
Monzo spoofing scam: how we helped a victim get their money back

After an initial plodding response, Monzo refunded a fraud victim in full. Here’s how we helped, and why banks have a responsibility to protect your money.

25/05/2021: Further spoofing scam victims

Another victim of a Monzo spoofing scam recently told us more about the tactics being used by the scammers. Fraudsters first persuaded him to transfer money from his other bank account, with HSBC, to his Monzo account.

The scammers fraudulently claimed they were collaborating with HSBC on the transfer and sent the victim text messages while he was on the phone to them to make it look genuine.

When the transfer was complete, the scammers asked the victim to confirm the transaction in the Monzo app, which in fact approved a payment set up by the scammers. This wiped his account of £8,000, which included a recent student loan payment. The victim was later fully reimbursed by Monzo.

09/10/2020: How we helped a victim get their money back

The last thing Scott wanted to hear after being furloughed was that his bank account had been targeted by fraudsters.

He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured.

Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk. Scott carefully checked all the details before reluctantly handing over his account information.

He was horrified to later discover that all his money – £12,000 – had vanished. The emails were convincing fakes, and the calls and texts were spoofs created by scammers.

‘I’m savvy about these things, but the set up was so slick,’ said Scott.

Contacting the bank

He contacted Monzo immediately for help and was stunned by its response. He told us that its customer services ‘filled him with fear and uncertainty’ about whether he would get his money back.

“There was no support or empathy. I was made to feel it was my fault, and that the bank probably wasn’t going to do anything about it, I didn’t expect violins, but I did expect reassurance. I thought Monzo would be on my side”

Scott heard nothing from Monzo for weeks, despite him following up his initial complaint several times. After getting nowhere and being worried that he would never get his money back, Scott turned to Which? for advice on what he could do next.

We told Scott that he should be reimbursed by Monzo because he hadn’t given permission to make the transaction. He wrote to Monzo demanding a refund. Only then did Monzo reimburse Scott for the full amount, plus compensation for the inconvenience.

In response to a call for comment on Scott’s case, Monzo said:

“It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

Protecting your money

Banks have a responsibility to protect your money and they should do everything within their power to recover losses that are due to fraud.

In this case, the transaction was unauthorised and therefore had to be refunded in accordance with the Payment Services Regulations.

These are the same regulations that cover you if your card is lost or stolen and used fraudulently.

Sometimes banks might attempt to wriggle out of reimbursing customers in these situations, but you should never be held accountable if you can prove you didn’t give permission to send the money, as was the case with Scott.

Have you struggled to get your money back after a sophisticated scam?

Comments

I got hammered in a blog recently for being a racist when I made the quite factual point that (in my experience) an accurate way of identifying a telephone scam was by the accent of the caller. Invariably unexpected cold calls of this nature follow one or other of a small number of patterns or scripts read out by someone with what seems to be an Indian or Pakistani accent (whilst claiming to represent a UK institution). Nothing against gentlemen from this part of the world but SE Asia does seem to breed a number of scam call centres who trade databases containing genuine phone numbers and names (including my own).
I can only put it down to wanting to follow PC guidelines that Which? does not include “accent” / command of English in the published list of things to look out for in telephone scams just as dodgy spelling and grammar in text scams.
One would expect the more sophisticated phone scams to take the trouble to ensure that the accent of the caller was not a give-away.
Happy to hear dissenting views ..

A few years ago, before the scam problem became so rampant, I took a phone call from someone with an Indian accent who told me he was calling from BT’s headquarters. I knew that location in the City of London very well so I tested his knowledge of the local landmarks [St Paul’s Cathedral, the Old Bailey, etc] but he was ignorant of them. After an exchange he told me he was in Crawley [West Sussex]. He told me enough about the local area to convince me that he was now telling the truth.

I subsequently had a similar conversation with somebody who was actually in Wembley but claiming to be in the BT technical department in Reading.

So you cannot assume that scammers with an Indian or another Asian accent are not operating in the UK under the control of criminals in the UK. The caller’s accent is not a reliable guide to the origin of a telephone call. I do not now receive many scam phone calls but over time I have encountered all sorts of accents and would not wish any one race or nationality to be stigmatised by association with fraudulent activity. The corollary is also true: that a caller with a foreign accent is not necessarily a scammer. Incidentally, many people of Pakistani origin speak impeccable English in diction, intonation and vocabulary . . . and Pakistan is not in South East Asia.

The real scandal is that so many scammers are operating in the UK but, despite their proclaimed efforts, the authorities seem incapable of catching them and stopping this despicable crime.

I take your points including that Pakistan belongs to South (not East) Asia. This highlights the dilemma: I had yet another such call just this morning – the caller was offering me a partial refund of the incorrect cost of purchasing my washing machine due to an error … When in actual fact the purchase was well over 10 years ago so the object of the call was to get me to divulge my bank details. Like all such calls that target me the giveaway was the Asian accent which put me on my guard as soon as the caller started his spiel.
There must be many Asian people of the utmost integrity who might have the occasion to phone me and whose command of English is arguably better than mine. The fact remains however that statistically, based on the incoming calls on my phone (landline and mobile), there is an almost 100% correlation between the Asian accent and the non-authenticity of the call. Sufficient for the accent to act as strong a warning sign as any of the reported ones. Is it possible to flag this up without being accused of racial bias???
PS This is separate from the true location of the caller which for many non-tech savvy people such as myself cannot be determined correctly from the displayed phone number.

The loft insulation scammers have very ‘English’ sounding voices. When I looked up the last one I received from a lady with a northern accent, the phone number had been quite busy with a number of other scams reported.

This is where it gets subtle: My observations were NOT meant to imply that all calls from Asian accents were suspicious. Just that in my experience when these have been “cold” the probability of being scammed was very high. Similarly with (cold) calls from UK accents though the distinction is not so clear cut. The persistence of these guys would seem to indicate that the operation is lucrative with many unfortunates falling victim.

Unpleasant thought: Any evidence to date of scammers using people’s justifiable sympathy, concern and generosity towards “Ukraine” as an incentive to make fake charity payments with perhaps less than the normal amount of caution? Even with this in mind it is not easy to come up with specific guards against being taken for a ride when one’s guard is down. I hope to be wrong but if anyone has been targeted in this way I hope they will share the experience and lessons with us.

I have had 2 calls in the last month, both times it was an automated female, the first said it was the security department from my bank (no name of the bank given) and that a payment for £300 was made to Amazon, at which point I put the phone down. The second time I was told something different, I cannot remember what was said but I knew it was a scam and it was the same voice as the first. The only time we get a call on our landline is a scammer, usually telling us they are from Sky technical department, even though we have said repeatedly we don’t have Sky we are still getting them.

Sandy says:
15 March 2022

We used to get calls and e-mails about H.M. tax, saying we needed to dial a certain number or face the consequences. Quite intimidating to a couple of pensioners, but we spoke to other people who got the same thing. We ignored it; they disappeared after a time. Now waiting for the next scam, we know never to give anybody our bank details.

I have found this web site for making donations to the Ukraine Red Cross.
https://donate.redcrossredcrescent.org/ua/donate/~my-donation
But I have heard that “Ukraine” is a happy hunting ground for scammers and phishers. How can I be sure that donations to this site do in fact reach their intended destination?

Iain — It’s not easy to tell how, in the present circumstances, any Ukraine website will be secure and effective in delivering aid, but the one you have quoted looks good.

You might prefer to donate to the British Red Cross which is undertaking emergency relief work in Ukraine and is likely to be a more assured agency. Go to —
https://donate.redcross.org.uk/appeal/ukraine-crisis-appeal

Another safe route would be the UK’s Disasters Emergency Committee’s humanitarian appeal —
https://donation.dec.org.uk/ukraine-humanitarian-appeal

You might find it useful to read this UK government website on donations for aid to Ukraine —
https://www.gov.uk/government/news/ukraine-what-you-can-do-to-help

John, Tks for your advice part of which I had followed previously.

Change of topic: I have just received an Omicron txt msg as follows:
“NHS Alerts: You’ve been in close contact with a person who has contracted the Omicron variant. Please order a test kit via:
htps://nhs.uk-pcr-test-kit.com/nhs
From +447745524182
Looks fairly innocuous at first glance but I did a quick google and such texts as scams have been recorded in the recent past. I have not visited the web site they talk of (yet). It could be kosher and important, or not. How can one tell without exposing oneself?

Hi Iain – The .com domain is a giveaway that this is not genuine.

The gov.uk site is a safe starting place to look for official information and services. This includes requesting PCR tests: https://www.gov.uk/get-coronavirus-test

The NHS website is safe too and includes this page, which has a link to the above page: https://www.nhs.uk/conditions/coronavirus-covid-19/testing/register-a-test-kit/

It’s best to be very wary of links in text messages and emails.
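The check behind the reply above, written out as an added example (it is not part of the original comments): a link belongs to a trusted site only if its host is that domain or ends with a dot followed by it, so a trusted name at the front of the host proves nothing. The trusted list holds only the two parent domains the reply names, and the function names are illustrative.

```python
from urllib.parse import urlsplit

# Assumption: only the two parent domains named as safe in the reply above.
TRUSTED_PARENTS = ("gov.uk", "nhs.uk")


def host_of(url: str) -> str:
    """Return the lower-cased host the link would actually connect to."""
    # urlsplit discards any "user@" prefix, so "https://www.nhs.uk@example.com/"
    # resolves to example.com. A mistyped scheme such as "htps" still parses.
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".").lower()


def trusted_parent(host: str):
    """Return the trusted parent domain that host belongs to, or None."""
    for parent in TRUSTED_PARENTS:
        # Compare whole labels from the right-hand end of the name.
        # A prefix or substring match is not enough.
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def classify(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike', 'untrusted' or 'no-host'."""
    host = host_of(url)
    if not host:
        return "no-host"
    if trusted_parent(host):
        return "trusted"
    # A trusted name that shows up elsewhere in the address part of the link
    # (as a prefix, inside a label, or before an "@") imitates the real site.
    authority = urlsplit(url.strip()).netloc.lower()
    if any(parent in authority for parent in TRUSTED_PARENTS):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    samples = [
        "htps://nhs.uk-pcr-test-kit.com/nhs",       # link quoted in the text message
        "https://www.gov.uk/get-coronavirus-test",  # official link from the reply
        "https://www.nhs.uk@example.com/",          # constructed sample
    ]
    for url in samples:
        print(f"{classify(url):10} {host_of(url)}")
```

The host in the text message reads right to left as `com`, then `uk-pcr-test-kit`, then `nhs`: the `nhs.uk` at the front is just a label chosen by whoever registered `uk-pcr-test-kit.com`.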

Hi John, I would not myself have spotted anything wrong with the domain name so my suspicions are confirmed.
It’s one thing to seek info on the subject oneself, something different when one gets an alert as I understand the system is designed to provide. Dodgy.

This is one of the risks of letting the NHS have our mobile phone numbers. It is essential for an effective test and trace system but leaves a door open for scammers. As Wavechange says, it’s best to be very suspicious of such contacts and to use an official site for getting a test kit.

I should clarify that I don’t believe the NHS database has been hacked by scammers. I think what has happened is that, as soon as there is any sort of important communication by text or e-mail by official and commercial bodies, scammers latch on to it, mimic it, and try to deceive people into believing they need to do something or pay something. False urgency and the risk of adverse consequences feature strongly in these approaches.

The scammers have their own lists of phone numbers and e-mail addresses which have been hacked by criminals and sold on to small time fraudsters desperate for some extra money. I have little sympathy for such people although they have themselves been exploited by having to pay silly sums for their scripts and contact lists with little hope of any return as these scams become well known. These ploys have been behind the parcel delivery, Amazon Prime, lapsed appliance insurance, HMRC rebate, and similar types of fraud attempt.

Covid-19 and the risks of infection have given a further boost to this nuisance. The scammers’ only intention is to obtain bank details by tricking people into making a payment. They have no conception of the anxiety they create or any concern for the plight of their victims if they lose lots of money to the fraudsters at the top of the chain.

All that makes sense and ties in with my own experience. One wonders if there is some kind of “common factor” or ID linking these various scams. At the risk of being criticized again I can say that so far without exception all the verbal scams that have contacted me have been voiced by callers with a good command of English but whose mother tongue was not English. From what I could tell Asian / Far East accents have been the giveaway. Text scams are of course another matter.

Valerie Beeby says:
14 April 2022

I hear all these complaints about scams from overseas call centres, but it puzzles me why nobody is trying to close these criminal call centres down. Surely the Indian, Pakistan or wherever governments must know about them?

Since taking out a free 30 day trial of Amazon Prime recently the number of Amazon Prime calls has increased exponentially. I wonder if that is pure coincidence?
As in the past the call starts off with a pre-recorded text in a US accent following which one is switched to what sounds like an Indian or Pakistani call centre (or even private number). The intention is to get me to download a “cancellation of subscription” form. If I say that my PC is out of action or would they send the form by email, the conversation comes to a quick end.
Downloading malware is one thing. Passing on one’s bank details, as is often demanded, is a less obvious risk since my bank is adamant that without passwords and debit card details the “bare” bank account details are harmless. Strange.

“download a ‘cancellation of subscription’ form …” I’ve been there many times (I study these people). They connect to your computer to send the “refund form”; they then have complete control over it (they lie that a “secure server” is connected and they can’t see anything). After you fill in the form (while they collect the details, that’s not the objective) they say a refund has been sent (though the form only asks your bank name, not account details!), and show a message “£5079.99 has been sent”. Oh! An error has happened, £5000 too much! Please connect to your bank account (using 2-factor authentication or PINSentry machine, no protection there) and see how much you have received. I don’t think this is the usual “overpayment” scam where they ask you to send them the overpaid £5000; instead I am pretty sure that after you connect to your bank account they blank your screen with some explanation and can then do whatever they want – I obviously never go so far, but I do see them very carefully setting up the remote control software (usually AnyDesk these days, sometimes TeamViewer and others) in “privacy mode” – enabling blanking the remote screen.

HTH

Hello,

Normally I am pretty paranoid about phone calls I received in regards to my bank. However this person called me knowing all my bank information without me telling them. I am with Monzo bank.

I was scammed out of £5,007. I received a call informing me of fraud activity on my Monzo account. I was then asked to go into my app and look to see if there were any charges I didn’t recognise. There were a few active card checks I didn’t recognise.

I was then told Monzo was going to insure my money. I am still logged into my app at this point. I then see two transactions (£4,500 and £507) appear on my account. Both transactions were made to a post office travel money. When asked what this was about I was told it was standard procedure in insuring my money. I then asked to speak with someone else and I was hung up on.

I reported the fraud to Monzo right away. I was informed 4 days later that they would not reimburse me for my money. I was also blamed for this and told I was the one who took the money from my account and they would be shutting down my account completely.

I have filed a complaint with Monzo. I also filed a fraud report with the national fraud and cyber crime reporting centre.

I am at a complete loss of what to do. Is Monzo liable for reimbursement, as I did not authorise this payment?

Please any advice or help

What you describe underlines a feeling of unease that I have always felt as regards mobile banking compared with internet banking. I suspect that mobile banking is by now becoming more and more popular generally. But I personally would not trust my mobile (which does not use the latest technology) with anything to do with banking, and refuse the various offers to download the banking app. I rely instead on telephone banking.

How in your case the scammer was able to hack into your app account baffles me if you did not reveal any passwords. Really worrying. Perhaps one of the other better informed readers can shed some light since none of this will really be of any help in your current predicament unfortunately.

Hi Katie, when you logged into your Monzo app, where were you? Were you connecting at home via Wi-Fi, using the mobile network or using a Wi-Fi hotspot in a public place?

“Wingman asked: where were you?” The original post says “received a call informing me of fraud activity on my Monzo account. I was then asked to go into my app”. So the caller knew the phone number, and was presumably able to intercept the connection to the bank via app (mobile). The call, and knowledge of the Monzo account, implies that this wasn’t just a fake WiFi access point (unless an AP can detect the phone number of a connected phone – my AP doesn’t, and I’ve not heard of this). I don’t understand. Comments from other people have said that the caller knew their account details, but even a bad apple at the bank shouldn’t be able to do this. What I do take away is that I’m not going to do mobile phone banking any time soon.

A pure blind guess: somebody has got hold of a copy of a bank’s customer database. Banks (and other Web sites) can identify devices connected; they offer not to require identity confirmation “if you connect using this device in future”. So chummy has lots of names, account numbers, mobile phone numbers, and device identifiers. They set up a WiFi connection point. Whenever a device connects it identifies itself; if the device is in the bank customer database it notifies chummy, who looks up the name and phone number, calls, and then uses WiFi interception. This sounds far-fetched, but does explain everything. Complicated, but worth it for umpteen thousands.

Simpler is a targeted attack: chummy has all victim’s details from bank, including street address. A bit of surveillance finds that they visit XYZ café. So set up WiFi AP nearby and wait.