/ Scams

Monzo spoofing scam: how we helped a victim get their money back

After an initial plodding response, Monzo refunded a fraud victim in full. Here’s how we helped, and why banks have a responsibility to protect your money.

25/05/2021: Further spoofing scam victims

Another victim of a Monzo spoofing scam recently told us more details about the tactics being used by the scammers. Fraudsters first persuaded him into transferring money from his other bank account with HSBC, to his Monzo account.

The scammers fraudulently claimed they were collaborating with HSBC on the transfer and sent the victim text messages while he was on the phone to them to make it look genuine:

When the transfer was complete, the scammers asked the victim to confirm the transaction in the Monzo app, which in fact approved a payment set up by the scammers. This wiped his account of £8,000, which included a recent student loan payment. The victim was later fully reimbursed by Monzo.

09/10/2020: How we helped a victim get their money back

The last thing Scott wanted to hear after being furloughed was that his bank account had been targeted by fraudsters.

He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured.

Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk. Scott carefully checked all the details before reluctantly handing over his account information.

He was horrified to later discover that all his money – £12,000 – had vanished. The emails were convincing fakes, and the calls and texts were spoofs created by scammers.

‘I’m savvy about these things, but the set up was so slick,’ said Scott.

Contacting the bank

He contacted Monzo immediately for help and was stunned by its response. He told us that its customer services ‘filled him with fear and uncertainty’ about whether he would get his money back.

“There was no support or empathy. I was made to feel it was my fault, and that the bank probably wasn’t going to do anything about it, I didn’t expect violins, but I did expect reassurance. I thought Monzo would be on my side”

Scott heard nothing from Monzo for weeks, despite him following up his initial complaint several times. After getting nowhere and being worried that he would never get his money back, Scott turned to Which? for advice on what he could do next.

We told Scott that he should be reimbursed by Monzo because he hadn’t given permission to make the transaction. He wrote to Monzo demanding a refund. Only then did Monzo reimburse Scott for the full amount, plus compensation for the inconvenience.

In response to a call for comment on Scott’s case, Monzo said:

“It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

Protecting your money

Banks have a responsibility to protect your money and they should do everything within their power to recover losses that are due to fraud.

In this case, the transaction was unauthorised and therefore had to be refunded in accordance with the Payment Services Regulations.

These are the same regulations that cover you if your card is lost or stolen and used fraudulently.

Sometimes banks might attempt to wriggle out of reimbursing customers in these situations, but you should never be held accountable if you can prove you didn’t give permission to send the money, as was the case with Scott.

Have you struggled to get your money back after a sophisticated scam?


Scammers need their own account to which they can transfer the victim’s cash. The bank that gave the scammer an account had not done its job properly because its verification procedures were lacking, ergo that bank is at fault.

I was a victim of the HMRC scam and lost £6k. It’s a bit of a tale but the long and short of it was I contacted my bank within 30 minutes to ask the payment to be stopped (too late). I reported it to Action Fraud minutes later, not heard anything since. My bank’s Fraud Team were alerted and when I phoned for an update 2 months later, there was “no progress”. I asked my bank the name of the bank my money was transferred to then phoned that bank (APS Financial) inquiring about opening a personal account with them. I asked their employee what documents were required to open a personal bank account with them. To open a personal account at APS Financial you need to provide OVER THE PHONE:
Your name
Your email address

You DON’T need to SHOW proof of ID, home address, utility bill, passport, driver’s licence, financial criminal record (if any), citizenship of a country.

This snooping took me less than 15 minutes. I phoned my bank’s Fraud Team and told them what I’d found out. This bit is so astonishing: MY BANK’S FRAUD TEAM WERE UNAWARE IT WAS SO EASY TO OPEN A BANK ACCOUNT AT APS FINANCIAL! THEY HAD SENT THEM AN EMAIL WEEKS AGO AND WERE WAITING FOR A REPLY.

