/ Money

Update: stopping bank transfer scams – what would meaningful action look like?

Our research has found that people are still losing life-changing sums of money to fraudsters exploiting bank transfer payments. So, how much longer should we wait for effective action from industry?

Update: 28/02/19

Several major banks have signed up to a new code that will ensure refunds for thousands of victims of bank transfer scams.

In a huge win for our campaign, seven major banks have signed the code that ensures refunds for victims of bank transfer scams, and greater protection for all their customers. The banks who have signed up are:

■ Barclays

■ Lloyds Banking Group


■ Metro Bank

■ Royal Bank of Scotland

■ Santander

■ Nationwide

These banks will begin a new reimbursement scheme for customers who have lost money through bank transfer scams on 28 May this year.

The new code requires banks, building societies and other payment services providers to put more measures in place to protect customers from bank transfer fraud – and, crucially, enables victims of this type of scam to get their losses refunded by their bank if they have done nothing wrong. But the code is only voluntary.

There’s still more work to be done. In the last two years alone £400m has been lost to bank transfer scams – and we want customers of all banks to be protected.

We’ll be turning up the pressure on the banks who haven’t signed up to the code in the coming months to demand they get on board and protect their customers.

Stop scams

Two years ago, as part of our super-complaint to the Payment Systems Regulator, we collected evidence from nearly 600 victims of fraud who told us they’d collectively lost over £5.5m to bank transfer scams.

Five months on from the PSR’s response saying that they’d found evidence that banks could be doing more, we’ve been checking to see if anything has changed.

We’ve found that people are still exposed when it comes to bank transfer scams, with many losing significant sums of money.

Despite fraudsters continuing to exploit bank transfer scams, we’ve not seen enough evidence that banks are making progress to protect their customers.

Roger and his wife lost £2,000 to a scammer posing as their gardener:

And cases like Roger’s are far from unique. In fact, our latest research reveals that one in 10 people in the UK had made a bank transfer, or knew someone that had made a payment, that later turned out to be to a fraudster. And of those people who had lost money to bank transfer scams, more than half had been victims in the last six months.

Huge sums of money are being lost to these fraudsters, and we found that nearly four in 10 didn’t get any money back at all.

So, today we’ve written to banks calling for them to clearly outline what action they are taking to safeguard consumers from bank transfer scams.

Bank scams

When it comes to banking the general expectation is that banks will look after you as their customer and your money too. But with so many continuing to lose such large sums of money to fraudsters exploiting the system, it’s clear more needs to be done.

The industry, regulator and next government need to urgently take action to tackle financial fraud. We want the next government to set out an ambitious plan to ensure that financial institutions do more to protect consumers from bank transfer scams.

We need your help to do this – please share your scams experiences with us and help keep the pressure on to deliver this change.

Tell us your scams story

Confirmation of Payee plans announced

Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK.

One area that the Forum has been examining is ‘Confirmation of Payee’. Currently, when you make a payment to someone the bank will check that the account number and sort code you provide matches the ones on the account you wish to pay.

Throughout our scams campaign, we’ve heard of lots of stories where victims of scams have lost huge sums of money where they have believed they are making genuine payments for things like conveyancing fees or building work, but instead they are using bogus bank details sent to them by scammers.

The Forum has outlined that customers wishing to make a bank transfer will have to now enter the exact name on the account, as well as the other details. This would mean that when you transfer funds to another account the system would also need to confirm the name of the account you are paying matches the name you’ve provided.

If the transfer is to a person, the confirmation system will check to verify if the details are a match or not. If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

The hope is that this confirmation system will encourage customers to verify details before transferring any money and also help to tackle one aspect of bank transfer scams.

The system will be available from December 2018, although it will be voluntary as to whether your bank offers it to you when you make a payment

We’ve been calling for confirmation of payee for some time now, so while we welcome its introduction, we believe it’s important that banks quickly act to introduce this measure to help protect their customers from scams.

Our Money expert, Gareth Shaw, said:

‘Hundreds of millions of pounds are being lost to these increasingly complex scams, so introducing confirmation of payee is a vital step towards boosting consumer protection.

‘With consumers still at risk of losing-life changing sums of money, banks must now urgently adopt these proposals.’

Update: 18/10/2018

A new ‘confirmation of payee’ service is on its way in 2019 to combat bank transfer scams.

Customers are to be warned if the name of someone they’re trying to pay does not match the account details. With losses to this type of fraud increasing drastically, it’s clear that this measure can’t come soon enough.

While we await its introduction, it’s crucial that an agreement is reached on the funding mechanism to reimburse all victims of bank transfer fraud who have been left out of pocket through no fault of their own.

Update: 25/09/2018

According to UK finance, the trade body that represents the banking industry, fraud victims have lost more than £145m this year to scams that leave them with no legal way of getting their money back. Just 20% of losses have been recovered.

