customer.


I said I hadn’t authorised any payments and asked if my bank account was secure – he said he would check and call me back.

One and a half hours later, a different person, who called herself Katie, called back saying there had been large movements of money between my accounts. She said they were concerned that I was being scammed.

I was driving at the time; she said she would call me back when I was home – because, in an attempt to appear professional, she said it was bank policy not to speak to customers when they were driving.

When I got home, she called back and said to secure the account, I needed to give them some security details.

I was in a real panic at this point. I thought they were my bank – they knew where I lived, they knew I was a premier banking customer, and they had cloned my bank’s telephone number – I thought I was having thousands of pounds stolen. So of course I told them my details to try to stop this.

Accessing your accounts

First they asked for my telephone banking PIN. I hadn’t used telephone banking for years, and gave them one number that I think may have been incorrect. They knew this, and said the PIN was wrong.

They panicked me further by saying I only had one more attempt to secure my account.

They then asked for three digits of my nine-digit online banking password, which I gave them.

To reassure me that the account was secure, they asked me to log on to my online bank account, which I did via Google and selected the main bank website. I never doubted that I was logging onto the legitimate site.

She said, ‘as you will see the account has been suppressed’ – and I could see the money had been moved internally within the accounts.

To stop the money going out of my accounts, she said, they needed to close the accounts down and transfer the money into an ‘internal safe account’.

Stealing your money

I was asked to make a payment to a payee, with the same name as me, and enter a specific figure: £19,756.

At no point did I enter any account number or other details – these had already been input by the scammers. I then authorised that figure using my card reader.

I was sent a text 14 hours later by my bank, advising me that there had been unusual online activity on my accounts. I then contacted the fraud department myself. I said to them I’d already dealt with the unusual online activity the previous evening. It was then they told me I’d been talking to scammers.

Scam aftermath

The scam has been life changing. I was in trauma initially and then became ill resulting in a cancer scare, which thankfully, was cleared before Christmas.

There are thousands of people like me who are currently falling victim to sophisticated scamming techniques.

My bank claims I authorised the payment and therefore refused to give me my money back. In my opinion, they took no responsibility for the scam and did nothing to protect my money.

In fact, 12 months previously my savings account had been hacked, and the bank had provided no information about how this had happened.

My bank claims that it uses a risk-based approach when deciding if a payment is suspicious. In my case: a new mobile device was registered, a new payee set up and the account effectively emptied within 20 minutes… and I’d been hacked 12 months previously. Sound suspicious? Apparently not.

It took my bank 14 hours to inform me of unusual activity on my account, making it impossible to recover any monies from the beneficiary bank account.

Banks need to do more to protect their customers and prevent fraud – because as it stands, when you are victim of the APP scam, you feel you are totally alone.

This is a guest post by Emma Harper. All views expressed are Emma’s own and not necessarily those also shared by Which?.

Have you been contacted by scammers claiming to be your bank? What do you do if fraudsters call you up? Do you think banks need to do more to protect their customers?

Comments

Extremely sorry to hear this, Emma, and I believe you’ve been courageous in writing this topic header. Thank you for that.

Normally, when reading accounts like this it’s always tempting to say “Well, if you’d done so and so…” but in this case it was clear that the scam was exceptionally sophisticated. They clearly knew an enormous amount about you and their behaviour – the comment about policy not to call customers when driving, etc. – only served to validate their activity in your eyes.

It does serve to reinforce the fact that you can no longer believe the word of anyone who calls you out of the blue and whom you don’t know personally.

A very similar incident happened to me a few weeks ago. Someone from the bank’s fraud team called and asked me to complete the missing bits from some security details. I told them I wasn’t prepared to give them any such information, and I’d telephone the bank myself.

As it was, it concerned an issue I was having with an online retailer who’d charged over the odds, and the bank was – to put it bluntly – making a pig’s ear of the thing. But I think what concerned me the most was you saying you’d looked up the bank’s site on Google. That a site had been created that was clearly fraudulent seems an indictment on the lack of care of the search engine itself.

