Monzo spoofing scam: how we helped a victim get their money back

it may be that you entered a digit incorrectly or was incorrectly given to you. Even so recent changes in the law mean that the banks must trace and refund the money. At one time if someone paid say £500 into your account by mistake they could not make you pay it back as no crime had been committed by you, however the moment that you spent it or transfered it a crime was committed and action taken. Now i am sure they just take it back as it should always have been.

After a long delay, the larger banks now use ‘Confirmation of Payee’ to identify where the name of a payee does not match the number and sort code for an account. Prior to this, one digit wrong in an account number or sort code could mean that a payment could go to John Smith instead of Ian Jones. Here is information about CoP from HSBCs website: https://www.hsbc.co.uk/help/confirmation-of-payee/ Even now, not all banks have implemented CoP though there is pressure to make them do so.

It has been said before that implementing CoP by every bank, large and small, may not be the simple job some think. I would like the banks to explain just what is involved. CoP involves two banks, your own and the payees. It may be different banking software needs to be changed to accommodate the change. Just a guess. But I do remember reading of complications when it was being proposed. Lets just have some facts.

Before CoP you could check the correctness of a payee by sending £1 initially and checking it had been received by the right person.

Perhaps CoP should have been a requirement at the time we were provided with online banking facilities. A reasonable person would assume that if they made a payment to a named person or business there would be way of ensuring that it would not go to a different person.

Why did banks not insist on customers making trial payments before transferring larger sums as a temporary solution until CoP had been implemented?

Much has been said about the need for customers to behave responsibly but perhaps the banks could set an example. I’m very pleased that banks have done so much to help their customers protect their money over the past couple of years but – in my opinion – this could have been done sooner.

Perhaps CoP should have been a requirement at the time we were provided with online banking facilities. ” As I suggested above it may be down to compatibility of the various banks disparate software systems. If so, considerable work may have been required to get a common system that worked. Best to criticise when we know the facts?

”Why did banks not insist on customers making trial payment”. Many people did realise this was a sensible way to handle significant transfers to a new payee. People do have to take some responsibility for their actions.

However we need to look at how to improve things, not use hindsight.

With respect, I’m entitled to my own views. I am not alone in believing that CoP should have been introduced sooner: https://www.moneysavingexpert.com/news/2020/06/confirmation-of-payee/

Of course you are, as are we all. I was saying I would like to see the facts before criticising, and we have not, to my knowledge, been given the banks views. If they have deliberately avoided introducing CoP for no good reason then criticism may well be due.

I also am very pleased that banks have done much to help their customers protect their money over the past couple of years, but I am also mindful of the fact that the banks have also closed branches and withdrawn facilities at an unprecedented rate. I would say half the bank and building society branches in Norwich have closed over that timescale and the position in the smaller towns and larger villages is far worse.

The closure of branches in particular has made it much more difficult for millions of customers to manage their financial affairs. I know people who always go into their bank branch to make any substantial payment transfers and now have to travel further to continue doing so; they will not do it on-line.

And WHICH banks are these dilatory slow coaches? The person making a payment has no control over the organisation which is receiving his funds. Unless we know the names of these non-joiners there is no adverse publicity. It is time the system was mandatory!

Who do you bank with? None of my bank’s are cold calling me…

Nor mine. If they wish to communicate they send me an e-mail informing me that there is a message waiting in their on-line banking site to which I would have to log-in through the secure process in order to access it. Any messages on-line have been responses to enquiries I have initiated. I cannot recall any spontaneous or un-anticipated messages.

If your bank persists in cold-calling you, either formally request them to stop doing so or cancel the telephone contact facility. If urgent contact is required, they should agree to send an e-mail [containing agreed identification details] to which you can respond securely [i.e. not via a link] or by telephone to a named individual involving a reciprocal ID check.

To Trish B, were it not that there was a follow-up in writing, apparently, I’d wager that the cold calls had scam written all over them. What information could they possibly have been asking for in a letter??? If scammers are now progressing to faking letters / letter heads / HO addresses this is taking scamming into a new dimension. Otherwise a case for switching bank accounts like quick.

I should add that as a customer of First Direct, whose operations have been built on telephone banking, I have on occasions had calls from the bank but mostly pre-arranged. I seem to remember that some form of personal ID was called for each time.