In the first six months of the year, there were around 34,000 cases of ‘authorised push payment fraud’ (bank transfer scams). Losses averaged around £4,260.

Details of a reimbursement scheme are due to be published this week. Gareth, Shaw, Head of Which? Money Online said:

“It’s now two years since our super-complaint highlighted the lack of protection for victims of bank transfer scams, but these shocking figures show just how widespread the problem still is.

Banks’ efforts to date have been woefully insufficient and they have not done enough to protect their customers, who continue to lose life-changing sums of money to ever-more sophisticated crooks.

The Payment Systems Regulator has rightly committed to introducing a reimbursement scheme for victims. It’s about time that banks step up and properly compensate customers who have lost money through no fault of their own.”

Update: 28/02/2018

Win! The regulator has confirmed plans and timeframe for scams reimbursement scheme. Following its consultation on a reimbursement scheme for victims of bank transfer scams, the Payments Systems Regulator (PSR) has today confirmed that it will press ahead with plans to better protect scams victims.

It has also announced the formation of a steering group to design the code that will underpin the reimbursement scheme, setting out the members as well as the key principles and objectives of the group for the next six months. Forming this steering group alongside Which? are Age UK, Toynbee Hall, and representatives from the banking and tech industries.

The group will deliver an interim set of rules by the end of September. These will then be consulted on with a final set agreed by the end of the year.

However, from September, the Financial Ombudsman Service (FOS) will be able to use the draft code when determining new consumer complaints about authorised push payment scams.

We welcome today’s announcement as a step in the right direction. We hope that this will help to ensure the reimbursement scheme properly compensates victims who have been left out of pocket through no fault of their own.

However, the industry must also use other measures to better protect consumers at the point of transfer to stop such scams happening in the first place. These measures could include confirmation of payee, which would add an additional check before a bank transfer is made.

Do you want your bank to sign up to Confirmation of Payee to help protect you from bank transfer scams? What should the banks to do to protect their customers from losing money to bank transfers? Do you think the next government should tackle scams and financial fraud?

Steve G says:
20 December 2017

If it adds a bit of extra time, while the Banks check the payee’s details, so be it. Losses like these to individuals (as well as Companies) are a poor reflection on the security and fairness of the Banking system.

Andrew Wainwright says:
20 December 2017

This is a great idea but I am concerned that scammers may use it to find out the names on accounts by trawling through account number after account number. It would be better for the sender to input the account holders name, or at least part of it. The full account name is obviously impractical; is the first name in full or just an initial, are initials separated by full stops or not, is “Mr” or “Mrs” used. So if the bank’s system could recognise a part of the account name, this would probably provide the required level of security.

I agree with Andrew’s concerns, mainly because I have similar confidence in a bank’s priority for its customers’ security, as I have for political awareness of the realities of daily life for ordinary citizens. Anything which can provide greater, simpler involvement for individual customers in controlling the security of their own payments, rather than leaving it to the banks and then having to rely on their “independent” status should a problem occur.

As I understand it, to avoid this trawling to find details, you input the specific name of the account (you’ll need to find this out) and the bank will simply say if it is correct or not before you confirm the transaction.

I’m not clear though why the alternative would worsen security. if you have a cheque from someone this contains all necessary account details.

Robin says:
20 December 2017

There should be a sort of holding pen/account for monies being transferred so that the genuine buyer & seller can check details before money is released.
Having been the victim of money transfer fraud I asked my bank if they new where the money went & they told me it was transferred to an account in the Elephant & Castle district of London.
Action Fraud were contacted but held out little hope of getting the £5000 back.
I then created another email address & contacted the scammer as if a new customer. The same product was on offer but of course I was non committal re a purchase.
I contacted Action Fraud so that they could follow the same route to possibly trace the culprit.
On telling them what I had done to find out more I received a severe telling off & was told that what I had done was probably illegal !
Action Fraud made a case note & number & told me to call them at a future date for a report.
When I did so I was told no action would be taken.

It is a bit of a shock to find that Action Fraud is actually a collator of information rather than some aggressive policing action team. I symapathis wilth all who have become victims of a banking industry which has only been concerned with its own profits and simple systems. And of course shoddy account opening systems.

As an ex-banker I am aware of the chnages that the banking industry, through the BBA, agrees certain practices. I would point out that using cheques requires the recieving Bank to check it goes into the named account, and indeed one could croos the cheque for the correct bank. Adding the account number is probably Ok too. Any branch of any Bank accepting the cheque for the wrong account is liable for the value.

Good system isn’t it. Guess why banks have been keen to get rid of them . And of course they have to cheque the signature is legitimate. Doubly troublesome for the banks but doubly safe for customers.

BTW in France bouncing cheques or even a single cheque is seriously bad news with “huissiers” chasing up the bad debt for you. And the Bank of France banning you from any banking facilities for five years. Tough love works.