The fact that the scammer knew so many of your details might well have been down to the previous scam / hack you suffered. Whatever the cause, it does serve to undermine further any faith we might once have had in the ability of banks to keep our money secure.

Thanks for sharing, Ian. In your case, was it actually the bank calling you up to ask for security details? Seems a bit of an oversight on their part if they do do this – it just invites scammers to attempt the same surely.

It was the bank, indeed. I’ve long had an issue with this: they call the customer and then provide some of the security info and ask for the remainder to be completed. I suppose their only other recourse is to ask you to ‘phone them. But that would be safer.

Some years ago I was advised to use a separate browser for banking and to make the bank’s portal the home page of that browser. Possibly some of the best advice I ever had.

I wonder what can be done to recover Emma’s money. Why did the bank take 14 hours to notify her of the unusual activity? I suggest that this should be investigated and maybe the bank should take some responsibility for the loss.

Where large sums are involved, perhaps there should be a delay during which the customer could be notified of the planned withdrawal, allowing action to be taken to stop a fraudulent transfer.

I have just set up a new payee for online banking and even before logging out I had received a text message to say to contact the bank urgently if I did not do this. Fortunately, no phone number or email address was given. Perhaps if Emma had been notified before the money had been transferred the scam would have failed.

In the past, I’ve also had intrusive marketing and sales calls from my bank’s loans business. Having cold called me, they then asked ME to authenticate who I was. I told them to foxtrot oscar and then raised a formal complaint.

Sierra India Uniform Yankee Alpha is my usual response…

Mark says:
27 January 2019

I always tell them that I will call back in such cases, dialling the number I have checked myself. Never any problem with that. Anyone who said that isn’t possible is a scammer, or if anyone from the bank told me that I would immediately report them to their own internal audit department.

I think that most banks will automatically seek prosecution for any member of staff who is dismissed for fraud related activity now. Whether the authorities actually do it is up to them….

I have had an increase in cold calling recently, often the same times of day and with the same background sound. I hang up immediately so have never found out what they wanted. It is difficult to know exactly what to do if someone uses your name and starts a conversation about a possible bank fraud. Hanging up doesn’t prevent the need to investigate further. Phoning the bank might just be phoning the criminals if they have some way of keeping a connection alive. Phoning the bank on another phone means talking to the fraud department and that, in turn, might mean a temporary freezing of one’s accounts while investigations are made. In the case above it seems that the criminals had considerable detail to work with and in that case, it would probably mean closing and re-opening accounts to clear the stolen data from the system. I would do this face to face rather than on line or by phone, but would be very cross at the time wasted, the temporary unavailability of my banking and the need to write to everyone with whom I have financial dealings. I would also be cross because it was not I that provided the fraudsters with this information in the first place. As I have said many times, catching these people will help, but they seem to have the advantage and thus their criminal activity succeeds.

The biggest flaw in the scammers’ tactics appears to be the implausibility that a bank needs action by the customer in order to move money between accounts under its control. What reason did the scammers give for their inability to move the money themselves to the “internal safe account“?

NFH, I agree with that observation, but the art of the scam involves manipulating the victim so that pressure of moment enables the suspension of disbelief.

A few years ago, I remember a vaguely similar scam went down, after a colleague’s bank cards were pinched at a conference.

In that case, the scammers started by contacting the bank and somehow used the stolen cards to gain additional account data. Then they phoned the victim, posing as his bank…

They’re mighty tricky, these…tricksters. And very convincing.

Sorry to hear your story Emma.

Some time ago, I suggested getting kids to act short scam scenarios and slot them into popular TV programs to help those less informed recognise scams.

Here’s one I made earlier:

There are kids film clubs, maybe school projects, many have smartphones and the above scenario could easily be created at home. I know several elderly people who would love to watch them. Looking out for new ones as they sat down to watch Strictly would maintain their interest and drum in the message. The more natural they are, probably the better, but the key would be variation.