Trishb, surely the sensible thing to do is call your bank and find out what information they want from you. Make sure you call on a trusted number either from a bank statement, another trusted document or the back of a bank card.

Like Ian, I am with First Direct. They haven’t had reason to call me for a few years now, but if they do I always tell them I don’t go through security unless I instigate the call so will call them back. They understand completely and put a note on my account so I am put through to the correct department when I call back.

If they have to call you back, either do the above or if they are really difficult to get through to, give them a password so you know it is definitely the bank calling you.

You always need to make sure the line has been cleared when calling back just to be sure you haven’t been talking to scammers. So call back on a different phone, call another phone in your house and make sure it rings or call someone you know and hear their voice.

We want banks to be more vigilant with who they let set up accounts therefore making it tougher for scammers to operate, so we shouldn’t moan at any extra steps or info they request that help keep our accounts safer.

Give your bank a call. That way you will know for sure if the request is genuine.

In my case I was called by the “Nationwide Fraud” dept, the caller at no point asked me for any information as he had it already. Obviously he obtained my information somewhere, maybe from hacking other internet sites, it certainly wasn’t from me. I lost around £18000 and haven’t seen a penny of it back.

Mike – I am intrigued to know why you were called if the fraudster already had all the information required. What do you think they were after, which they didn’t already have, that would enable them to successfully raid your account?

First Direct customers will be aware that the “first line of defence” (unquote) is now their reliance on voice recognition technology. This should make it all the less likely, one would think, that they would “cold call” customers. A hacker doing this would have to have access not only to the technology but also to the interface with the customer’s account. Quite a tall order unless I have missed something.

Dan, how long ago did this happen to you?

What negligent part did Monzo play that contributed to you losing money? Why do you think anyone, particularly someone you did not know, would double your money?

Hi Abraar – Your bank may be able to recover the money from the bank used by the scammer.

Iain — I have also wondered about that.

The original intention of the security number on the reverse of a credit card was to demonstrate that the person placing an order by phone actually had the card in their hand so they could turn it over and read out the number. That was at a time when PIN entry devices were being routinely skimmed by criminals to reveal the codes so that purchases could be made by phone without the card being present.

With most transactions now being made on-line the value of the security number has probably diminished but I don’t know what other verifying details it might contain and it might still have some basic crime prevention uses.

While hundreds of thousands of cards can have the same CSC [card security code] the combination of the PIN and the CSC is likely to be very rare. People are not asked for their PIN when buying on-line so the CSC in combination with the sixteen-digit card number and the date of expiry is as close as the banks can get to a unique identification. Good retailers use an encryption system [using the phone’s keypad] for taking a customers’ card details for a purchase.

The security number on the back of the card is sometimes referred to as the CVC [card verification code].

I delete the CVV on my cards with a black marker. It is unlikely but possible that someone could order goods and have them delivered to another address. Why give them the chance?

Mr. Jackson — When I make an on-line money transfer using the Faster Payments Service I can set the date on which payment will be made, and I usually do allow a few days if only to make sure my account is in funds.

I believe most of the money transfer frauds are when people have been deceived into diverting a payment to a different account or have received a payment request from an unexpected source and panicked without stopping to check whether it is a genuine request.

I agree with you that there is an artificial sense of urgency about these days, but that could be because so many people find themselves living on the edge. Scammers take advantage of that.

I agree with Mr Jackson and have previously suggested that in the case of new payees, payments should be delayed for several days by default to give time for suspected scams to be reported and investigated. Victims of scams sometimes realise their mistake before they put down the phone.

Yes we can delay an online payment if we wish, but how many people are likely to do that under pressure from scammers.

I do not object to a mandatory delay for new payees. That won’t come to pass in a hurry, so in the meantime, people can use the existing available tools to pause a payment. Of course, if they then had second thoughts they couldn’t just cancel the transfer: they would have to contact their bank.

I wonder why we could not achieve this sooner, John. I would like to reduce the amount lost to scammers and also the amount that banks refund to customers following scams.

My bank had a limit of £20,000 on payments but this has recently been reduced to £5,000, which I see as a useful change, particularly since I can increase or decrease this amount if I can wish. What I really want to see is a default delay on payments to new payees. As with other measures to protect customers it could be inconvenient but it would reduce the amount of money lost to scammers.

