/ Scams

Monzo spoofing scam: how we helped a victim get their money back

After an initial plodding response, Monzo refunded a fraud victim in full. Here’s how we helped, and why banks have a responsibility to protect your money.

The last thing Scott wanted to hear after being furloughed was that his bank account had been targeted by fraudsters.

He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured.

Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk. Scott carefully checked all the details before reluctantly handing over his account information.

He was horrified to later discover that all his money – £12,000 – had vanished. The emails were convincing fakes, and the calls and texts were spoofs created by scammers.

‘I’m savvy about these things, but the set up was so slick,’ said Scott.

Contacting the bank

He contacted Monzo immediately for help and was stunned by its response. He told us that its customer services ‘filled him with fear and uncertainty’ about whether he would get his money back.

“There was no support or empathy. I was made to feel it was my fault, and that the bank probably wasn’t going to do anything about it, I didn’t expect violins, but I did expect reassurance. I thought Monzo would be on my side”

Scott heard nothing from Monzo for weeks, despite him following up his initial complaint several times. After getting nowhere and being worried that he would never get his money back, Scott turned to Which? for advice on what he could do next.

We told Scott that he should be reimbursed by Monzo because he hadn’t given permission to make the transaction. He wrote to Monzo demanding a refund. Only then did Monzo reimburse Scott for the full amount, plus compensation for the inconvenience.

In response to a call for comment on Scott’s case, Monzo said:

“It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

Protecting your money

Banks have a responsibility to protect your money and they should do everything within their power to recover losses that are due to fraud.

In this case, the transaction was unauthorised and therefore had to be refunded in accordance with the Payment Services Regulations.

These are the same regulations that cover you if your card is lost or stolen and used fraudulently.

Sometimes banks might attempt to wriggle out of reimbursing customers in these situations, but you should never be held accountable if you can prove you didn’t give permission to send the money, as was the case with Scott.

Have you struggled to get your money back after a sophisticated scam?

Comments

How can it be said the payment was unauthorised if the customer handed over the account details presumably necessary to access the account and remove money. Exactly how was the bank to blame and how should it have prevented the transaction?

Of course the scam was convincing; the people involved are not amateurs. My bank warns me about such matters; do Monzo not? Do people take no notice of the many reports of such scams? They should.

I agree with you malcolm.

This story is so full of holes:
He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured
We have 3 methods of communication all in the plural, so multiple times before he handed over his account information.

Scott carefully checked all the details before reluctantly handing over his account information.
What details exactly could have been ‘carefully checked’? If he had carefully checked all the details, he would have contacted Monzo directly in the first place and not acted after multiple contacts.

When he discovered the money was gone, then He contacted Monzo immediately for help
So now he contacts Monzo? This should have been the first thing he did, their phone number is easy enough to find.

If he expected to be reimbursed following the scam, he must have know about the scam in the first place, so there really is no excuse.

I can’t see how the bank was to blame in this instance. Was it only because of the involvement of Which? he was reimbursed?

The Monzo website has a section called How we protect you and the first scam they tell you about is Pretending to be your Bank
https://monzo.com/i/fraud

Their website has a lot of information on scams, so customers really have no excuse.

There is one unusual aspect to this, Alfa.

“Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk.”

While I certainly don’t disagree that bank customers have to exercise caution, if the ‘phone number showed as the one Scott used for his banking, then I suspect it’s not quite as clear cut.

The link to the PSR states this clearly:

” If your provider can show that you acted fraudulently, you won’t be entitled to any refund.

As with lost or stolen cards, if you were grossly negligent, then the service provider can refuse to credit any money back to you

Number spoofing is nothing new.

We all get nuisance calls, there has been so much publicity in the last few years, so it would be almost impossible not to know callers use spoofed numbers.

Oh, I agree.

Penelope Maclachlan says:
17 October 2020

Don’t be so sanctimonious. I’m a victim of a scam and am going through hell. Thanks a bunch for making it worse.

Douglas Speirs says:
17 October 2020

I have been scammed also even though my bank has 24hrs monitoring. My bank usually sends me a notification of affirmation on the credit card through codes, anyway these scammers still get through. Could it be a smokescreen for a strategic plan? Perhaps one is genuine about being scammed and have their partner do the scam?,, could it be ex employees of a security analysts doing the cyber crime??,, I don’t trust the security banking system, I ask for letters from them to confirm DD, standing orders,, that way it’s less worry, Google holds the pop up credit card details too, so I just leave my old card details on this window, null and void,,, true what my grandmother says “don’t keep money in a high street bank.

Agree Penelope. I have just been scammed for thousands so I am going through the same. I have internet banked for years and been careful, but so much comes at us now with emails phone calls and texts . For me I had a long hard day was tired and hungry and had just walked in the house when the call came with my bankers number showing . I am also 68 yrs old and not up to the tech know how of younger people. So that one time your guard is down and they are in. Internet banking is a scammers paradise and I am moving away from it now.

Jonathon Harrington says:
17 October 2020

Malcolm R, The reason is this: Loads of people have my bank account details, most of them my clients and customers who wish to pay the invoices by BACS. In fact the details are on every invoice I send out!
Every time I send someone a cheque it has my sort code and account name and number!

