/ Scams

Monzo spoofing scam: how we helped a victim get their money back

After an initial plodding response, Monzo refunded a fraud victim in full. Here’s how we helped, and why banks have a responsibility to protect your money.

25/05/2021: Further spoofing scam victims

Another victim of a Monzo spoofing scam recently told us more details about the tactics being used by the scammers. Fraudsters first persuaded him into transferring money from his other bank account with HSBC, to his Monzo account.

The scammers fraudulently claimed they were collaborating with HSBC on the transfer and sent the victim text messages while he was on the phone to them to make it look genuine:

When the transfer was complete, the scammers asked the victim to confirm the transaction in the Monzo app, which in fact approved a payment set up by the scammers. This wiped his account of £8,000, which included a recent student loan payment. The victim was later fully reimbursed by Monzo.

09/10/2020: How we helped a victim get their money back

The last thing Scott wanted to hear after being furloughed was that his bank account had been targeted by fraudsters.

He received emails, calls and texts from his bank, Monzo, all warning that his account needed to be secured.

Scott was initially sceptical, but the caller was professional, calling from the digital bank’s phone number, and insisted his money was at risk. Scott carefully checked all the details before reluctantly handing over his account information.

He was horrified to later discover that all his money – £12,000 – had vanished. The emails were convincing fakes, and the calls and texts were spoofs created by scammers.

‘I’m savvy about these things, but the set up was so slick,’ said Scott.

Contacting the bank

He contacted Monzo immediately for help and was stunned by its response. He told us that its customer services ‘filled him with fear and uncertainty’ about whether he would get his money back.

“There was no support or empathy. I was made to feel it was my fault, and that the bank probably wasn’t going to do anything about it, I didn’t expect violins, but I did expect reassurance. I thought Monzo would be on my side”

Scott heard nothing from Monzo for weeks, despite him following up his initial complaint several times. After getting nowhere and being worried that he would never get his money back, Scott turned to Which? for advice on what he could do next.

We told Scott that he should be reimbursed by Monzo because he hadn’t given permission to make the transaction. He wrote to Monzo demanding a refund. Only then did Monzo reimburse Scott for the full amount, plus compensation for the inconvenience.

In response to a call for comment on Scott’s case, Monzo said:

“It is clear cut that Scott was entitled to his money back. We never declined his request. We just took too long sorting this out. We have apologised and compensated him for this”

Protecting your money

Banks have a responsibility to protect your money and they should do everything within their power to recover losses that are due to fraud.

In this case, the transaction was unauthorised and therefore had to be refunded in accordance with the Payment Services Regulations.

These are the same regulations that cover you if your card is lost or stolen and used fraudulently.

Sometimes banks might attempt to wriggle out of reimbursing customers in these situations, but you should never be held accountable if you can prove you didn’t give permission to send the money, as was the case with Scott.

Have you struggled to get your money back after a sophisticated scam?

Comments
Dermot says:
27 March 2021

What about royal mail demands for package payments when no package has been sent

Dermot – You might find the following Conversation covers your concerns –
https://conversation.which.co.uk/scams/royal-mail-fake-website-text-scam-warning/

It’s mostly about a common scam where people are getting false demands for money – purporting to come from the Royal Mail – for delivering non-existent parcels.

Susan says:
17 April 2021

Watch out for a text supposedly from Hermes saying that they could not deliver my parcel, when none was expected, asking for a £1.00 payment to attempt delivery again. I suspect that our bank would be emptied on giving my card details.

Got one of these yesterday from so called Hermes asking for payment to redilever for parcel that I haven’t bought anything

SUSAN SHARP says:
8 May 2021

Obviously if you have not ordered anything you will not need to pay for a package payment. Surely a NO BRAINER

I completely agree with Susan S. if you know that you have not ordered anything do not answer to any texts, there are so many scams out there and we all need to be vigilant.

Yvette Taylor says:
29 March 2021

I was caught by the fake Royal Mail Scam. But I also questioned if it was real. Up to now, no reply. I think it’s ‘People’ who’re down on Their luck while this ‘Pandemic is on.

