/ Scams

Monzo spoofing scam: how we helped a victim get their money back

After an initial plodding response, Monzo refunded a fraud victim in full. Here’s how we helped, and why banks have a responsibility to protect your money.

25/05/2021: Further spoofing scam victims

Another victim of a Monzo spoofing scam recently told us more details about the tactics being used by the scammers. Fraudsters first persuaded him into transferring money from his other bank account with HSBC, to his Monzo account.

The scammers fraudulently claimed they were collaborating with HSBC on the transfer and sent the victim text messages while he was on the phone to them to make it look genuine:

When the transfer was complete, the scammers asked the victim to confirm the transaction in the Monzo app, which in fact approved a payment set up by the scammers. This wiped his account of £8,000, which included a recent student loan payment. The victim was later fully reimbursed by Monzo.

09/10/2020: How we helped a victim get their money back

The last thing Scott wanted to hear after being furloughed was that his bank account had been targeted by fraudsters.

He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured.

Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk. Scott carefully checked all the details before reluctantly handing over his account information.

He was horrified to later discover that all his money – £12,000 – had vanished. The emails were convincing fakes, and the calls and texts were spoofs created by scammers.

‘I’m savvy about these things, but the set up was so slick,’ said Scott.

Contacting the bank

He contacted Monzo immediately for help and was stunned by its response. He told us that its customer services ‘filled him with fear and uncertainty’ about whether he would get his money back.

“There was no support or empathy. I was made to feel it was my fault, and that the bank probably wasn’t going to do anything about it, I didn’t expect violins, but I did expect reassurance. I thought Monzo would be on my side”

Scott heard nothing from Monzo for weeks, despite him following up his initial complaint several times. After getting nowhere and being worried that he would never get his money back, Scott turned to Which? for advice on what he could do next.

We told Scott that he should be reimbursed by Monzo because he hadn’t given permission to make the transaction. He wrote to Monzo demanding a refund. Only then did Monzo reimburse Scott for the full amount, plus compensation for the inconvenience.

In response to a call for comment on Scott’s case, Monzo said:

“It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

Protecting your money

Banks have a responsibility to protect your money and they should do everything within their power to recover losses that are due to fraud.

In this case, the transaction was unauthorised and therefore had to be refunded in accordance with the Payment Services Regulations.

These are the same regulations that cover you if your card is lost or stolen and used fraudulently.

Sometimes banks might attempt to wriggle out of reimbursing customers in these situations, but you should never be held accountable if you can prove you didn’t give permission to send the money, as was the case with Scott.

Have you struggled to get your money back after a sophisticated scam?

Comments

I have had a long running dispute with HSBC it was not a scam but a large amount of money which I was trying to transfer to an online savings account just “disappeared ” it was taken out of my current account on the Wednesday but never arrived in the savings account and despite countless phone calls and emails NOTHING!!! The bank assured me that the money had been transferred but since it didn`t arrive in the savings account the deadline for investing money expired and I was not able to do anything about it. After several days of stress and worry, the money mysteriously re-appeared in my bank account. I was given a paltry sum to cover the cost of countless phone calls to HSBC and as far as the bank was concerned that was the end of the matter. I had been a customer of HSBC since the Midland Bank was taken over by HSBC and had NEVER been overdrawn and that counted for nothing. I have now transferred to a different bank.

it may be that you entered a digit incorrectly or was incorrectly given to you. Even so recent changes in the law mean that the banks must trace and refund the money. At one time if someone paid say £500 into your account by mistake they could not make you pay it back as no crime had been committed by you, however the moment that you spent it or transfered it a crime was committed and action taken. Now i am sure they just take it back as it should always have been.

After a long delay, the larger banks now use ‘Confirmation of Payee’ to identify where the name of a payee does not match the number and sort code for an account. Prior to this, one digit wrong in an account number or sort code could mean that a payment could go to John Smith instead of Ian Jones. Here is information about CoP from HSBCs website: https://www.hsbc.co.uk/help/confirmation-of-payee/ Even now, not all banks have implemented CoP though there is pressure to make them do so.

It has been said before that implementing CoP by every bank, large and small, may not be the simple job some think. I would like the banks to explain just what is involved. CoP involves two banks, your own and the payees. It may be different banking software needs to be changed to accommodate the change. Just a guess. But I do remember reading of complications when it was being proposed. Lets just have some facts.