RParker says:
20 December 2017

Banks have to do a lot more to secure our money before they force us into a virtual money paperless society

John Hamilton says:
20 December 2017

Surely this will help protect some of the most vulnerable to scams namely the elderly this has got to be a step in the right direction, however, more needs to be done especially from the banking fraternaty who lets face it are well paid (with the of exception of the grass root employees).

it annoyed me when the bank allowed a direct debit from a year previous to be paid even though the card had run out and i had been issued a new one 4 months previously with different numbers on the card

This comment was removed at the request of the user

William McCall says:
22 December 2017

Banks are closing branches and becoming evermore part of the online world. They have actively persued the elimination of cheques and cash and all these actions give them a clear commercial advantage. These actions have consequences and they can’t behave like spectators and pretend they have no responsibility for the financial safety of their customers. In fairness the banks have reacted but very slowly and, seemingly, reluctantly.

This requirement should be made compulsory on Banks. If my current bank did not provide this safeguard I would move all my banking requirements to another bank that did, pronto!

And that is the best way to deal with any provider with whom you are dissatisfied 🙂 . Unless anyone knows of obstacles that the new system might introduce to certain banks, my suspicion is that the “voluntary” bit is a formality to avoid legislation perhaps, and that all, or most banks, will provide the service. It is just as much in their interests as their customers.

Stuart Clements says:
23 December 2017

Having just moved house with the transfer of money and all that entails this matter is strongly in our mind. Electronic transfers are so easy but with the well known risk. We are lucky our solicitor is local and could receive cash so easily but why should we have to when some commitment by the banks could ease the worries.

Ian James says:
23 December 2017

The banks in there efforts to force us to go cashless should at least make sure they have a robust security framework before embarking on this. They have an obligation to the customer to protect them, though you woudn’t think so at times. It is the banks that are pushing the pace of change but they don’t seem to take into account the age of some of their customers or consider the difficulties the elderly have with online and cashless banking. All the safeguards and protection processes need to in place and fully tested before we go down this route – if we ever actually do go cashless.

It gives you peace of mind when doing any cash transactions

Elizabeth Chell says:
25 December 2017

Would you sign up to it Which?

Anything that makes bank transfers safer is good. I believe ALL banks should have to do this as a mandatory step to protect their customers.
I also think that there should be a delay in transfer time to allow payees to change their minds if they think they have made a mistake.

Not all bank customers who do on-line banking want a delay in payment transfers. I have a list of about twenty regular payees and in most cases I want to make same-day payments. These are payees whose account details do not change from one payment to the next.

If I want to delay the payment [for example, until nearer the due date for a credit card bill] I can set that option and specify the date; that is not so that I can reconsider the transfer or change my mind [which I am not sure is possible although the bank could probably stop it for a fee] but so that I can manage my account. I see no point in the banks offering their customers use of the Faster Payments Service if it is going to be subject to delays. And would the delay be one working day, two working days, or what?

For transfers to new payees, the advice that has been given many times in these Conversation holds true: make a nominal trial payment first and then transfer the balance when you have had confirmation of receipt of the trial amount.

We bank customers have been conned into substituting secure payments for speedy transfers with all the risk for wrong transactions landing firmly at our feet of the customer. How the industry has made life so much easier for the conmen. For ages I have wondered why we have not make more of a fuss en masse about the insecurity and risk forced on us by the banking industry. Particularly, since the big bank bail
our using our taxes after years of what I can only describe as dodgy dealings.

As John says above, and many elsewhere, online payments are generally secure if you do them correctly, check you have the correct account details and have not made a mistake typing them in, and for a new payee take the simple precaution of transferring a nominal amount and checking it has been received before committing the balance.

This year banks will introduce “confirmation of payee” adding a third item to the information required. It seems the option chosen will be for you to declare the account name when preparing the payment and your bank will simply tell you whether or not this matches the other account details. You can then choose whether to continue with the payment, or not.

Considerable diligence will still be required when the third security factor of payee confirmation is introduced. Customers must check that the account description they give is exactly the same in all respects as the account name they wish to credit. Some firms have different account names to their trading names, or have dates within their titles, so all those discriminating details will need to be checked. People should not enter an account name and just click ‘confirm’ when a match is indicated, they will need to take time to review the information and verify it. The consumer hasn’t won the battle yet and cunning scammers will exploit every weakness.

Nobody has been pressurised into using the Faster Payment Service: it is entirely optional. There are several other ways to make cleared payments with different degrees of security and speed. Banker’s Drafts are still available. Secure transfers are available where a senior officer at each bank will personally supervise the transfer at each end. Normal BACS transfers and cheques can still be used but require clearance. Apart from cheques, there are direct fees for each of these methods rising in proportion to the degree of security, clearance and speed, and for a major transfer a controlled secure process might be more appropriate. For years solicitors and conveyancers have relied on BACS and there have been few problems; the fee is only around £25-30 and is probably worth it for a critical and high-value payment.

