/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?


We cannot rely on voluntary codes of practice when large sums of money are involved. The PSR needs to develop clear rules for determining whether or not customers should receive compensation, or how the blame should be shared, rather than leaving it up to individual banks, which has led to the current differences between how individual banks treat their customers. I agree that the banking industry has had long enough to sort this out and that transparency is essential.

I’m pleased to see the measures that banks are now taking to help us protect our money. I would like to see all payments made to new payees to be delayed by default to provide sufficient time for a prompt investigation if fraud is suspected. Some customers might want to forgo this protection and perhaps it is only needed for larger sums of money.

Delayed payment is a very good idea.

Which? urges action to stop scams ‘victim-blaming’ by banks………
Official figures show banks signed up to an industry code on bank transfer fraud hold victims fully or partially responsible for being scammed up to 77 per cent of the time. Victims were held fully responsible for 60 per cent of payments, while 17 per cent of the blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves………..”


Well, perhaps the “victims” do have some or all responsibility for making decisions to pay money to fraudsters. Why we should expect an almost blanket assumption that no customer has any responsibility for any loss incurred when responding to a scam, and that I, and other bank’s customers, should just give them their money back without real justification, beats me. We need an approach that is fair to all parties and that recognises that a bank’s negligence is material in deciding whether compensation is made.

The examples, of customers who have lost money, given in the press release do not convince me that they are not a party to to the loss. Some seem to indicate ignoring banks warnings, ignoring publicised scams, or dabbling in matters and with people they know little or nothing about.

I am totally in favour of banks paying out when they are at fault, and in doing their real best to recover funds from the receiving bank where fraud is involved. I also think a bank is culpable, at least in part, when it opens accounts for people who turn out to be fraudsters without conducting due diligence.

What I would like to see is banks offering accounts with different levels of payment facilities by their customers depending upon their declared or perceived capabilities; limiting single amounts that can be paid, requiring authentication of any new payee, requiring a second authentication for transactions above a limit, having a day or two delay in certain transactions where the bank question the transaction and require confirmation, for example.

I believe people have a responsibility to take care when making financial transactions and many cases given in Convos, and by Which?, suggest they do not. I do not see why I, who provides banks with money, should reimburse someone whose actions were instrumental in them losing money. Unless the bank is party to the fraud, by negligence for example.

I would also suggest that fraudsters keep ahead of the game, so while popular scams might be recognised new ones will be formulated that are not yet well known. Quite how the banks are supposed to foresee this defeats me.

Credit cards charge high interest rates and that profit can be used as a compensation fund. That is not the case with regular bank accounts.

Do you have a scheme when people have been scammed out of cash to refund them?

I would like the receiving bank to be required to take liability and refund money when it goes into an account that has been used fraudulently and opened without due diligence.

Automatically refunding people who have been scammed will inevitably make them more careless in their transactions, knowing that if they lose money the rest of us will “see them right.”

I think any scheme has to look at the various parties’ responsibility when determining whether compensation is due, and how much. Simply avoiding that step leaves the system open to abuse and unfairness to all who fund it. You and me.

I agree with Malcolm. It seems to me that, at the top level, banks decided that supporting the current Code was the politically correct thing to do. Unfortunately, at the operational level, where traditional banking values and standards are in greater evidence, there has been resistance and the refund rate has disappointed.

People who were defrauded by scammers impersonating their solicitors have received some redress and some professionals have been struck off for not ensuring security of their e-mail systems to prevent hacking and misrepresentation. While that might not have impacted on the banking industry it has pushed up the cost of legal work.

At the root of this problem is the ease with which criminals can set up bank accounts and rake in large sums of money and yet the receiving bank that arranged the account seems to have no liability. That cannot be right and possibly explains why the victim customer’s bank will not refund the money with a good grace.

I am hoping that with the new confirmation of payee procedure the risk of APP fraud [or Payment Diversion Fraud as it is now called] will diminish, but it will not end because scammers will invent new ways of presenting the payee account that will defeat the controls and look as though it is legitimate. I therefore also endorse Wavechange’s comment at the top of this Conversation to the effect that we must have mandatory controls affecting all banks.

Judging from some of the comments by banks who have not made full refunds, referenced in the Intro, I get the impression that this whole issue is not being dealt with at a senior and experienced enough level within the industry since some of the remarks are clearly inappropriate and ill-judged and show that the bank has not been exercising due diligence on behalf of its customers, so the problem is circular and part of the culture.