That does NOT entitle them to take money out of my account!

That is why the bank was at fault.

In Scott’s position I would have contacted Monzo to establish if there was a problem with my account or if this was an attempted scam. In my view, the Monzo site could make it much easier to do this.

@lmerryweather Hi Lauren – Please can you explain how passing on account information that allowed the fraudulent activity did not make Scott at least partially to blame in this case.

The problem here is that we expect banks to be safe places where we can keep our money. But we also expect them to give us access to our money when we need it.

So banks allow us to set up authentication data, including secret passwords, and then tell us to never share them with anyone, not even the bank themselves.

Here we see a case where the scammers tricked Scott into revealing his login data.

So Scott fell victim to that crime.

So saying that Scott didn’t deserve to be compensated because, with hindsight, he could have not succumbed to the scam is a bit like saying a house might not have been burgled if better locks had been fitted.

I am keen that terms such as ‘secret password’ and ‘secret PIN’ are used to emphasise that this information must never be passed on, even to a family member or bank.

If a burglar knocked on your door, asked you for your front door key and you handed it over, would it be your fault if you came home and found your house burgled?

What is the difference between that and giving away your account information.

I’ve used a similar analogy in the past, Alfa, but in this case I suspect the recognised ‘phone number was the defining difference. Perhaps instead of a burglar there’s a uniformed police officer, explaining that it’s vital the house is evacuated promptly because of a potential bomb threat and offering to lock up for you.

It’s irksome for those of us who are extremely diligent about such matters, and who essentially won’t trust anyone we don’t know personally.

We need to know what is meant by account information, Alfa. Account name, account number and sort code are not secret information and are on cheques and debit cards. They are handed out so that we can accept payments into our accounts. Presumably the only secret information is a password and a PIN and knowledge about the accounts we hold, balances etc.

Until we are told more about Scott’s case we will remain in the dark.

Ian mentions the recognised phone number. I expect that most of us know that phone numbers can be spoofed but would this be remembered during a call about an account? Everyone needs to learn that unexpected calls or emails could be fraud, and the only safe action is terminate the call and make contact with the bank using genuine contact details.

Do people really carry their bank’s number for telephone banking around in their heads and recognise it if it comes up on the phone screen? I would imagine most people have such a number stored and merely look for the name in the contact list and then press the ‘call’ key.

In my experience when banks call you they always go through a set of security questions. The problem is that any scammer would also do that and accept all the answers given, right or wrong. There ought to be a reciprocal process so the customer can ask the bank to give some information that only the specific customer would know to be correct.

The best protection is to stop the call because it is not convenient and ring the bank directly using the number on the back of the debit card.

We have caller ID so the name of the person or organisation calling appears on our screens before we answer. In addition, the ‘phone actually announces the name “You are being called by Natwest”. That’s dependant on our having stored the numbers and associated each with a name, of course.

We also have caller ID [the butler makes the announcement] but I have never thought about how it deals with calls from spoofed numbers. It would be interesting to find out.

@lmerryweather, hello Lauren. In my view Scott is responsible in that he did not contact Monzo to check the authenticity of what he was being asked to do. As alfa pointed out, he knew enough to contact Monzo when he found the money had gone.

Fraudsters are clever. That is how they trick people. Banks tell people they will never ask for this sort of information over the phone. Perhaps people who ignore such warnings should have restrictions placed on what they can do with their bank accounts.

Thanks Lauren. The rules for refunding unauthorised payments are here: https://www.fca.org.uk/consumers/unauthorised-payments-account It seems that a refund can only be refused in limited circumstances.

And why was Scott “reluctant to hand over his account information”; presumably he was unhappy about the call or suspicious. This was not just a spur of the moment action; there were, it says, emails, phone calls and messages. Time to think. The sensible response was ignored – contact the bank.

Part of the FCA advice is about “if you did not authorise a transaction”. Well, giving all the information necessary to someone over the phone that enables them to move money from your account seems rather like authorising the transaction to me.

I’m not an expert, Malcolm but I am trying to understand the current legal requirements in cases. of fraud. I presume that because the transaction was fraudulent, Scott’s action does not count as authorisation. I share your concern that if people know that they can be refunded they might be less careful, but I don’t know if that works. If I ran a bank I would not want to continue to provide services for those customers that were not behaving responsibly, in the same way that insurance companies can decline cover for bad risk customers.

It would help if the banks developed a reliable way of recovering money from the accounts of fraudsters – something that NFH suggested in another Convo.

Lauren – You wrote in your other comment below [https://conversation.which.co.uk/scams/monzo-bank-fraud-victim-refund/#comment-1608976] that Scott “unwittingly gave out his account details”. Surely, he knowingly gave out his account details – admittedly under a degree of duress and in a state of confusion.

I cannot support Which?’s interpretation of this case. I acknowledge that Which? now has to defend itself because its conclusion has been widely reported both here and in the October Which? magazine, but I really do think it should rethink its position on such cases.

The good news is that Scott has got his money back, but largely because Monzo accepted that its handling of the case had been deficient and because Which? took up Scott’s case meaning that denial of a remedy would have caused reputational damage.