This is what happens: An organisation opens 1,000 APS Financial bank accounts then phones people scaring them into parting with money (on some pretext: tax payment overdue, payment in arrears, insurance scam…you name it) by convincing the victim providing some of their details (home address, Companies House ID, tax codes, amount owed etc). The scammer convinces the person to pay money into one of these 1,000 bank account numbers. When the money has transferred to the scam account it is transferred to another account and another account etc and the original scam account is closed. Victim complains to his/her bank. The bank contacts APS Financial and they say the only contact they have is the email address…and guess what? That email address no longer exists! LEGITIMATE BANKS SHOULD APPLY PRESSURE ONTO THESE BANKS THAT ALLOW THIS SCAM TO HAPPEN TO STOP THIS SLACK PRACTICE AND DEMAND REFUND TO GIVE TO THEIR LEGITIMATE CUSTOMERS. It’s easy: Barclays, Lloyds, Net West, TSB, Santander etc contact APS with the demand “Tighten your security or we will not deal with you because our customers are getting scammed by yours and our customers will want compensating by us so we want the money we pay in compensation back from you”.

The HMRC scam costs UK tax payers ca £80m per year (to put it in perspective, the Brinks Mat robbery was £26m – THREE TIMES LESS – and look at the effort they put in to recover that amount!)

The advice I would give here is that if you receive these kinds of messages “from your bank”. Then contact your bank directly by the phone number or other means that they gave you to verify that there is genuinely a problem with your account.

And use a different phone if you can as the fraudsters stay on your phone line

I prefer a bank with people (humans face to face) for anything other than routine payments to people I know, otherwise its credit card only never transfers, even of it costs a bit more.

However banks are not interested in preventing fraud, neither are the police or government. Each case is one of thousands and the victims are just a number. Its amazing how anyone can seem to open an account and commit fraud. Any transfers to foreign accounts should go through special checks and anyone opening a UK account should be photo, passport and tax-checked at a branch of the bank and then address checked by letter.

Also advice should be not “take 5” to “make sure the caller is genuine”…cold callers are never genuine. The government advice and banks should run TV ads – “never respond to any email or phone call”..Ive never had a call or email from my bank ever. They either send a text to say to contact them using my name and to call the number as written on my bank details, or send a letter. The Government is protecting the cold call industry.

Scammers are not giving up lightly in their quest to steal from unsuspecting individuals whose life savings can disappear in a flash.

If this unethical trend is allowed to continue unabated, the only safe way of contacting their customers would be for banks to resort back to the days when snail mail would be the only effective way of communicating with them.

The disruption this would cause would be catastrophic for banks who would ultimately depend upon customers to phone them which, in turn, would increase their frustration, waiting in long time consuming call queues becoming even longer before being answered.

It is becoming abundantly clear we are increasingly in danger of becoming the victims off our own invention.

A safe way for banks and customers to communicate is by customers logging into their account and by secure messaging. Banks can ask a customer to do this when there is information they need to impart. A financial institution I am with emails me to alert me that there is new information about my account and I then login to read it.

My bank (Santander) does that. I thought it was standard practice.

Some of these scams are not really that sophisticated and can be avoided by following a few simple rules.
Never, ever give any information to an unsolicited caller however persuasive they may be and whatever number they ring from. This includes any identification data and account details. This is the prime rule and will stop most scams in their tracks.
Don’t ever pay money out to an account given by a caller not known to you or by email. Ring the person you are paying to check any account numbers and on a different phone.
Banks can freeze accounts and cards, and if necessary transfer money to a safe account. They do not need you to do anything if they think it is a fraud and are quite competent at stopping frauds in progress that they spot.
Finally if you are not confident with technology then don’t use online or mobile banking.

Scott did not check all the details as thoroughly as he claims! A simple call to his bank?

I am concerned that bank customers should be helped to avoid scams and, where a bank is negligent, to refund the customer.

However, I am also concerned that we should be fair to both parties. If a bank refunds a customer it is usually other customers’ money that, indirectly, is being used unless they recover it from the receiving bank– lower interest rates on deposits, higher rates on loans and overdrafts, higher charges. So, I believe we need a responsible approach to deciding who pays and what proportion of the money lost.

Which? list these conditions for banks to observe. However, they are very general and, I believe, Which? should flesh them out so we know what the rules really mean in practice and when they are relevant. I’ve put some comments in italics.

“How are banks supposed to protect you from these scams?