Before CoP you could check the correctness of a payee by sending £1 initially and checking it had been received by the right person.

Perhaps CoP should have been a requirement at the time we were provided with online banking facilities. A reasonable person would assume that if they made a payment to a named person or business there would be way of ensuring that it would not go to a different person.

Why did banks not insist on customers making trial payments before transferring larger sums as a temporary solution until CoP had been implemented?

Much has been said about the need for customers to behave responsibly but perhaps the banks could set an example. I’m very pleased that banks have done so much to help their customers protect their money over the past couple of years but – in my opinion – this could have been done sooner.

Perhaps CoP should have been a requirement at the time we were provided with online banking facilities. ” As I suggested above it may be down to compatibility of the various banks disparate software systems. If so, considerable work may have been required to get a common system that worked. Best to criticise when we know the facts?

”Why did banks not insist on customers making trial payment”. Many people did realise this was a sensible way to handle significant transfers to a new payee. People do have to take some responsibility for their actions.

However we need to look at how to improve things, not use hindsight.

With respect, I’m entitled to my own views. I am not alone in believing that CoP should have been introduced sooner: https://www.moneysavingexpert.com/news/2020/06/confirmation-of-payee/

Of course you are, as are we all. I was saying I would like to see the facts before criticising, and we have not, to my knowledge, been given the banks views. If they have deliberately avoided introducing CoP for no good reason then criticism may well be due.

I also am very pleased that banks have done much to help their customers protect their money over the past couple of years, but I am also mindful of the fact that the banks have also closed branches and withdrawn facilities at an unprecedented rate. I would say half the bank and building society branches in Norwich have closed over that timescale and the position in the smaller towns and larger villages is far worse.

The closure of branches in particular has made it much more difficult for millions of customers to manage their financial affairs. I know people who always go into their bank branch to make any substantial payment transfers and now have to travel further to continue doing so; they will not do it on-line.

And WHICH banks are these dilatory slow coaches? The person making a payment has no control over the organisation which is receiving his funds. Unless we know the names of these non-joiners there is no adverse publicity. It is time the system was mandatory!

Grandma x says:
28 May 2021

Well done, Phil!

I was a victim of a sophisticated scam, and allowed £5,500 to be taken from my account. My bank, First Direct, was very helpful and managed to recover £5000 but couldn’t recover the remaining £500. This was paid into a branch of the Monzo Bank in the Bahamas. I obtained the account number of the person paying the money into the bank and contacted them to let them know that this client was a fraudster and asked them to contact the police both in the Bahamas and in the UK. They refused to do so, saying that this client’s account was confidential and protected like any other client.
I thought that international banks were required to prevent money-laundering ,to refuse to accept
money obtained illegally and to co-operate with the police but it would seem that the Monzo bank have opted out !

We have been trying to follow all the advice for avoiding scams, in particular, not giving any information over the phone to anyone who claims to be calling you from your bank. So why are banks still cold- calling customers in the middle of this scam-fest? And having refused to give such information we now get letters from the bank threatening to restrict access to our accounts if we don’t provide the requested information! Catch 22!

Who do you bank with? None of my bank’s are cold calling me…

Nor mine. If they wish to communicate they send me an e-mail informing me that there is a message waiting in their on-line banking site to which I would have to log-in through the secure process in order to access it. Any messages on-line have been responses to enquiries I have initiated. I cannot recall any spontaneous or un-anticipated messages.

If your bank persists in cold-calling you, either formally request them to stop doing so or cancel the telephone contact facility. If urgent contact is required, they should agree to send an e-mail [containing agreed identification details] to which you can respond securely [i.e. not via a link] or by telephone to a named individual involving a reciprocal ID check.

To Trish B, were it not that there was a follow-up in writing, apparently, I’d wager that the cold calls had scam written all over them. What information could they possibly have been asking for in a letter??? If scammers are now progressing to faking letters / letter heads / HO addresses this is taking scamming into a new dimension. Otherwise a case for switching bank accounts like quick.

I should add that as a customer of First Direct, whose operations have been built on telephone banking, I have on occasions had calls from the bank but mostly pre-arranged. I seem to remember that some form of personal ID was called for each time.