Banks used to lose a lot of their customers’ money through bank raids, hold-ups and break-ins. These would often lead to deaths or injury, and certainly created terror. That is now mainly in the past, but banks should not take relief from those perils as an excuse to be too liberal with their customers’ money nowadays.

I agree with Malcolm’s comment that “perhaps people who ignore . . . warnings should have restrictions placed on what they can do with their bank accounts”.

Strict judgments on refund cases will act as a more persuasive deterrent to lax security by customers than any number of warnings. I would suggest that in cases where a full refund is not properly justified, especially where there are genuine mitigating circumstances like those that might have applied in Scott’s case [“it was a stressful time for him”], a partial or nominal refund would be appropriate.

What we really want to see is some evidence that banks are doing something active and effective to stop fraud and to prevent criminals from using bank accounts to receive stolen money.

I very much agree that the banks should be tackling fraud, John. In the past year or two we have seen evidence of increased security that could have been in place sooner. I would be happy with compensation depending on attribution of blame between customer and bank but it seems that the law gives full protection for customers except in specific circumstances.

When we buy goods without having seen them we now have the legal right to return our purchases and recover our money if we act promptly. Perhaps introducing a delay of two or three days during which funds can be recovered if there is evidence of fraud could help tackle crime.

Penelope Maclachlan says:
17 October 2020

hear hear

Penelope Maclachlan says:
17 October 2020

hear hear

GrahamB says:
17 October 2020

I’m sorry DerekP, I largely disagree with your burglary analogy, although you do raise some valid points. If I have a home with state of the art locks and an alarm, but I let it be known that the keys are under the plant pot along with my alarm code. Would you really expect my insurance company to fully compensate me for my losses in the event of a burglary? Or was I at least partially negligent?
Others have already stated that if there was any suspicion, call the bank yourself using an independently verified number etc.

Graham, thanks for your contribution. My burglary analogy was provided to help stimulate debate here, which I think it has done.

As you say, we are expected to get insurance to cover us against burglaries. However, Which? seem to want banks to automatically insure all customers against many types of scam, including some in which hasty and ill-considered actions by customers enable the scam, while banks have only acted correctly.

At risk of using a further analogy, this is a bit like expecting car dealers to provide all their customers with free car insurance.

The insurance analogy is useful.

As I have mentioned below, we are well protected if a credit (or debit) card is lost or stolen. The card company is effectively insuring us from the risk of major loss unless we act fraudulently or with gross negligence. We might have to pay a charge of £50. The charges for reimbursement of those who are unlucky or careless are shared with those who are careless and have been for many years.

DerekP says:
17 October 2020

From the FCA page linked above by wavechange:

“Your bank can generally only refuse a refund for an unauthorised payment if:
* it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment
* it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
* you told your bank about an unauthorised payment 13 months or more after the date it left your account, so make sure you contact the bank as soon as possible.

So, from the 1st and 2nd items there, if criminals can find ways of getting us to disclose our passwords without making us “grossly negligent” then they can take our money but our banks must then refund us…

That sounds like good news for scam victims but bad news for banks and other bank customers.

Exactly Derek P. But I would argue if someone gives all the details necessary to a third party, that allows them to extract money, that amounts to authorising a payment. People need to heed all the warnings banks put out their and think about what they do.

The outcome, if compensation becomes weighted in favour of the customer, will be that banks may become more circumspect about who they offer banking services to. What I would hope is that they introduce different kinds of accounts, with a range of facilities, limited for particular groups of people who may be deemed less able to control their affairs, or to those who have already been scammed.

I do not want to pay for those who are irresponsible. I doubt an insurance company would see scams as a risk worth taking on but, if they did, I am sure they would have very stringent terms and conditions to ensure only the very clearcut cases with no fault whatsoever from the customer might be considered. Otherwise the system would be wide open to fraud. Just as I’d probably not be compensated if I leave the keys in my car and it is stolen, if I leave a window or door unlocked and my house is burgled – in other words if I aid the loss, inadvertently or not.

Malcolm, if we try to interpret the above rules, it all comes down to the exact meanings of “if you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password”. No matter where we set the boundaries, there will still be borderline cases.

In Scott’s case, it seems he divulged his data believing that he was talking with his bank and not a third party. So was that grossly negligent or not? How does one distinguish “gross negligence” from other forms of “negligence”?

As I understand the story the scam was in several stages, and he could (should) have checked directly with the bank during the exchanges. We have been repeatedly warned about such scams. I accept he believed he was talking to his bank, a common fraud. His mistake was not to use common sense and talk directly to his bank. He appears to have realised this, but too late.

These cases are difficult to analyse without a lot more information and I, of course, sympathise with people who have fallen for scams. That does not mean I think their lack of care, for whatever reason, should automatically be compensated. The receiving bank should be pursued to try to retrieve the funds on the customer’s behalf and, if the receiving bank showed negligence in opening an account for the recipient then they should pay (some) compensation.