The exact (“official”) account name must, presumably, be entered by the payer and unless the payer gets this right, they will be told the name does not match, as I understand it. They should then not proceed with the transaction until they have the correct account name. It no doubt still leaves room for error (unless the bank blocks the transfer until the correct information is given, but I am not clear if this is the case) but it seems far better than the present system.

Yes, it should be a major improvement. I would hope the bank will block the transfer until the payee name given exactly matches the account name held by the bank. Where there is more than one account with a certain name the sort-code and account number will still be the determining factors.

When I lived at No. 27 in a block of flats another John Ward lived immediately below me in No. 20 and we both had accounts at the Midland Bank. In those days most bank transactions were processed and reconciled manually and occasionally there would be a mix-up in the documentation. Of course, the bank never entirely took responsibility – same first name, same surname, same building, same street address, same town, same postcode, etc, and just a slight difference in the door number. But it was all sorted out amicably. In those days the branch manager would write a polite letter to the customer and invite them in to sit on a green leather-upholstered chair and admire his maple desk and panelling. Nowadays you have to stand in a noisy banking hall and communicate in public with a person who has never seen your name before.

Our bank has a little office away from the tills with comfy chairs and a nice member of staff. If the bank is a little busy and they are free you are invited in to complete your transaction. Not all banks are the same……

Yes, my main Nationwide branch in Norwich is like that, but the local one and some other local bank branches have gone open plan. Barclays is the worst. There’s acres of space but it’s like a bear garden. They want everyone to do their business at a terminal. I mean, even the bears don’t do it there.

Kate says:
2 January 2018

I do not have enough detail on the proposal to sensibly comment and judge ‘yes’ this is great !
It does seem to put the onus onto the individual rather than the organisation. And frankly, sounds a tad simplistic. Scammers are not simple and I suspect would readily find a way of dealing with a confirmation of payee request by inventing one of their own to present to the individual online. More work and ideas required.

If the concern is about “Confirmation of Payee”, it works by the payer giving the account name to their own bank (together with account/sort numbers) who send to the payee’s bank. They check and respond to the payer’s bank who then tell the payer whether the account name is correct or not (if it is a private account). I don’t see how the scammer can intervene in this process. But you may see a way?


Doug says:
2 January 2018

While entry/check of a third piece of information might help with cases of mistyped sort code/account numbers I don’t see how its going to help with the main aim here – bank transfer scams. The scammer has already managed to persuade me to enter their sort code and account number so they’ll just tell me the account name to use/expect and nothing will have changed – apart from more work for me, for every payment I want to make quickly and efficiently. I would suggest a better method would be similar to when credit card companies helpfully or unhelpfully stop transactions awaiting additional verification but on the scammer accounts so that no more money can be transferred in to it until verified. e.g. there are going to be patterns – lots of money going in/coming out during the day, small/zero balance at end of day but a high daily/hourly balance or volume of transactions.

There seem to be at least two types of scams. One, where an email is intercepted from someone you expect to pay, substituting a different sort code and account number. They are unlikely to open an account in an identical name to the person you expect to be paying so you will simply need to supply the name you expect to pay, and the bank will return a negative.

Where someone simply sets out to scam you – an offer you “can’t refuse” perhaps – then no doubt all the data they supply matches. But as in any other transaction you need to understand what you are doing – as in why do you decide to fall for the scam? Who is responsible for your loss then? If the bank has been negligent in setting up an account for known fraudsters then they have some blame, but otherwise I’d suggest the person themselves is responsible.

I set up a new payment transfer this evening. I could only enter eighteen characters [including one space] for the payee name – not enough in this instance. This will have to be greatly expanded when the new scheme comes into operation.

Janet Langley says:
3 January 2018

the more secure the checks the better, when I am transferring large amounts I want to make sure that it goes to the right person/business. Just hope they do not take away all the high street branches where this can be done safely!

Janet, at the risk of repeating advice given intermittently in these Convos, if you are intending to transfer a large amount online, begin by transferring £1 to the intended recipient and then check with them personally to ensure it was safely received. Then you can repeat the transaction for the balance knowing you have not made a mistake – assuming your banking app has kept the account details and you do not have to re-enter them.

Large amounts of money ?? Lucky you to have so much I have just 2 halfcrowns to rub together no more better to have halfcrowns than not have 2 halfpennies to do it with A stupid comment from me again you all will say and I agree with you

Alan says:
7 January 2018

Many years ago, banks removed blank paying in slips from counters specifically to stop this kind of fraud. Now that digital payments are the norm, it is a natural progression to verify payees when paying digitally. This will not stop fraud but will be a useful addition to making secure payments. The banks should have adopted this years ago!