It is my personal view that this cannot be implemented sooner because the banks do not agree that such a change is necessary. Presumably the Payment Systems Regulator could impose a change if it would be in the public interest and for the reasons you have given. It is possible that no one has asked.

It would be useful to have some information on the amount of Payment Diversion Fraud that is still taking place. The number of instances was probably not the highest among scam attempts but the sums involved, first on the outright theft of the diverted money and then on the subsequent raid on the victim’s funds, could have been very large.

Unfortunately we don’t have access to anything other than published information, so we can only guess what the banks and the regulators are discussing.

The voluntary agreement by the main banks to reimburse victims of scams under the Contingent Reimbursement Model (CRM) Code provides some urgency to limit banks’ losses: https://www.psr.org.uk/our-work/app-scams/

My opinion is that, unlike other businesses, traditional retail banks should be run primarily to serve the needs of our citizens. (For me, public interest should come first and I would like to see the same requirement placed on suppliers of gas, electricity, water, phone and broadband services.) I know that others have different views. 🙂

I totally agree with you

Hi Rosemary.

These scammers work on the basis that: “You can fool all the people some of the time and some of the people all the time…” so even really savvy folk can sometimes be caught off guard and scammed.

One is Jim Browning, who you mentioned in a recent post, Derek. I have great respect for people who are prepared to admit mistakes.

We never know what new ploy will be coming our way so it is impossible to be fully prepared for the latest scam.

Who would have thought so many people would have been caught by the fake Royal Mail scam asking for a trivial amount of money to enable a delivery; the big fraud came next when, armed with people’s bank account details, the scammers hacked into their accounts and took serious amounts of money. Admittedly that fraud was e-mail generated, but many wise people wise and sensible fell for it because it was outwardly plausible . . . until people remembered that Royal Mail do not send e-mails [how could they?] but leave a card if they can’t deliver something. The National Insurance No. scam worked because most people believed that the DWP could cancel their NINo. which would stop their pension or benefit payments. There are few people who are totally impervious to tricksters so we must always be on our guard and anticipate the unexpected whenever the phone rings.

If the phone rings and I don’t recognise the caller my automatic reaction is that the call is likely to be a scam or a sales call. The same applies with an email. If there is a possibility that either might be genuine then I will look for genuine contact details rather than making use of ones provided by the caller or in an email. I recognise that I’m not going to keep abreast of current threats, so focus on learning about new techniques.

I never thought that I would be grateful for having received numerous marketing calls and emails over the years but maybe they have helped make me more suspicious.

The first thing a caller has to do, for me, is to identify themselves. If a call begins “hi” or “this call is for..” or “am I speaking to…” I automatically hang up at once.

Yes, I ask who is calling too. Some ask if they are speaking to Mrs xxxxxx and I assume that the intention is for me to confirm that I am Mr xxxxx. Nice try.

Before hanging-up I mention that I am registered with the TPS, which can elicit odd replies such as: “We are not members”.

Not wishing to appear racist but it is a fact that a very high proportion indeed of what I take to be scam calls are obviously from speakers with a South East Asian accent (who claim to be based in Manchester, Windsor, SE London or wherever). Someone once told me that they are in fact local call centres who one suspects acquire a list of target UK phone numbers together with a well rehearsed sales script – as evidenced by what happens if you try to get them to deviate from the words in front of them.
The value of a forum such as this is that on the one hand a record can be kept of the most well worn scams:
– DHL, Royal Mail, Hermes
– Microsoft Help Line
– Amazon Prime
– Bank … “suspicious activity on your account”
– Pay Pal and just recently Netfix – “we have frozen your account”
– Consumer Marketing Survey questions
etc etc
and on the OTHER hand flag up new additions which by their novelty are likely to keep folk such as myself off guard.

Hello,I think that you are not racist at all,the plain and simple fact is that most scams targetting this country is done by non English thieves. ,and a lot of the crime is done by immigrants ,just look at the faces wanted on crimewatch every programme.

It is likely that the hackers or scammers have managed to obtain the PIN for the account. It concerns me that a PIN is a mere four digits. A CVV is three digits and actually printed on debit and credit cards. I don’t have a lot of confidence.

I expect people keep over £1,000 in their current account because they can, and because it makes them feel good.