Not quite right. If you answer the phone to someone claiming to be from your bank, tell them you will contact them shortly, but from a different phone. They may keep the line open, so when you ring back from the same phone, you will still be connected with the scammer, irrespective of what number you dial. If you do not have a second phone, try ringing a relative. If you reach the scammer, you know the line has been held open. Too often, Banks do not fully check out organisations applying for bank accounts – this may be why scammers are so successful.

Jenny says:
18 October 2020

John – we also have to remember that the spoof number people can also hang on the line (they phoned you so can keep the line open) and add sound effects so that when you have hung up and picked up the phone to dial your bank, their sound effects sound as though you have got through to your bank, and they can then reply as though they are your bank. I’ve seen it said that we have to go and use another phone completely – not easy a) in this day and age with these restrictions and b) very not easy if you are older/ill/disabled/alone as well.

Jenny – There is a limit to how long a landline will stay open after the called party has terminated the call at their end; I can’t remember exactly how long it is, but leaving a couple of minutes between calls will give a clear line.

I take your point about some people not being able to use an alternative phone, but I would guess most people have more than one phone these days, or have someone else with a phone in close contact. Nevertheless, as you say, a significant number will not have that facility so pausing for a few minutes before calling the bank would be sensible; it gives time to review the scam call and rehearse the dialogue with the bank.

If you only have one phone and need to make sure the line has been cleared, phone a friend so you hear a voice you know and trust.

The time before disconnection was reduced to a few minutes some years ago: https://www.ispreview.co.uk/index.php/2014/03/bt-changes-uk-phone-call-clearing-procedure-stop-fraudsters.html

Thanks for that, Wavechange. It seems that BT’s intention in 2014 was to reduce the call-clearing time before disconnection to 10 seconds initially and later to reduce it even further. I don’t know what eventually happened though and cannot quickly find out, nor do I know what other telecom service providers do on their networks.

Perhaps the best way is to conduct our own tests, John. For example call a mobile from a landline or vice versa and end the call from the receiving handset. When I have carried out tests, disconnection has been very rapid.

Glynne V Williams says:
10 October 2020

I received a phone message from the bank requesting account material. I explained very gently that I had been told never to respond to an unsolicited phone call. She agreed and I put down phone and then phoned the bank. They put me through to the ‘fraud team who eventually told me the initial call was genuine! It seems I was possibly having a fraudulent use of a card. Thus I canceled a card, changed password and eventually got back to normal! Seems you can’t always win if goalposts are moved!

The bank may well phone but would (should) never ask for information that would compromise your account, simply enough to identify you are the customer they need to talk to. You did, of course, do the sensible thing by calling your bank on their published number.

Unless in Scott’s case there is information we haven’t been made aware of, I am concerned that Which? should support such cases where a defrauded customer has not been responsible. Who pays? We do.

Glynne did the right thing and made the effort to contact her bank directly.

We, the customers are the ones who pay for all these reimbursements.

The big problem here is that there is no established secure method for the bank to positively identify itself to customers when they ring you. The only safe thing to do if your “bank” phones you is to hang up, look up the number and ring back, or call into the branch. It used to be the case that fraudsters would hold the line open, particularly on land line calls. My understanding is that this could never be done on calls to mobiles, and telecom companies have closed this loophole on landlines. If in any doubt, wait, and dial a random number before calling the bank, or ring the bank on another phone.

Perhaps the fairest way to protect bank customers against scams is via insurance rather than expecting banks to repay money where the customer was to blame – either partly or fully.

It is interesting to compare this with the well established system for credit card losses. If you lose a credit card or have it stolen you could lose £50 of any expenditure before the loss been reported stolen, but that might be waived: https://www.which.co.uk/consumer-rights/advice/my-card-has-been-lost-or-stolen-and-used-to-purchase-goods

The money to reimburse card holders will be paid from the fees that card providers charge companies that provide us with goods and services. I cannot say that I am happy that careful people are effectively subsidising those who are not.

The cost to the credit card issuer of reimbursing holders for transactions on lost or stolen cards ultimately falls on cardholders collectively through the price of goods and services or selectively through interest rates covering the card administration costs. This is to some extent disguised because it is arguable that businesses accepting CC payments will attract higher turnover and are therefore able to offer better prices or terms on purchases. There are limitations on the form of damage accepted for a claim.

The same applies to the reimbursement or replacement that some credit cards will provide for damaged or stolen goods within 90 days of purchase provided they were paid for entirely with the card. There are various versions of this type of cover and some cards also provide flight or car rental insurance if paid for using the card.

We should concentrate on educating customers and on offering different types of facilities on current accounts that depend upon the customer’s ability to deal responsibly with financial transactions. Insurance will simply take away the responsibility of a customer to deal their finances correctly. Just as does a general compensation culture.

If the bank is culpable, they should give redress. If not, it is a hard lesson. Leave your keys in your car and if it is stolen your insurance company won’t pay out. Give someone the keys to your bank account……

The final sentence in my first paragraph – an afterthought – should have appeared at the end of the second paragraph. I didn’t spot the misplacement until it was too late to edit the comment.

Malcolm – Where is the evidence that insurance would make people less careful? Do we have more accidents in the home or car because we have insurance cover? If you do claim on insurance you may find that you end up paying higher premiums in future. Expecting customers to insure losses would push customers to become more responsible or risk becoming. uninsurable.