A voluntary code of conduct was introduced in May last year, which would see you reimbursed by your bank if you fell victim to this type of scam, and you aren’t to blame.

Banks also have duties to protect you and should reimburse you if they’ve fallen down on any of these steps, including:

1. Educating customers about APP scams
What should count as acceptable education and how should this be transmitted to the customer?
Would a general warning on the customer’s online account, visible each time a transaction is attempted, be adequate?
Clearly a bank cannot foresee a new scam.

2. Identifying higher-risk payments and customers who are vulnerable and so have a higher risk of becoming a victim
Identifying a higher payment done online is easy but how does the bank assess the risk attached?
How does a bank know a customer is vulnerable unless they have had an assessment provided by, say, a family member?

3. Providing effective warnings to customers if the bank identifies an APP scam risk – these could be messages when you go to make a payment or set up a new payee
How is a bank expected to identify an APP scam risk

4. Talking to customers about payments and even delaying or stopping payments where there are scam concerns
Following from 3. This can only happen if there is an effective way of identifying a scam risk.

5. Acting quickly when a scam is reported to it
Agreed. But what action should be taken other than contacting the receiving bank to try to recover funds and reporting to the authorities?

6. Taking steps to stop fraudsters opening bank accounts.
This is, of course, the key to success. How does a bank identify a fraudster and deny them banking facilities? The receiving bank should repay funds, whether or not they can be recovered, if they cannot demonstrate due diligence in sanctioning the account opening.

Read more: https://www.which.co.uk/news/2020/10/post-brexit-law-change-could-help-banking-scam-victims/ – Which?

In reports by Which? of scams the presumption seems to often be that the victim is not to “blame” at all. Yet, frequently, we see they have ignored (or never taken note of) scam information, they have often initiated a payment in response to a request (often very sophisticated) and they may have given away essential information (contrary to their contract with their bank) to allow their account to be used or have simply instructed their bank to make a payment. Their bank has simply obeyed their instruction, as the are obliged to do.

So, it is not a question of “blame”, in my view, but of being responsible, to a greater or lesser degree, in making a personal transaction. And being given a bank account with facilities most appropriate to the account holder.

I’d like to see this insistence on the banks being responsible moderated so it is fair to both parties. And where a “victim” has acted irresponsibly they should accept the consequences of their actions.

Equally, if a bank behaves irresponsibly, negligently or contributes to the victim’s loss then they should provide recompense.

The danger of an almost automatic compensation scheme, however much the victim is responsible, is the probability of contrived claims, of a relaxation in some customers’ vigilance, and extra costs to responsible customers.

In the consultation on APP scams it was considered that the receiving bank should be made responsible for the repayment of scammed funds, in that they were responsible for opening the account of the fraudster. I agree with that approach in that it should make banks much more careful in the checks they make when accepting a new account holder. Clearly the receiving bank would need evidence from the sending bank that a genuine fraud had been committed.

I also believe that banks should offer accounts with different facilities to different people. For example, placing smaller limits on a withdrawal or transfer amount; limiting a daily total withdrawal; requiring a second person to authorise a transaction, or one above a pre-determined level; imposing a time delay on all transactions above a level but with the bank questioning the transaction.

We should also, perhaps, be made to earn an account with “normal” facilities by completing an assessment of our understanding of how to operate it correctly. Difficult to do unless in branch of course. Alternatively, our account could be downgraded if we use it irresponsibly or fall for a scam.

In relation to random call generators which often ask (Amazon ‘Prime’ payments etc.) the recipient to switch on computer so that problem can be fixed (by gaining control of same)) I find that it helps to explain to caller that the batteries are flat and I must search for charger, but can they stay on line as it is important to me. I have managed to spin out calls for above ten minutes during which time their plaintive calls , ”Hello, are you there ?” gives some satisfaction and amusement….

Barbara Price says:
1 December 2020

I love scam calls especially the ‘Microsoft’ ones. I keep the caller on the line for as long as I can by having a very slow to boot up computer, power cuts, blackouts, crashes and me being an old lady and very deaf so it’s hard to hear the first time. Also I need to get new batteries for my non existent hearing aids. Works every time and my record is 45 minutes. I only stopped because I got bored!