It is very easy for tech savvy people to see a scam but scammers are becoming increasingly sophisticated and for some people this is a really big issue. I don’t understand how it is so easy for someone to set up a business a/c without apparently rigorous scrutiny, like have they registered themselves/ their business with Inland Revenue are they paying NI and do the LA they are using their home for businesses purposes and their house insurance and car insurance That would surely make some think twice. This would solve some of the unnecessary heartache and time but not if they are trading abroad. Why are we making it so easy for people to rob others?

Victims are not blameless in this. Many are very careless, failing to take account of widespread media coverage of this issue, which includes media reporting about the spoofing of caller ID.

Fault can be attributed in the following order:
1. Scammer
2. Account holder at receiving bank (for letting scammers use their account)
3. Receiving bank (for failing to exercise KYC)
4. Account holder at sending bank (victim, for ignoring widespread media coverage)
5. Sending bank (for failing to implement confirmation of payee functionality)

Far too much blame is attributed to the sending bank, which is usually the last party to be at fault, if at all.

Chris, the reason that I say that many victims are careless is because APP fraud has received widespread media attention for many years. Consumers are advised never to trust any unsolicited callers who purport to be from their bank. Caller ID spoofing is far from a new concept, which has likewise received plenty of media attention, particularly in the context of APP fraud.

The common reason given by the scammers is that the victim needs to move their funds to a “safe account“, which is in reality is a compromised bank account over which the scammers have control. The most glaringly obvious flaw in this reason given by the scammers is that a bank has full control over its accounts, and would never need to ask a customer to move the money on its behalf. Yet victims don’t stop to think about the lack of plausibility of this reason and ignore the hundreds of media reports about APP fraud that they have read or watched, and foolishly believe any unsolicited caller.

Anyway, victims are far from top of the blame list. I ranked them at number 4 above, but significantly above the sending bank at number 5. Unless a sending bank has failed to implement confirmation of payee functionality, then the sending bank should not foot the bill at all.

I will also add another party to blame to number 6 in the list – telecoms companies, who should be blocking all incoming calls whose caller ID is a number listed on the back of any UK debit card. Banks never use these numbers as their outgoing caller ID; they use these numbers only for incoming calls.

If your dog bites a child, would you blame the child? Some dog-owners do.
It is easy to blame the victim, but its a cop-out. Not everyone has a high IQ. Those with low IQs deserve the protection of the law and the authorities.
These days it’s difficult for those with low incomes to manage their money. In the old days of cash they would physically divide their weekly pay packets or pension into pots, one each for gas, electricity, telephone, groceries, etc. and anything left could be used for occasional purchases like clothing. Nowadays that’s impossible because utility companies won’t accept cash.

If you suspect a dog might bite then you should not approach it.

Most scams are already illegal, so we already enjoy the protection of the law.

It’s not working too well though, is it?

Rather than more law, perhaps we need more law enforcement.

I couldn’t agree with you more although I’m registered with the TPS for many years it seems that a landline today is an endless source for scam calls I sometimes wonder just what the public are paying line rental for when in my case 99% of the calls are scam ones which the telecom providers say are from abroad. Not the case half of them or more are from mobile numbers

As with all these hair-brained compensation schemes Which? goes after, they attack the end result, don’t tackle the root causes and never consider the consequences that we all end up paying for.

These businesses fight back.

You can now claim for your train being 10 minutes late, so surprise, surprise, the cost of fares went up. Which? staff can now have an extra 10 minutes in bed, while those on lower salaries will be struggling to pay the higher fares.

Flight delays? By how much has the cost of flights increased to cover compensation paid out?

Up-to Broadband? Instead of working out why we couldn’t get the maximum speed available to our routers, they now have an unacceptable minimum speed, so problems with slow speeds are not acknowledged by ISPs and they no longer attempt to get you the speed your line is capable of getting.

Access to ATMs? Surprise, surprise, more are charging fees to use them. The maintenance of these machines does have to paid for.

So now Which? expects banks to reimburse victims of APP without question?

Chris Walker said When you fall victim to a crime, you expect to be believed. . . . . . you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

By your logic:

A Nigerian prince emails me, says transfer £10,000 to him and he will turn it into a £million for me. By your logic, I can pay him safe in the knowledge my bank will pay me back if it doesn’t work out and even better, they won’t ask any awkward questions.

A stranger knocks on the door says transfer £10,000 to his bank account and he will send me some jewellery. Again, by your logic, I might as well take a chance.