Emma, if you had seen scenarios like yours, do you think you would still have been taken in?

Bit of a pity that they got rid of the Public Information Film office, since that would have been ideal.

Any chance our moderators could kindly insert a missing “L” into the 11th word in my opening comment, above?

Gladly 😂

You’re too kind… 😶

@oscarwebb – remind me to take a look at the filtered words list… 😉

Emma, sorry to hear of this, but thanks ever so much for sharing the story.

It would be great if the bank admit to some liability in your case and/or provide some explanation as to how your details were compromised.

Sharing the lessons learned may also help others avoid similar scams.

I find it hard to believe that the scam in Emma’s case did not involve the fraudulent misuse of customer details by a bank employee.

Indeed. This is something which I’d bet is on the rise.

Yes, I agree that banks should do more to protect their customers, but at the end of the day they make it quite clear that they will never phone you, so really the onus is on us, the customer, to make sure we do not divulge any details to anybody ringing us up and asking for them. The main problem is in trying to contact your bank. I live in Spain and there is a separate number for people ringing from overseas, but it makes no difference to the time you are kept waiting. In the last year, after ringing the customer service line and being kept waiting once for 15 minutes and secondly 25 minutes before the call was answered, I have then been put through to the fraud Dept. On the last occasion I waited 15 minutes before the phone was answered and on the first occasion I gave up after 30 minutes. On both of these occasions there was no scam involved, but if there had been, my account could have been emptied due to the bank’s lack of urgency in answering the phone. Since moving from the U.K. I have twice had cause to complain and have received compensation, although on the last occasion money just appeared in my account with the tag compensation and no other explanation or apology. I have suggested to them that they employ more staff to expedite customer queries in a speedier manner, but this suggestion seems to have fallen on deaf ears. Thankfully I have never been scammed, but if I did fall victim, I hope it would be dealt with a lot quicker than it does at present.

I don’t have a problem with my bank phoning to say that there is a problem provided that the request is simply to contact the bank as a matter of urgency. It’s unacceptable to be kept waiting if you are trying to report fraud or responding to a phone message requesting you contact the bank.

Hey William,

‘They make it quite clear that they will never phone you.’

This might be true of some banks, but as Ian posted above: some banks do call their customers.

If my bank spots an unusual transaction on a card it contacts by automated text or call to check whether the transaction is legitimate. The card will be blocked until a satisfactory response is received.

It might be useful if UK Finance were asked to comment on what is being said.

My bank allows you to set your contact preferences. We have no mobile signal whatsoever, and emails may not be seen, so we opt for ‘phone. That doesn’t stop me from giving them a hard time when they do, though, and ask me to confirm who I am.

The big question is why they don’t extend the voice ID protocol they use for the account access to the fraud people – or maybe they don’t entirely trust the Fraud gang?

If First Direct call, we always say we don’t go through security when we haven’t instigated the call.

Their answer is always no problem, a note is put on the account and told to call our usual number. If the call needs to go through to a specific department, they will tell us. There never seems to be a problem with someone else picking up the call, so any handover software must be good.

That’s actually a very sage and sensible response that most could be taught to use. We know scams work by exploiting time pressure and fear in the recipient, but if folk could be taught that when called out of the blue a sceptical response will almost always serve them better.

I recently had to transfer large amounts to pay for a new car. I started the transaction on line, but the bank (Lloyds) asked me to call them before they would allow the transfer. They then took me through some quite rigorous checks that the account to which I was making the transfer was valid. Once they were satisfied, they then allowed the transfer. Although I did not like the hassle, I really did appreciate their proactive steps to make sure that I wasn’t being foolish.

That does sound good, Brian.