Nice one Barbara. I used to do that too, but I’m currently receiving hardly any scam calls. I think my record was only about 30 minutes though. I have sometimes even let the scammers connect to a specially prepared PC, so I could see exactly what they want to do.

One or two YouTubers seem to be making a living by winding up scam callers, not least Kitboga, see:-https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw

Adrian Anwyl says:
7 December 2020

My best was 7 minutes Well done

Sanchez Maquina says:
10 November 2020

Can ou help me? I’m in a similar predicament whereby I got a call imitating Natwest bank. They managed to access my online banking and make a payment. The next morning I noticed a new payee was set up but my account was blocked so I called up Natwest and they asked questions and just sent me an email on prevention tactics etc. They’re saying they’re doing an investigation but seem very reluctant to make it known whether I’ll be getting that money back. Please instruct me on what to do to get my money back.

How you gone on with the said bank.same happened to me still waiting on the banks investigation.

How long before we get scammers, scamming other scammers with whom they are in cahoots with & dividing the “profits” ? This goes back to previous comments re banks thoroughly checking out potential customers before allowing an account to be opened.

My santander account has been hacked,rang the bank they said i allowed the scammers to get my funds.what are my rights on this.

A.G.S says:
17 November 2020


Matthew Bristow says:
28 November 2020

I have just been stung by the same scam .. this cost me £300, I checked the number calling against the fraud number on my bank card. They had access to my banking app and were transferring money from one account to another… I phoned the fraud line and was on for an hour and a half last night, I felt stupid and embarrassed by this. I’ve later found that they used a Santander account to transfer money .. in the name Sol Midgley.. I will report it to Santander today to see if that helps further

Rex Goad says:
1 December 2020

When I get a cold call I simply say “I don’t take cold calls so goodbye” and ring off immediately.

Best way to handle them Rex.

A woman has called regularly for a few weeks now wanting to ask me ‘just a few simple questions’. I recognise her voice now so yesterday said ‘What you again? Don’t you ever give up?’ After a short pause, she assured me she had never called before .

Perhaps one should say “I’m sowwy, but I hev a code in the nodes and cannot hear you”, then sneeze loudly down the phone [sanitise it afterwards, of course].

Agnes says:
19 December 2020

I was scammed recently and my bank Nationwide were marvellous I was treated with extreme courtesy and even though I emphasised how silly I felt they reassured me as it was a clever ruse

As the treasurer of a sports club and formerly treasurer of the local branch of a political party, I have found it very difficult even to change the signatories on a bank account, let alone set up a new account! How do fraudsters manage it, I wonder?

Our treasurer had a similar problem when our existing bank stopped offering club accounts and it took weeks to sort out an account with a new bank.

Has anyone analysed the number of scammers’ accounts that have been held by which banks, here and overseas? I wonder if there are clear culprits.

I enclosed a cheque in a Christmas card to my daughter on 17th December which has gone missing in the post, so I phoned the bank on Thursday 31st December, to block it. Fortunately it had not been cashed, but I have cautioned my daughter to keep a close eye on her bank account in case her identity is used by someone to open a new account in her name. My bank assures me they will do the same as my name, account number, sort code and initials are all displayed for prospective criminals to utilise.

Beryl, Sorry to hear of the lost cheque. I distributed Christmas money online from my account as it is so easy and reliable. Your sort code, account number and signature will be available to anyone to whom you give a cheque. If you had your cheque book stolen then someone could perhaps steal money. They also have your daughter’s name and address but no other personal details presumably. So I wonder how this would lead to identity theft. Did your bank tell you how this might happen?

Chances are the card just got lost in the Christmas post, of course. I hope that was all that happened.

Happy New Year. Let’s hope with the arrival of vaccines and the departure of Brexit some kind of normality will return over the next few months, before we forget what real life was like. However, my parents went through the fear and deprivations of five and a half years of war and put up with it. We are resilient.

I’m sorry to hear that, Beryl. Hopefully the card and cheque will eventually arrive. Some of the cards I have sent and received have arrived long after they were sent.

It had not occurred to me that having a name, account number and sort code could be a risk because they are printed on every cheque.