The bank had absolutely nothing to do with the above payments, so if I was stupid enough to take a chance with them, why should I get my money back? There is no difference between a stranger knocking on the door example and buying expensive boots at too-good-to-be-true prices from an unknown site on the internet. Why should either get a refund AND with no questions asked?

I wish you would stop using the word SOPHISTICATED that is mainly used to justify people’s stupidity. The majority of scams are not sophisticated at all.

Why should banks reimburse us for scams they have warned us about? They tell us often enough they will never ask us to transfer money so why do people take no notice?

I have said many times that education is the answer and not compensation that absolves people of personal responsibility. I have given my shopping checklist many times now, when is it going to be a convo where people can learn how to protect themselves, ask questions, educate themselves instead of becoming a victim?

The majority of victims only have themselves to blame and we need to treat the root cause, not just pay compensation that we all have to pay for because there are consequences – for example, is Which? partly to blame for the low interest rates on our savings?

Washing machine insurance fraud is another matter entirely, one that the police and Trading Standards should be dealing with – arresting and charging the criminals involved.

I feel Which? prefer to sympathise than put the hard work into making constructive proposals. We saw that with ATMs; only after several years of being given alternatives and, it has to be said, providing restricted partial and misleading reports, have they at last acknowledged there are other solutions. They could have promoted and supported those much earlier.

I think Convos have provided Which? with a goldmine of information and constructive proposals from many contributors, largely ignored. Maybe they lack the kind of people to make use of such input, or maybe they have a different business model. I find it frustrating that our only consumers’ organisation seems to lack real objectivity in some ways.

Having had this rant, I do acknowledge that Which? does well in other ways.

Chris, how do you suppose the TSB finds the money needed for all those refunds?

Perhaps from another triumph of the law of unintended (but quite foreseeable) consequences – “Our overdraft rates will be a standard rate of 39.9% APR Representative (variable).“?

People don’t have to know the details of all the many scams in operation. They just have to remember three things – [1] not to respond to unsolicited calls asking for financial details, [2] not to let another party have access to their computer, and [3] not to take any notice of e-mails requesting a diversion of funds to a new account without checking directly with the organisation concerned. How many times do banks have to tell customers that they will never ask for their personal details by telephone or e-mail before their action is deemed to be sufficient?

Compensation has to come from somewhere. It doesn’t grow on magic money trees and big companies don’t have lots of spare money. So the real innocent people like me who have taken no part in the transaction end up paying for someone else’s mistake. I will get lower interest rates on my savings, higher interest rates on a mortgage, loan or overdrafts. How is that a fair solution?

There is another consequence you probably haven’t considered, and that is fraudsters setting themselves up as victims.

If the banks don’t investigate or question APP victims, it will open the floodgates to fraud on a massive scale with fraudsters posing as victims. There always needs to be a deterrent in the form of people taking responsibility for their actions. Over-dramatic words and forcing banks to reimburse without question is not the answer.

I will repeat the wise words of John Ward:
People don’t have to know the details of all the many scams in operation. They just have to remember three things – [1] not to respond to unsolicited calls asking for financial details, [2] not to let another party have access to their computer, and [3] not to take any notice of e-mails requesting a diversion of funds to a new account without checking directly with the organisation concerned. How many times do banks have to tell customers that they will never ask for their personal details by telephone or e-mail before their action is deemed to be sufficient?

Education is the key, not reimbursement without question.

People sometimes report that their bank recovered the money and refunded them. I wonder how often the bank has not recovered the money, possibly not even having attempted to recover the money, but has refunded the money anyway. It’s probably a 10% chance that the perpetrator of a fraud is an account holder with the same bank as the victim. The bank is not going to admit that are they?

Very true John.

I would counter that most calls are “unsophisticated” and most of us just hang up before any damage is done. You only hear about the “sophisticated” ones that fool ordinary people. If the caller doesn’t address me by name it’s a scam.
I’ve been informed of unauthorised payments from banks I don’t bank with and had at least two calls from HMRC threatening to arrest whoever answers my landline phone for fraudulent use of my NI number.
I now think my mobile number has been shared with a scammer who claims to represent different delivery companies, all of which have a parcel for me. I’m not expecting any parcels and if I’m not at home they can put a card through the letterbox.
The latest one is from Morrisons giving me a delivery window for groceries I haven’t ordered. I don’t usually shop with Morrisons.

It’s simple. They find it by paying next to zero interest on deposits and charging more on loans. They don’t need our deposits because they can borrow as much as they want from the Bank of England at 1.1%.

The base rate is currently 0.1%.