Without knowledge of how compensation is awarded in fraud cases I don’t believe we are in a position to say whether it is appropriate or not. I would be surprised banks are happy to refund money if the customer is entirely to blame, though I have provided the example of credit card companies not charging people who lose their credit card.

John – I’m not very happy that credit card companies will pay out on Section 75 claims when customers are buying from unheard-of companies selling goods online. That pushes up costs for us all. Thankfully the £100 minimum limit excludes small purchases.

I agree with you on both points, Wavechange.

Unfortunately, in my view, Which? has an ongoing love affair with compensation [and haggling] that I believe affects its rational judgement on the overall interests of consumers.

I suspect insurers covering scams would taker a harder line than Monzo when determining the degree to which their client might be responsible in dealing with the transaction.

That’s what I would expect. We have not yet been given the full details of this case. It’s possible that Monzo would have done the same without the intervention of Which? Legal, and Lauren wrote: “It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

John: I don’t have any problem with Which? encouraging people to claim compensation that they are legally entitled to. When we and others encourage people to claim under their consumer rights, we hope they will effectively claim compensation. I do wonder if the compensation rules for rail travel are appropriate because the large number of claims pushes up prices for everyone. In this case, I see the problem lies with the compensation rules rather than whether consumers are encouraged to claim.

It would be very helpful if Which? would explain, with examples, how compensation is decided in scam cases. That may not be easy because some banks are more generous, on average, than others.

As I’m sure you know, I am not keen on haggling because it disadvantages those who are not up to haggling, including the disadvantaged and many (but obviously not all) older people.

With credit cards, most of their use is out of your hands.

Credit card providers authorise the businesses to accept payments so take more responsibility for misuse. Fraud reimbursements are probably much less than bank reimbursements as credit cards have limits. I do think they consider cardholder negligence a lot more than they used to.

Access to bank accounts is very much in the hands of the account holder.

I agree with John when he says Which? has an ongoing love affair with compensation. Lower broadband speeds, increased train fares, increased holiday costs, the price cap on energy increasing energy costs, is PPI and bank compensation the cause of closing branches & cash points and lower interest rates on savings? Which? has brought about many changes for the good, but wherever compensation is involved, they do not consider the consequences.

In the case of PPI claims, these should have been checked for evidence that it had been mis-sold. Legal companies advertised that it was worth making a claim even if you were not sure. It has been suggested that many received payments that they were not entitled to.

I always haggle with insurance companies. My claims across car, house and building insurance in my lifetime is probably around £6,000 – one stolen car repair, one burglary and one water leak are what immediately come to mind. Travel insurance which is by far the cheapest is where I have had the most benefit from several times in the USA.

Two car insurances, house and contents insurance, AA – un-haggled well over £1000 a year, so yes I haggle.

There is, I believe, a move by the FCA to stop insurers offering better rates to new customers and upping the premiums to existing ones. It will be interesting to see how this affects haggling. I’ve already had this excuse used when I renewed my car insurance with a Which? favourite. Breakdown cover is the next on my list.

Will we see an increase in premiums for new customers, a reduction in renewal premiums for “loyal” customers in consequence and less switching? Or will everyone suffer, as happened in the outcome of the misguided campaign on authorised vs.unauthorised overdraft charges?

I hope Which? will watch what goes on.

Paul 6 says:
17 October 2020

The single most important thing the banks need to do is to verify that the account to which the suspect payment is made actually belongs to the intended payee. My bank does this (Santander) – Paul

This problem is not only confined to insurance companies. Energy companies are also offering unrealistic low quotes to procure new customers who find on receiving their first bill, the real amount is hardly any different to the one charged by the previous company.

If the scammer called using Monzo’s digital phone number then either he was calling from the bank and it could have been an inside job or he was smart enough to use the banks number which presumably came up on Scott’s phone.

The bank would carry out their own investigation which could have revealed a dishonest member of staff who would be dismissed on the spot without reporting it. This does happen in banks and it is never reported as the banks reputation is sacrosanct.

If this was the case the bank would pay up without any further ado.

Also, Beryl, if a dishonest employee was working from home, as so many are at the moment, they might have been able to perpetrate frauds unobserved and undetected using the bank’s technology to make telephone calls showing the Monzo number to the called party’s screen. Scott’s case could have been one of a number of attempts.

I think inside information could well be a significant factor in such scams and, as you say, the banks never reveal the extent or outcomes of such investigations. Internal disciplinary action can be hushed up but it is not so easy with dismissals, so I do wonder how they prevent them becoming public knowledge; there is usually a price [to the employer] for that in terms of compensation for making a non-disclosure agreement, not depriving the individual of their pension rights, and providing a reference to prospective employers. I cannot recall any prosecution cases appearing in the media.

The fact that the bank’s number showed up on caller display is likely to be simple number spoofing, which has been commonplace for years. I can remember having a couple of calls where the number shown was my own phone number. I presume someone was trying to be clever.

Once the legal eagles become involved banks will usually pay up. This is one occasion when Duncan Lucas might have been able to advise how someone can use someone else’s number without access to their phone.