Trishb, surely the sensible thing to do is call your bank and find out what information they want from you. Make sure you call on a trusted number either from a bank statement, another trusted document or the back of a bank card.

Like Ian, I am with First Direct. They haven’t had reason to call me for a few years now, but if they do I always tell them I don’t go through security unless I instigate the call so will call them back. They understand completely and put a note on my account so I am put through to the correct department when I call back.

If they have to call you back, either do the above or if they are really difficult to get through to, give them a password so you know it is definitely the bank calling you.

You always need to make sure the line has been cleared when calling back just to be sure you haven’t been talking to scammers. So call back on a different phone, call another phone in your house and make sure it rings or call someone you know and hear their voice.

We want banks to be more vigilant with who they let set up accounts therefore making it tougher for scammers to operate, so we shouldn’t moan at any extra steps or info they request that help keep our accounts safer.

Give your bank a call. That way you will know for sure if the request is genuine.

In my case I was called by the “Nationwide Fraud” dept, the caller at no point asked me for any information as he had it already. Obviously he obtained my information somewhere, maybe from hacking other internet sites, it certainly wasn’t from me. I lost around £18000 and haven’t seen a penny of it back.

Mike – I am intrigued to know why you were called if the fraudster already had all the information required. What do you think they were after, which they didn’t already have, that would enable them to successfully raid your account?

First Direct customers will be aware that the “first line of defence” (unquote) is now their reliance on voice recognition technology. This should make it all the less likely, one would think, that they would “cold call” customers. A hacker doing this would have to have access not only to the technology but also to the interface with the customer’s account. Quite a tall order unless I have missed something.

Hi my name is abraar I’ve got scammed altogether I have lost 13k I thought I’ll get paid this person on Snapchat were working on behalf of forex trading he manipulated me to do the trading abs transfer the money to his and other people bank account as soon I’ve done it he said I’ll get double money and now he blocked me abs left me with nothing does anyone here know if monzo can refund the money to me or no ?

What negligent part did Monzo play that contributed to you losing money? Why do you think anyone, particularly someone you did not know, would double your money?

Hi Abraar – Your bank may be able to recover the money from the bank used by the scammer.

A lesson we all need to learn and constantly bear in mind is that banks just keep our money; they do that dutifully but they don’t care how we dispose of it.

The general advice is never ever to disclose one’s credit / debit card PIN number to third parties. But the same does not apply to the security number on the back of the card which is essential for most online purchases. There must be some logic in this somewhere.

Iain — I have also wondered about that.

The original intention of the security number on the reverse of a credit card was to demonstrate that the person placing an order by phone actually had the card in their hand so they could turn it over and read out the number. That was at a time when PIN entry devices were being routinely skimmed by criminals to reveal the codes so that purchases could be made by phone without the card being present.

With most transactions now being made on-line the value of the security number has probably diminished but I don’t know what other verifying details it might contain and it might still have some basic crime prevention uses.

While hundreds of thousands of cards can have the same CSC [card security code] the combination of the PIN and the CSC is likely to be very rare. People are not asked for their PIN when buying on-line so the CSC in combination with the sixteen-digit card number and the date of expiry is as close as the banks can get to a unique identification. Good retailers use an encryption system [using the phone’s keypad] for taking a customers’ card details for a purchase.

The security number on the back of the card is sometimes referred to as the CVC [card verification code].

I delete the CVV on my cards with a black marker. It is unlikely but possible that someone could order goods and have them delivered to another address. Why give them the chance?

Why cannot we return to the old fashion way of processing a cheque or a bank transfer over a period of 3 days? What is all this ‘modern’ rush about it being really ‘swish’ (that’s an old fashioned term) having Banks, got to, got to impress, by transferring money between somewhere between, instantly but, no more that 2 hours? What is all this ‘rush’ about?! Surely this would give an acceptable bridging period, for everyone to make security research checks on all money transfer actions, therefore giving us mortals, time to consider; time to question the bank; time for us to cancel the transfer; time for the bank to research the validity of the payee and the recipient; etc….What is the necessity of all this ‘rush’ about transfering money !?