Sums up the recommended basic defensive posture neatly. No doubt people are gullible with to many just idly “going with the flow”. My major concern is the criminals who prey on older people, who are genuinely vulnerable to ploys using “fear factors”. Enforcing of law is also a problem as a lot of the down phone and online fraud is perpetrated by crims based off shore.

Em says:
9 July 2021

Scams targetting most individuals are not “sophisticated” at all. They are run by people who have the education attainment of a school leaver, but are probably more street-wise. Scams also need to be simple to operate and understand, or the targets won’t be able to participate in their own downfall. They rely on high volume deployment with low uptake. The people being scammed usually become aware of it at some point. The trick is to extract the money before they do.

A sophisticated scam is reserved for corporations, governments and high net-worth individuals. They require more time and effort to set up, and it usually takes a while to realise you are being cheated.

Isn’t it the case that the single factor giving these fraudsters the ability to gain the confidence of their victims in nearly all cases is the fraudster’s ability to spoof telephone numbers? Is it impossible in this age of technology to prevent spoofing?

For some strange reason, nobody seems to want to tackle the underlying factors of fraud and scams, probably because they can’t turn around and boast ‘look what I did’ as the only proof of anything working will be a reduction in cases.

Spoofing telephone numbers ought to be made illegal and technology stop calls from reaching their destination, but as long as BT can charge for call blockers and make money from the misery of victims, nuisance calls will continue.

My mum who had an operation yesterday, has had 3 calls this morning from Microsoft wanting access to her computer (she hasn’t got one), she owes money to Amazon (never had it) and her telephone line has a problem and by now they have probably learned she is with BT as she doesn’t like to be rude to people. My parents have rather a lot of medical calls, miss half of them by the time they get to the phone, so call the numbers back. I can but try my best to educate them into not becoming victims.

Alfa, I agree with most of the points you have made, particularly about victims being to blame. But I disagree that number spoofing should be made illegal. There are many legitimate uses of number spoofing where the caller spoofs their own number because they use different lines for their outgoing and incoming calls. I do this personally, as I explain below.

Number spoofing is the reason scammers are not caught and stopped and has got to the stage where it does need to be banned from general use along with the internet sites that offer the service.

Phone calls from some organisations will show their switchboard number as the caller. The NHS could adopt this method.

In your case, would it work if there was a system for registering one spoofed number with your telecom provider then you could switch to it when necessary? Spoofed numbers could then be trackable by the authorities and scammers would not be able to keep switching to fake numbers.

I think telecoms companies should be able to ping all phone calls to ensure they originate from the correct source before connecting them to their destination.

If BT can sell call blockers, I just don’t believe they can’t do more to stop nuisance calls on a large scale for everyone.

Alfa, yes, my provider allows me to spoof only the numbers that I have previously verified by receiving an SMS. This proves that each number is mine. The provider I use is based in Luxembourg, so any changes to caller ID in the UK would be irrelevant.

If spoofing were prevented, you could just divert all incoming calls to your other line. Call diversion is an optional extra that might be free or it might cost you a few quid each month.

Em says:
9 July 2021

According to BT, we have to wait for the full roll-out of Voice-over-internet-Protocol (VoiP) before they can tackle number spoofing. And how does that help with 07 (mobile) calls where anyone can obtain an untraceable burner phone and SIM?

Again, far too much blaming of a single technology that has a minor role in deception, which nobody is forced to use. What did we do when we had POTS dial-up telephones? There was no caller-ID. And who ever said caller-ID could or should be relied upon to vet callers?

No one is obliged to take any incoming calls. And the purpose of caller-ID is so that a pre-identified number from you ex-, mother-in-law, stalker, double-glazing salesman, etc., can be rejected. If you don’t recognise the phone number at all, why answer it? I have yet to see a case where the caller spoofed a number that I already know.

The only example of my caller ID showing a familiar number was when my own appeared. It was so long ago that it was a marketing call rather than a scam.

I look forward to a discussion about VOIP. Business has been using it for long enough.

”We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. “
This begs the question of why the bank should be held responsible for the “victims’ “ losses if the bank was not involved, other than following their clients’ instructions to move their money from one account to another. Would they know the receiving account was operated by fraudsters? Why are they responsible for their client’s actions?

I sympathise with people who do lose money by being tricked but, when it is down to their own actions, I really do not feel I should repay them out of my own hard earned money, unless my bank has been instrumental in the loss.

I believe the receiving bank should be the target of any compensation; they set up accounts for fraudsters and, if not done with due diligence, are involved in the blame.