Communications from my bank regularly include the following warning, among others:

Beating fraud together

We’ll always do everything we can to keep your money safe from fraud, but there are also things you should be aware of. We’ve outlined the most common ways fraudsters may try to contact you below:

By email: asking you to either update your details using a link, or urging you to log in and check a recent transaction, or transfer money to avoid a penalty or financial loss. ********* and other genuine organisations will never contact you out of the blue by email, asking you to update your information or log directly into the Internet Bank.

By phone: pretending to be from a trustworthy company. They’ll usually ask you to log in, move money, or provide card reader codes or one-time codes over the phone. ******** and other genuine organisations will never contact you out of the blue by phone asking you to provide your PIN, card reader codes or one-time code. We’ll never ask you to move money to another account for security purposes.

By text: pretending to be from ******** advising you that there have been fraudulent transactions on your account. The text will ask you to call a non-******** number in a bid to trick you into providing card reader codes over the phone. ******** will always include the last four digits of your card number in our text messages involving suspicious transactions.

Malcolm, I think those are useful pledges for a bank to make.

That said, relying on customers to remember them is a weakness.

One potential counter to that might be to issue or acquire such notes on credit card sized items that could be carried with one’s bank cards. (For example, I already carry my car breakdown cover details in this format – in case I ever need them.)

NFU issues these details on a credit card sized reminder.

The February 2019 issue of the Which? magazine has an article about banks and online fraud and points to significant differences in how well different banks handle different aspects of security.

I haven’t had any of these calls yet – but if I do get one I would just say to the caller “I’m on my way into town and I can be in the bank in 10 minutes and I will sort it all out there in branch – good-bye”. I am also aware that it is not possible to disconnect an incoming call – so I would not try to call my bank using the same phone – in case the line was still open to the scammers who may be expecting that to happen and could have recordings to mimic the tones of a call being made (dial tones, ringtones etc.).

A very sad and sadly all too common story. If we (as a population) persist in using on line banking (and I am the first to admit it brings some real benefits), we open ourselves up to increased chances of fraud. It is a choice we all (sometimes unwittingly) make when we use these facilities. It is for this reason that I have chosen not to use such accounts and, at the risk of seeming like a Neanderthal, persist in using banks in the traditional manner (much to the annoyance of the staff who endeavour to push us all in a digital direction). Working as a volunteer for Citizens Advice and reading the press, the cases of such fraud are sadly all too common. I would make one observation that has been missed:
The bank has control over your account. It can freeze it and stop payments. If a caller purporting to be from your bank tries such tricks, the response should be, ‘Thank you for alerting me to this. As you are clearly satisfied that you are speaking to the authorised account holder, you have my instruction to freeze my account, and I will contact you again later to sort matters out. Please text me to confirm my account has been frozen.’ Then at your leisure you can ‘test’ to see if your account is still operating normally. If it is, the chances are that you’ve thwarted a potential scam, if it is not YOU should contact your bank at the earliest opportunity to report and sort matters out.

The response should be, ‘Thank you for alerting me to this. As you are clearly satisfied that you are speaking to the authorised account holder, you have my instruction to freeze my account, and I will contact you again later to sort matters out. Please text me to confirm my account has been frozen.’

Then at your leisure you can ‘test’ to see if your account is still operating normally.

Excellent advice, Christopher. Should be printed on a card and given out by every bank to its online customers.

PCs are complicated enough, even for those who don’t use online banking, so it is very easy for non-expert PC users to be bamboozled by scammers. In such cases – including Emma’s – we should be clear that all of the blame lies with the scammers.

That said, we must all remain on our guard, because scammers can be very persuasive and very persistent. This is shown in the YouTube clip linked below. At least that time, the scammers met their match…

youtube.com/watch?v=poUws4y6vro

Steve says:
26 January 2019

“The bank has control over your account. It can freeze it and stop payments. If a caller purporting to be from your bank tries such tricks, the response should be, ‘Thank you for alerting me to this. As you are clearly satisfied that you are speaking to the authorised account holder, you have my instruction to freeze my account…’ ”

Yes, this is excellent. The bank already has control over all its customer accounts, and can freeze them at any time if fraud is suspected. The bank does not need the customer to log in or provide passcodes for this. It does not need the customer’s permission at all; every bank’s T&Cs will include a clause for fraud prevention.