I have experienced, on more than one occasion, my landline phone goes dead which can last a whole day. A message will show “The line is in use, calls cannot be made.” I phoned BT to establish who was using my phone. They said they would check the line and phone me back, which they did but found nothing amiss. About 5 mins after receiving their call I checked the phone again and hey presto! it was connected again, which seemed highly suspicious.

Since I am the sole occupant there is no one else who could have access to any of my phones. Thank heavens for mobiles.

Here’s an article about number spoofing, Beryl: https://www.which.co.uk/news/2019/10/whos-really-calling-you-an-investigation-into-the-worrying-rise-of-number-spoofing/ Caller Display has not been a reliable indication of who is calling for many years, other than with family and friends.

You won’t find any prosecutions popping up in the media John.Banks have their own ways of hushing up any internal adverse events within any of their branches.

At one time banks strenuously denied that it was possible for ‘phantom withdrawals’ from ATMs to take place but eventually had to admit that this is possible. It’s very uncommon and unexplained withdrawals usually have a reason, but I wish the banks had been honest in the first place.

Thanks for the link Wavechange. This article demonstrates the extent to which scammers will go to rob the public of their savings, using every known media channel to achieve their objective.

Dependency on the internet leaves little comfort to people who find it intimidating and threatening and who struggle with its frequent updates, algorithms and technological acronyms used by the people who are specially IT trained to manage it.

I am not aware of Scott’s circumstances or how well informed he was on the vagaries of the increasing number of global scammers, who operate with no regard to the feelings or welfare of ordinary unsuspecting people who, once targeted, become mere objects in the minds of people without conscience.

We have come a long way since banks were using complex technical language in their terms & conditions. I remember a group of computer scientists telling me that it was not reasonable for members of the public to understand the expectations of my bank. Within a year or two the document had been replaced with one that was fair and fit for the purpose. I am encouraged by the action that banks have taken to protect customers from scams etc. in the last year or two but it has been too late for some of them.

I think we need to examine exactly what Lauren has said:

“Which? thinks you should be refunded if your bank account has been targeted by scammers. Banks take responsibility for your money and must put measures in place to stop criminals getting their hands on your cash.”

I think that’s at the heart of the matter: the banks need to do more to protect their customers’ cash. If that means more onerous security at each transaction, then so be it. I have to jump through hoops when setting up payees, and I’m more than happy that my banks are protecting our cash.

I agree, Ian. I’m happy to take these precautions and wish the recent efforts by banks had come in time to have saved customers from losing money. I’m particularly annoyed by the procrastination over introduction of Confirmation of Payee, which could have been implemented years ago. The need to use the payee’s name goes back to before online banking, when we were using cheque payments.

What encouraged me to take the plunge and use online bankings was the fact that a friend using the same bank as me was reimbursed promptly when money was removed from his account.

Lauren wrote: “It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”. It seems evident to me that Which? is supporting the requirements of the Payment System Regulator.

Whilst confirmation of payee takes some responsibility out of the customer’s hands it was far from essential. I, like others, for many years took the sensible precaution of transferring £1 to ensure the account it went to was the correct one before transferring the whole amount. Common sense, an attribute we want to engender.

The fundamental question that never gets answered is how a bank is supposed to know a transaction is fraudulent when it is not involved, other than by following a customers instructions. And why it seems that when a customer falls for a scam they are never to blame so someone else (you and I) are expected to give them back the money that they may have unwisely lost.

To repeat what I have said several times, it is not always possible to make a test payment. I gave the example of purchasing an ISA, where only a single payment was allowed. Online retailers are not set up for test payments. Organisations could have facilitated test payments and recommended them, but I am not aware of this being done. I am very happy with how my bank has implemented Confirmation of Payee and if I choose to make a payment without the payee’s name being confirmed there are dire warnings. This could have been done ten or fifteen years ago.

I agree that a bank will not know that a transaction is fraudulent, Malcolm. What we need is a system that allows recovery of money that has been paid to a fraudster. One possibility, which I have suggested, is that money is held for two or three days before it goes into the recipient’s account, giving time for anyone who thinks they may have been scammed to take action. That would only be necessary for new payees. There may be other possibilities.

I don’t recall ever having made a bank transfer to an online retailer; it has been a credit card purchase (some may prefer debit card). The point I am making is we have been able, in most cases, to take a common sense precaution; even my solicitor was happy to take a test payment – indeed, did not think it at all untoward.

I am nor sure whether the systems were in place 15 years ago to allow confirmation of payee, at least, from what I read, it is not the straightforward change some think. But nor was it such a problem then; this sort of fraud seems a more recent phenomenon.

Now we do have it it is if course a good step forward.

Maybe retailer was not the best choice of word but it’s not uncommon to pay online, even for the windows to be cleaned or the grass to be cut. I made a test payment to a solicitor too, but that was on my initiative and not something I was invited to do. I sent an email to explain what I had done.

Let’s agree that it’s a good step forward.

It’ is becoming more difficult to gain access to your own cash at the moment.

I have had to contact my bank on two separate occasions to gain access to my debit card, which was recently blocked as a result of my reporting an unrecognised phone number. It took a second call to their fraud department with all the numerous security questions before they agreed to unblock it.