Mr. Jackson — When I make an on-line money transfer using the Faster Payments Service I can set the date on which payment will be made, and I usually do allow a few days if only to make sure my account is in funds.

I believe most of the money transfer frauds are when people have been deceived into diverting a payment to a different account or have received a payment request from an unexpected source and panicked without stopping to check whether it is a genuine request.

I agree with you that there is an artificial sense of urgency about these days, but that could be because so many people find themselves living on the edge. Scammers take advantage of that.

I agree with Mr Jackson and have previously suggested that in the case of new payees, payments should be delayed for several days by default to give time for suspected scams to be reported and investigated. Victims of scams sometimes realise their mistake before they put down the phone.

Yes we can delay an online payment if we wish, but how many people are likely to do that under pressure from scammers.

I do not object to a mandatory delay for new payees. That won’t come to pass in a hurry, so in the meantime, people can use the existing available tools to pause a payment. Of course, if they then had second thoughts they couldn’t just cancel the transfer: they would have to contact their bank.

I wonder why we could not achieve this sooner, John. I would like to reduce the amount lost to scammers and also the amount that banks refund to customers following scams.

My bank had a limit of £20,000 on payments but this has recently been reduced to £5,000, which I see as a useful change, particularly since I can increase or decrease this amount if I can wish. What I really want to see is a default delay on payments to new payees. As with other measures to protect customers it could be inconvenient but it would reduce the amount of money lost to scammers.

It is my personal view that this cannot be implemented sooner because the banks do not agree that such a change is necessary. Presumably the Payment Systems Regulator could impose a change if it would be in the public interest and for the reasons you have given. It is possible that no one has asked.

It would be useful to have some information on the amount of Payment Diversion Fraud that is still taking place. The number of instances was probably not the highest among scam attempts but the sums involved, first on the outright theft of the diverted money and then on the subsequent raid on the victim’s funds, could have been very large.

Unfortunately we don’t have access to anything other than published information, so we can only guess what the banks and the regulators are discussing.

The voluntary agreement by the main banks to reimburse victims of scams under the Contingent Reimbursement Model (CRM) Code provides some urgency to limit banks’ losses: https://www.psr.org.uk/our-work/app-scams/

My opinion is that, unlike other businesses, traditional retail banks should be run primarily to serve the needs of our citizens. (For me, public interest should come first and I would like to see the same requirement placed on suppliers of gas, electricity, water, phone and broadband services.) I know that others have different views. 🙂

Arguably a little off topic: My AV supplier is trying to get me to take out additional “I D Protection” – at a price of course. I was struggling to see just what the “protection” in the case of a hacked identity amounted to. It does not seem to include any kind of indemnity insurance. I would not classify this as strictly speaking a scam but unless there is some meat to it, to something borderline. Has any reader any experience of the merits or not of such IT packages?

Pamela Humphreys says:
14 July 2021

I received a text supposedly from Vodafone saying they couldn’t take my next payment. I started to fill in the form but got fed up with it and thought I’ll phone them instead. Very soon after I received a phone call from a number I recognised as HSBC telling me they’d spotted unusual activity on my account and had I just made a purchase from a well known store for £800. I hadn’t of course and thanked the guy for his vigilance. He then went through procedures to “protect” my account and to put almost £10,000 into a holding account. I duly did this and kept thanking the fraudster for helping me. What a fool I was. I was completely taken in. After telling a friend what had happened he said, hang up and phone the fraud line. You’ve been scammed! I couldn’t believe it. It took almost an hour to speak to someone at the bank and went through my story. The lady said we’ll investigate and get back in touch within two weeks. In the meantime I sent letters to the banks involved using the Which? Template. I really thought that would be the last I see of my money and had resigned myself to that fact.
However I was wrong. Two weeks after my initial call to the bank I received a call, went through my story again but had remembered on that afternoon I’d just returned from the hospital after having an echocardiogram and was a little concerned about it. Within an hour the money was back in my bank account. I couldn’t believe it. A couple of days later another call from the welfare department of the bank to make sure I was ok. Again I couldn’t believe it. I was ok and surprised HSBC went so far as to check on my welfare.
I’m 72 and consider myself to be tech savvy and friends found it hard to believe that I’d been scammed.
My story had a happy ending and am great ful to HSBC for their quick response and follow up phone call.