The fraudsters caught Emma by pretending they were powerless to intervene, and they could only watch as money was being stolen from her account. In the cold light of day this is obvious nonsense, but their scam was sophisticated and subtle. Repeated calls and delays to build her anxiety, and a false sense of urgency at the critical moment.

I agree with other comments that Emma was probably targeted with inside info. These scammers have access to some details of high-value customers, and they knew how to mimic the style and jargon.

Brian in Oxford says:
26 January 2019

I understand that phone network providers have a policy of not clearing a call for 2 or 3 minutes after the recipient has terminated it. Surely if a call was cleared immediately it would prevent the invitation to call your bank or whatever going to the scammer. Why do the phone providers not take this simple step?


As with everyone else commenting, I’m sorry that you were caught out by these scammers. It’s worrying that they can sound so professional, as whenever I’m contacted by GENUINE people from my bank, I’m asked to give 3 digits of my online banking password to verify my identity, and I don’t give it a second thought.

It does appear that they had access to your account already – as they were able to move money internally between your accounts. I’m assuming this was done BEFORE you gave them the 3 digits from your password – however, they could have just been asking you for details to enable them to log on! From the sound of it, when you logged on via Google you WERE going onto the genuine banking site – with the activity you saw having been completed by the fraudsters before you logged on.

You mentioned a card reader – so it sounds like you bank with a company I used to provide it support for. The card reader is the best security you can get for an account, as it stops payments being made to new payees unless you use your bank card and enter a code on the device. Unfortunately, you were so rattled by being told that your savings were being stolen that you then used this device to authorise the payment – thereby bypassing the security it was there to provide. So while I sympathise with the way you were tricked by the extremely professional fraudsters, I can understand why your bank would not have blocked the payment; unlike a dubious card payment (where your card could have been cloned/stolen), this was an online payment which had been verified by a PIN-protected card reader!

I guess all we can do to get some positives from this is to try and warn/protect others, which you are doing with this story. So thank you for that. I guess the main things to tell people would be:

1) If you’re called out of the blue, DON’T give out details which could grant access to your accounts.
2) Banks will NEVER, NEVER, NEVER ask you to move money around to prevent a fraud, assist in their investigations of one, or to try and ‘catch’ the fraudsters. It’s just not something that needs to be done (and if it WAS needed, the IT department or senior bank staff would sort it out without needing you to help).
3) If banks think fraud is happening, they will ask you to verify transactions. If you can’t do this, they are quite capable of putting a ‘block’ on the account to prevent further transactions. They don’t need to ask you for any PINs or passwords to do this.

David Taylor says:
26 January 2019

There is a very simple solution to avoid being scammed.
Step 1. Whether it’s a phone call, email or text ignore it. IGNORE IT. Put the phone down, do not respond to email or text.
You are not going to lose anything and if they are asking for information it’s 99% a scam.
Step 2. Either log in online to the organisation or phone them on the number they have provided if you need to contact them.
The web site or the person on the phone will quickly tell if there is a problem.

Some time ago I received a phone call from my bank asking if I had used my debit card to buy sports clothing in a nearby town. I was extremely suspicious but said that I had not done so. At that time my bank card was due for renewal but I had not yet received a new one through the post. After I made inquiries it transpired that somebody had intercepted this new card in the post and had used it to buy items of sports gear. My bank said that they would cancel that card and send me a replacement one. That too never arrived as it was also intercepted in the post. I finally obtained my new card by visiting my bank to collect it personally. The perpetrator of the scam was later apprehended after trying to use one of my stolen cards on a cross-channel ferry.
I did not lose any money as a result of this fraudulent activity as my bank was aware of an unusual pattern of spending and had alerted me before there were any serious consequences. I can only thank my bank for acting for me in this way.