The more pressure you can put on them to take the necessary steps to safeguard their customers accounts, the sooner they will take action to prevent the increasing number of reimbursements to them, even if it involves the assistance of a legal team such as Which? Legal.

john says:
13 October 2020

Which are too keen to have the banks reimburse everyone regardless how careless they have been – it is clear here that Scott ought to have rung Monzo himself to have checked the call was genuine. The way Which is going the banks will have to reimburse everyone regardless – and this makes the rest of us have to pay up for the lack of security of others’.

There are basic precautions everyone ought to have to take – publicize those as a minimum and penalize people who don’t. Otherwise it’s a race to the bottom.

@beryl, if your debit card is blocked then it will be difficult to get access to cash, unless you have a passbook account. Using a credit card involves a fee. However, initiatives are underway to make access to cash generally easier: https://communityaccesstocashpilots.org/

I suspect the more the banks have to pay out to customers as compensation, particularly when some might see some payments as unjustified, the more difficult they will make moving money by putting in additional layers of security. I wonder how the less capable people will find that.

On this occasion I was able to use my credit card Malcolm and could still remember its PIN!

You can unblock a card at an ATM by first entering your PIN – selecting Services and then – unblock. It didn’t work for me as my card was still under investigation by the bank, hence the second phone call to the fraud department. I was relieved to hear the account was still intact.

I wondered why a debit card could become blocked because I have not had this happen. Entering the wrong PIN three times at an ATM or when making a purchase are obvious ways but there may be others.

What I have discovered is that I can use my bank’s mobile app to block and unblock my card. That might be useful if a card has gone missing and I am not sure if has been lost/stolen or just mislaid.

My debit card was blocked several years ago following a trip to London. I had used it to purchase some souvenirs in an art gallery shop and, apparently, attempts had been made to spend on it fraudulently in a different part of the country within a few minutes of my use of it. That transaction had been intercepted by the bank which, as a precaution, had also blocked the card account. A new debit card was quickly issued and life went on. I never heard what happened next with regard to the misuse of the card numbers. This could have been before the introduction of the security code on the reverse of credit and debit cards.

That was a lucky escape, John. Does that mean that payments by online banking were temporarily blocked?

With a debit card, the number, expiry date and CVV are all shown on the card, so there is nothing to stop someone else using these details to place an online order and ask for it to be sent to another address. That concerns me, so I delete the CVV with a permanent marker.

It was in the days before I used on-line banking so I don’t know whether that would also be blocked.

The CVV was introduced to make it necessary for the person placing an order and paying remotely to have the card in their hand at the time. Being on the back of the card also meant it could not be read by the skimming devices used by criminals to capture card numbers at ATM’s.

As you say, the weak link is if a debit card falls into the wrong hands and is used to place an order for delivery to a different address. It used to be a requirement for delivery to be made to the cardholder’s address but that was changed some time ago so now it is easy to arrange for an order to be delivered elsewhere, and there are no checks in place when people set up alternative delivery addresses on company websites. I take advantage of this facility to have groceries delivered to a relative; she doesn’t look much like Mr Ward but no van driver has ever queried the delivery.

I well remember the restriction that required goods to be delivered to the cardholder’s address. I explained to my credit card company that this a problem for a single person who was at work during the day. From memory they allowed me to change my home address to my work address for one of my cards. That meant that I could order expensive items such as a laptop and have it delivered to our postal room at work.

In a previous email I explained the banks security were monitoring an online transaction by providing the last 4 digits of my phone number, requesting that I click on it if I didn’t recognise it as mine, which I didn’t, so I clicked causing the transaction to fail and the bank immediately blocked the card.

It was a first for me which, although a little inconvenient at the time, indicated the banks are now taking the problem of security more seriously.

lorna mciver says:
17 October 2020

I worked for a bank for 37 years. Any suspicious activity was resolved immediately by placing a stop on the account, meaning no transactions allowed. You then contact the customer and explain what has happened. This still happens, recently my credit card was frozen and I ended with a new one. Banks never move your money around! Why is this not made more public? Also setting up a new payee, even paying an existing payee involves a lot of box ticking, are you sure about this transaction, are you under duress to do this etc. Anyone who manages to ignore all the warnings is really irresponsible

Monzo operates via an App. I have several such accounts. I never respond to emails or telephone calls. I do get push notifications and when i do i open the App. If something is amiss it will be flagged in the App. I do not understand why in this case the client simply did not sign into the App. If nothing is indicated within the App it is a scam.

Charles PRESTON says:
17 October 2020

Why does anybody think that their money needs to be ‘moved in scams like these? It’s not as if your money is being stored in a labelled ‘bag’ , it’s just an account along with many others!

Denis James says:
17 October 2020

I am getting at least 2 land line telephone calls day in day out
from a fake ” Amazon ” boiler room .
I have even written to the real Amazon UK HQ in a bid to get
the fraudsters stopped with no reply from them .
I would have thought that it would be in Amazon’s own interests
to get these fraudsters stopped from bringing them into disrepute
and with Amazon’s vast resources it would be fairly easy to do so !