I also believe banks should offer accounts with restrictions to those who might be vulnerable to fraud so that substantial payments cannot be made without checks.

100% agree with you malcolm.

APP stands for Authorised Push Payment, meaning the sender authorised the payment.

Where money has mysteriously disappeared from an account for no apparent reason, then of course your bank should reimburse you, but why should they reimburse you through no fault of their own that the rest of us have to pay for?

Again, there are more warnings today about number spoofing, this time by Ofcom, but no doubt consumers will again ignore these warnings by assuming that caller ID can be trusted and they will foolishly fall victim to APP fraud.


I do number spoofing myself. I use a voice-over-IP service for most of my outgoing calls, as I can use it from anywhere in the world, not only when I’m at home. For these outgoing calls, I spoof my caller ID to be my own UK mobile number, even though I’m not actually calling from my UK mobile number. Therefore the called party sees my UK mobile number, and in many cases recognises me. Many businesses spoof their caller ID in a similarly legitimate way, because they typically use different lines for their outgoing and incoming calls. That’s why number spoofing will never become impossible.

Thanks NFH. I agree that there are legitimate uses for number spoofing.

Interesting the article says ‘In the UK, the current phone network (Public Switched Telephone Network) is being updated to a new system – Voice Over Internet Protocol, or VOIP. Mr Saunders says when VOIP is fully in place, with a target date of the end 2025, the industry will be able to stop number spoofing.’ “It’s only when the vast majority of people are on the new technology (VOIP) that we can implement a new patch to address this problem [of spoofing].”

If true, it can’t come soon enough.

I posted the link to the BBC article in The Lobby this morning. I remain to be convinced that the move to VOIP will end number spoofing for fraudulent purposes based on what I have read elsewhere, but we have to hope. VOIP is already well used by business and other organisations.

I agree, wavechange. I already spoof my own outgoing caller ID using VoIP, so I see no reason why the use of VoIP will prevent spoofing, particularly where the call originates from outside the UK, as it does in my case.

And the telecom companies couldn’t block UK numbers from being used on caller ID for calls originating from outside the UK. There are several genuine scenarios where this happens. For example, if you’re roaming with your UK mobile on a French network and you make a call to the UK, then the call goes directly from the French network to the destination UK network without passing via your own UK home network. Only the billing goes to your own UK home network, which can be hours or days later.

Hmmm. The article refers to a director at Ofcom saying that it should be possible to stop spoofed calls, as Alfa has already quoted.

I don’t know at what point the checking takes place, but you can’t use a mobile anywhere including abroad unless the phone/call is authorised/paid for, so it would not seem unreasonable that technology could check for a valid spoofed ID at the same time.

It does seem rather ridiculous that we can sort out telecoms to Mars but not our own planet.

Alfa, your comments are correct for prepaid mobile accounts. However, for postpaid accounts (commonly known as contracts), billing is in arrears and consequently the visited network likewise bills the home network in arrears. Therefore the home network plays no part in an outgoing phone call from a roaming mobile on a visited network.

The reason you give is trivial. The inconvenience to you caused by the outlawing of spoofing would no way outweigh the misery spoofing causes to ordinary people.

Sadly, outlawing spoofing won’t stop the scams. It would just result in calls coming in as withheld numbers instead of spoofed numbers. And, because any of those withheld numbers might be an important call, folk will need to answer them.

In contrast, spoofed but unfamiliar numbers are easily blocked.


Two years ago I posted this image. I was making the point that by reimbursing people, it allowed them to stop being responsible for their actions.

@justchriswalker said
I would also point out the work done by TSB under their Fraud Refund Guarantee where they reimburse 99% of all claims.

Earlier today I did a comparison of savings interest rates for TSB on CompareTheMarket. Surprise, surprise, TSB customers get a really poor interest rate on their savings compared to other financial institutions.

Compensation doesn’t grow on trees, it has to come from somewhere. Is it fair that innocent people have to sacrifice interest on their hard-earned savings to pay for other peoples mistakes and stupidity? Why should we repay someone who lost money to a get-rich-quick-scam for example? Not everyone has sufficient savings to put into riskier alternatives so they have to rely on basic interest.

This image shows the best rates compared with TSB interest rates.

I was subjected to four attempts at fraud in a single day last week. It is more than most people would have experienced in a lifetime before digital communications. I consider myself to be pretty savvy for a 78-year-old, but those who are not savvy need protection.
We expect most potential street muggers to be deterred by the law and the likelihood that they will be caught and convicted. Protection against cyber-mugging should be to a similar standard.