I stopped using gift cards and cheques at Christmas and switched to online banking. This year it was mobile banking.

I am still hoping the card and cheque will turn up, based on the odds that one in millions of Xmas cards was unlikely to be singled out, unless it was scanned by a Royal Mail official.

The bank representative I spoke with on the phone said they had received quite a few similar inquiries over the Christmas period, but nevertheless agreed they would block the cheque and advised I send another by ‘signed for’ post.

Malcolm, to answer your question, you may be interested in the following as an example of how scammers are able to use your ID on a cheque and steal your money, which often is not refundable by the payer, the receiving bank and also your own bank.

A Happy New Year to everyone 🙂

That link does not work but for me but I think this is the article: https://www.theguardian.com/money/2004/jun/19/scamsandfraud.jobsandmoney1

This is worrying and it would be useful if Which? would give us an update on cheques and security issues.

A few Royal Mail delivery offices have been on strike and I am still waiting for a card to be delivered that was posted on 16th December. After everything people have been through, how can the unions abuse their power to be so evil.

Apparently some delivery offices have mountains of mail waiting to be delivered, so there is still hope they will turn up.

A very disturbing link wavechange and shows how easy it is to open an account with forged documents. Until more personal ID like a photo taken in a bank/building society, eye scan or fingerprints are required, fraudulent accounts will continue to be used for thieves ill-gotten gains.

I see this article is sixteen years old, but wonder what has changed since it was published, Alfa. I agree that banks should be using the best security systems available. What annoys me most is that banks are providing scammers with accounts and card services.

I have just read Patrick’s post below. Nothing has changed as scammers are still opening bank accounts to handle their fraudulent activities.

It seems to have been dropped now, but some years ago, I had to open a couple of accounts with a photo that could only be authorised by certain people who charged £5 for the privilege. That would also be easy to fake, so applicants need to turn up in person at banks, etc.

patrick taylor says:
2 January 2021

Malcolm r’s comments on the customer/bank scam problems are well thought out and deserve some serious response.

The British Bankers Association have for many decades marched in lockstop in managing how to be profitable and this is unsurprisingly not always for the benefit of customers but for maximising the money to be made from customers. Hence the various “scams” of loan insurance, unemployment insurance etc. – not forgetting charges and high interest rates.

Do not trust the banks. Or to be more specific the banks that copy the UK model such as the Australians where some of the scandals are eyewatering. Not to mention the US.

I have my banking exams and know banking law. Opening a customers account is possibly the only time that you will be able to evaluate the cutomer and also ask the questions, and see any documentation you feel necessary. That is the concept. It costs because you need intelligent staff and time.

For banks it is easier to reduce it to copying forms, a tick based process, and opening an account for anyone. This has made it a simple process for those who wish to set-up dubious accounts.

Which takes us to malcom r’s suggestions particularly for a profile for a customer where abnormal sums or patterns of payments would be obviously wrong. This particularly easy to spot with numerous credits into an account or very large sums and numerical triggers.

Going back decades banks have been required to be vigilant as to payments into accounts but that gain is a cost and so things like checking the signatures on cheques was widely abandoned. Making them more responsive and responsible needs heavy financial incentives [costs].

In all of the reported large number cases of those housebuying sums going astray can you recall any bank being named, shamed or fined?

Katrina Mowbray says:
15 March 2021

The same happened to my partner, Monzo said that he couldn’t get his money back. Do you think you could help him? £4000 was stolen from his account.

Hi Katrina. Just this morning Monzo returned £4000 to my sister, who was scammed on 11th March 2021. She was also told that it wasn’t possible to get the money back etc … it requires a fight x


You can also be a part of Which’s upcoming campaign on APP fraud (if that’s what happened) – I spoke with Which last week about it.

Keith Landles says:
23 March 2021

I had exactly the opposite experience from Scott. Having been taken in by a fairly professional scam, I authorised the transfer of £60,000. When I realised I’d been scammed, I contacted my bank. Unlike Scott, I found my bank to be really helpful. They advised of the timeframe to investigate and actually called me a day before they said they would. They refunded me the full amount even though I hadn’t specifically asked them to.

Keith – As a matter of interest, which bank do you use?