Bucks Birder says:
17 October 2020

I am fed up with my Bank calling me and asking to go through security which I refused to do unless they answer security questions from me. Some times they have got a bit shirty with me why! what do they expect

John says:
17 October 2020

How many times do the banks have to say never divulge your details to anyone . Especially cold callers .They tell you that they would never just ring you up .This is not a new scam ,it’s been around for years.Logic tells me that if my account really was ” under attack ” The bank could and would suspend it to secure it . They would not have to move it anywhere Then they would call you in to the local branch to sort it out. There is a simple way to stop this and that is that is to put a time lag of say 3 days on anything over 1k before it leaves the account .Sure that might require a bit more forward planning but this would be nothing compared with the hassle of getting your money back .

A story very much lacking in detail.

“Scott carefully checked all the details before reluctantly handing over his account information”

What ‘account information’? Obviously that must have included, at the minimum, passwords & security check information. Did the criminals (lets start calling them what they are – criminals, organised crime members) already have his account number & sort code? If not, why did he give that information too?

Without further facts of the case it rather beggars belief that these financial organisations give in and recompense customers who have been grossly negligent with their a/c information.
As it is highly unlikely they got the money back from the criminals, (probably used to finance terrorism, child trafficking & other nefarious activities around the world) from what pool of money do the banks compensate these crime victims? I can only surmise it’s other depositors money at worse or at best a fund set up for the purpose taken from profits. How long they can continue to do that without charging more for the service from us all?

I dont underestimate the problem for law enforcement of tracking down criminals operating, most probably, from foreign lands, bringing them to justice, recovering stolen money and ensuring they receive the severest punishment befitting the crime. However apart from one or two headline cases per year I dont hear enough of what extra efforts are being made by the authorities to hunt them down and bring them to justice.

Lynda says:
17 October 2020

Both my husband and I are retired bank managers and there are two things we have observed in all these reports of scamming bank accounts. Firstly, and most obviously, if your account is supposedly under threat and supposedly ‘needs to be moved’, a bank wouldn’t need the customer to do it – who runs bank accounts on a day-to-day basis, well I never, it’s the bank itself. So any caller suggesting that must, by definition, be a scammer. Secondly, if the banks are really serious about preventing scams, then they must return to taking up two references on any individual wishing to open a bank account, instead of accepting forged identity documents as they’re obviously doing at the moment, albeit the forgeries may be very good. An additional measure could be building something into their systems which does not allow new customers to transfer or withdraw sums greater than a certain amount, say £1000, within the first six months of the account opening, which would prevent them from accessing the money they have scammed. Of course, there would be nothing to stop the scammers opening accounts well in advance of the scam, but they would need to ensure there was some activity during those six months to avoid it looking suspicious which might be too much trouble. It seems unlikely that this last measure would inconvenience the general public, as who is likely to suddenly need a bank account at the last minute if they are buying/selling a house, undertaking a large business transaction etc?

Merv says:
17 October 2020

I think someone mentioned that a key point is how to stop the fraudsters getting away with the money.
Obviously it is going into an account, how did they open this account? Banks should operate a delay in transferring large amounts into other accounts until the transaction has been verified. Perhaps even the recipient’s ID needs to be known, ie a photo of recipient has to be given to receive the money.
Obviously fraudsters are finding a way to open accounts which they are going to use for criminal use.
Surely ID’s need to be better checked and recorded, photo’s of account holder should be on the part of bank records.

Making the receiving bank responsible for repaying a clearly fraudulent transaction seems the fair way to deal with the opening of dodgy accounts, perhaps. The sending bank is simply obeying the customer’s instructions and I find it difficult to understand why they should be asked to cough up.

This is something that I have expressed concerns about for years. All the security flows in One Direction – we have to prove to the bank that we are who we claim we are, but WE are expected to trust that They are who They claim to be, unless, of course it is a scam. This could be tightened up considerably by one simple precaution. If our bank needs to contact us, for any reason, they should have to confirm a password TO US. It would be quite simple to set up. We would give them a password on the next occasion that we contact them, whether by telephone, or on line, or by returning a card in an envelope. For example, I might ring them up, go through security, and be asked to set up a password for them to give us. A minimum of 8 characters, such as 1212LOSER, or TOMAHAWK, or 062184951732, that we could recall reasonably (or work out quickly!) would be recorded on our account, and if we need reminding they can do so – after confirmation. Then, if they ever do have to call us for any reason, they can announce themselves, saying “Good Morning Mrs Nameiscorrect, this is Agentname from Bankname. I need to discuss your XYZ account with you. Are you ready to receive your agreed password from me?”. That way we will know that THEY are entitled to receive YOUR security information! It may not be perfect, and it may take some time to get everyone’s passwords listed, but it will be a better way of preventing these scammers than the current method, which seems to be keeping your fingers crossed! The banks, and all businesses that hold our information, could easily do this while coming up with something better! My bank holds this in their notes, just in case, but the staff need to be told, and have to search for it, so most of the time I just tell them I will call them back, and hang up. Then I swap from my landline (the only number they have) to my mobile to call back, avoiding the problem of scammers holding the line and playing a recording of dial tone!