Jill says:
26 January 2019

I was very interested to read Emma’s blog and very sorry to hear that she has lost so much money. I too was almost the victim of a similar scam last week. The caller was very convincing. As in Emma’s case the scammer said that there had been suspicious activity on our account and the bank would have to close the account and open a new ‘holding’ account. The difference in our case is that the caller didn’t ask for any security details, which was reassuring. Also, when I said I needed some proof that this was a general call from the bank, she asked for my mobile number so that she could phone my mobile and I could check that she was calling from the bank’s telephone number. That convinced me for a while even though at the back of my mind I was aware that there are ways of counterfeiting caller phone numbers.

It was only when she was on the point of giving me the details of the new ‘holding’ account so that I could transfer the balance that I decided that I must phone the bank myself – only to discover of course that the account hadn’t been compromised at all.

On reflection afterwards we realised that the bank itself would be able to close the account if necessary and wouldn’t need to involve us online. However, the scam was so plausible in other ways that we nearly succumbed. Indeed at one point I thought the caller was concerned that we were involved in money laundering. I’m still rather concerned that I gave away too much information even though I’m confident that I didn’t disclose passwords or account details.

It does seem as though this topic is proving particularly useful in that we now have at least two solid pieces of advice from industry insiders. I’ve edited them a bit with the hope they could be printed onto both sides of a credit-card sized item:

On side one:

1) If you’re called out of the blue, never, ever give out details which could grant access to your accounts.
2) Banks will never, ever ask you to move money around to prevent a fraud.
3) If banks think fraud is happening, they are quite capable of putting a ‘block’ on the account to prevent further transactions. They don’t need to ask you for any PINs or passwords to do this.

On side 2, the response that should be standard to any such ‘out of the blue’ telephone calls:

The ABC (Accept nothing, Believe nothing, Check everything).

“Thank you for alerting me to this. As you are clearly satisfied that you are speaking to the authorised account holder, you have my instruction to freeze my account, and I will contact you again later to sort matters out. Please text me to confirm my account has been frozen.”

Some years ago Which? sent out just such a credit-card sized piece of advice regarding the Sale of Goods Act. Is there any reason why they now couldn’t do the same for all magazine subscribers? Just a thought.

George Stern says:
26 January 2019

I’m sorry to hear of your experience. I’m not a security expert but my standard response to people getting me to do things in a hurry is A, B, C – Accept nothing, Believe nothing and Check everything.

Practically I would always recommend that a phone call is made to your bank using a different phone to the one used for the incoming call to check the validity of the assertions made, namely that your account had been compromised. It may be worth keeping the bank’s fraud department telephone number, which you have sourced independently, as a contact on your mobile phone so that you can make a very quick call should an emergency arise.

Paul G says:
26 January 2019

I don’t answer any calls from numbers I don’t recognise. But in this case that wouldn’t have helped. This has made me rethink. In future if I get any calls from bank etc will always end call and phone back using my own saved number.

Dabbs Ian says:
26 January 2019

Well, there are lots of things that banks could do… First, follow the fraudulent money trail, no hiding behind confidentiality. Insurance companies share information to prevent frauds.
Making it much harder for fraudsters to open accounts in the first place, actually checking people out, not just a few documents you need to open a new account… i.e. which bank were you with before… employer? 85% of applicants would have plausible histories. Why not require photographs and even fingerprints… Yes, we would have bleating from the civil liberties brigade… but we could have two classes of accounts… i.e. authenticated and provisional… the latter would not be able to receive instant and large transfers. Basically all the banks’ information technology is old and not fit for purpose.

I suspect one issue is that people sell their legally owned accounts to criminals. A lot of students were found to be doing this. The bank wouldn’t know it had been sold, and the scammer only needs seconds to remove any money they might be able to get transferred.