The one thing that concerns me about proposals to ban number spoofing is the underlying logic: as long as spoofing is able to be used, then scams will increase and be expensive, for which we’ll all have to pay.

The major problem, as I see it, anyway, is that a similar logical progression can be employed to argue that all cars and motorbikes should be banned. As long as cars are able to be used, then we’ll have collisions for which – ultimately we’ll all have to pay. The same chain of cause and effect can be applied to alcohol consumption, gardening and going out as well as staying in.

It’s incredibly alluring to assume everyone who’s duped by a scam is an idiot. or who simply should have read and memorised Alfa’s excellent guides to Scam recognition and avoidance. But stepping back and remembering we live in a society composed of fallible, normal human beings with all their frailties, many of whom will fall for scams, many of whom do become panicked, many of whom don’t react well to pressure, can remind us we have a duty of care to our fellows.

ScamVictim says:
16 May 2021

Referring to the earlier comments on the banks and App Scams and from my own personal experience of being a victim of an online investment scam, can the UK reach out to other countries to form some kind of alliance for app scams involving wire transfers to international banks ? To my mind, there are too many of these new ‘challenger banks’ opening up and signing up new customers willy nilly with no proper KYC processes or strict customer vetting in place. Certainly that has been the case with my situation and now I’m having to deal with the beneficiary bank in another country as the majority of my transactions were via wire transfer to either France or Cyprus. In the latter case, the scammer’s bank account was using an expired licence number that was obviously not caught by the beneficiary bank’s vetting system. Ironically, they promote fraud protection on their website but this only protection for the scammer potentially receiving ‘fake money’, not for the person sending it to the scammer’s bank account. At no point have my bank suggested I contact the beneficiary bank so I’ve figured that out myself.

To make matters worse, dealings with the banks UK side has not been good. I’ve been on hold for 4 hours, 2 hours, 1 hour at a time before trying to get hold of the App Scam team who, according to my bank, were not accepting calls when I called the main number and asked to be transferred. No e-mail address, nothing so basically I cannot contact them. That means I have to wait for someone to call me…..instead I get a written automated letter telling me, sorry, we can’t offer any reimbursement. When I questioned/challenged this, they said send in some evidence (not requested initially) so I got together 80 pages took me about a week to put together and which I posted. This went missing in the post so I had to collate the whole thing again to then get the same response but this time “we only offer app scam reimbursement if the money went to a UK bank account”. Why didn’t you say this in the first place ????

In addition, the scammers have sold my data so I get, on average, 2 calls a day – some automated – and I have tried to report these numbers. But where and who to ? This needs to be a quick and easy, press a button to report the number which goes into a central database and switches it off at the operator end. I checked the last three calls I received on revealname.com and they were all Telefonica (O2) numbers but when I went onto their website, there was no obvious place to report the number.

Well if I didn’t have mental health issues before, I certainly do now !! It’s most definitely a fend for yourself job !

If there is a dodge available the banks will use it. The onus should be on the banks to prove absolute neglect or fraud by the customer.

Jacky Owens says:
8 July 2021

If the regulator does not write the rules then there is no regulation. Can common sense prevail for once

I am listening to the live feed and it is rather interesting.

This country is responsible for allowing much of the world’s fraud because of the ease of setting up businesses with ‘clean’ directors. The Italian mafia launders money by investing in the UK.

So far the discussion is on actual fraud rather than compensation.


The banks are by far the best equipped to tackle fraud, much better than the defrauded party, and usually they also have the most resources. So they should automatically refund the money and then later apply their skills to recovering the losses.

Dave B says:
8 July 2021

Businesses will always water down the rules if you let them write them, as it’s in their (stockholders’) interests. You can’t write them independent of the businesses however, as you’re likely to end up with unworkable solutions. So they need to do it together, but with the Regulator in the lead & holding them to account (speaking from experience of working in industry)

A K Jan Sarhandi says:
8 July 2021

Banks are no longer banks in the traditional sense. They are already Super Government in this country and around the globe. The only way to beat them is to nationalize them. Also to make them share all their profits with their customers. However, at this moment they must not be allowed to make their own regulations. They must be held responsible.

Em says:
8 July 2021

The Bank of England Act 1946, which came into effect on March 1st that year, took all the stock of the Bank of England into public ownership.

My question to all scams what is being done to catch the criminals. After all in this world of tec these scammers can be easily traced and caught. BUT we hear nothing of any convictions, what is going on . IMO nothing being done to these scammers