Joan Evans says:
1 April 2021

If you don’t recognise the number let it go to answer phone

One thought that occurred to me when confronted with a scam demand is to query – to myself and to the caller – whether the caller would normally know my telephone number. The most recent call I had was from “Open Reach” who were claiming that there was a problem with my router and that to fix this they needed to have access to my PC. I doubt very much if OR know my mobile number nor if there is a problem with my router for which they are not responsible. Same with the Microsoft and Amazon Prime scams. Putting this point to the caller usually results in the conversation being terminated by them.

Richard says:
27 May 2021

I have had one of these recently. When they asked if I used Windows or a Mac I gave the wrong answer. I then said I was logged onto my computer (while I was loading the dishwasher) and said “yes” a few times to their questions. Eventually they gave up and went away, but I enjoyed wasting their time while I got on with other things.

I too keep scammers on the phone pretending I am ignorant and don’t understand what they are asking me because I am elderly. I am completely aware of their tactics because I work with the police as a volunteer and know all the tactics used. I feel that while they are on the phone with me trying to persuade me to give them my personal details they are not speaking to someone else for a while. I then end the call with a few expletives to them then hang up.

I’ve lost count of the number of times I have had texts, voicemail messages and e-mails from scammers about my non-existent Amazon Prime account. I was told my internet was being turned off and to connect to my provider via (the following link) to resolve the issue. AS IF! I’d just phone them. I’m also getting e-mails saying I have won a free gift. Thank goodness for Which? warnings.

Sheila Barnes says:
8 April 2021

I had a text from Royal Mail – there was a phone no. On it, so I texted back “What parcel?” I have not received a reply.

Mike says:
25 May 2021

I wouldn’t even be doing that. Worst case is you have confirmed your number is real and live which could lead to more spam.

Lizzie says:
27 May 2021

Usually the texts do not support replies so you won`t get one !

One would think that the most common scams – Royal Mail / other carrier, HMRC, one’s own bank quoting “suspicious activity ..”, Amazon, Microsoft .. – would have become so well known by now that any messages would instantly cause alarm bells to ring.
Does giving one’s credit card details give more security than debit card if either gets into the wrong hands?

Ian – Any criminal fraud attempt can have very serious consequences ultimately wiping out all the money in an account or racking up a huge level of expenditure charged against the credit card.

When a criminal uses another person’s account information (e.g. a credit card number) to buy products and services it is called takeover fraud and it is also used by scammers to extract funds from a person’s bank account.

For a debit card the scale of the potential loss will depend on how much money there is in the current account and for a credit card on what the credit limit is. It will also depend on the extent that the bank’s or card issuer’s system intervenes in the event of an unusual payment or withdrawal [debit card] or in the case of an unusual commitment [credit card].

Bear in mind that current accounts can also have overdraft facilities on top of the balance and credit card spending limits are sometimes eased to enable higher commitments. Once criminals have gained access to one account they might also be able to get access to others with the same bank or card issuer.

In neither debit card nor credit card crime is there a guaranteed form of recompense and, if the bank or CC company has not been negligent in allowing unauthorised access, the account holder is entirely reliant on the goodwill of the organisation and should not expect reimbursement unless the destination of a bank withdrawal is discovered. Note that s.75 of the Consumer Credit Act 1974 offers no protection against this form of fraud.

Some specialist law firms offer to assist with a compensation claim but their ability to do so is heavily qualified and it will be on a ‘no-win, no-fee’ basis [under a conditional fee agreement]; in other words they will only pursue a claim with a high probability of success [in their opinion] and, if it is successful, will deduct a substantial fee out of the proceeds.

There is some Which? guidance on card fraud here –
https://www.which.co.uk/consumer-rights/scams/card-fraud
It is in the form of a menu that links to specific advice on the various circumstances.

The implications of what you have written could logically be not to use a credit or debit card – at all??? To make perfectly legit online purchases (eBay, Amazon etc) I have to provide certain “security” items as standard. If by doing so I expose myself to being hijacked, what is the solution if any?

There is some advice on making claims against credit and debit card providers on this page: https://www.which.co.uk/consumer-rights/regulation/section-75-of-the-consumer-credit-act-aZCUb9i8Kwfa I am not keen on giving my card details to a trader I have not heard of, so I prefer to pay small amounts by PayPal, and I rarely have more than £100 in my account.

It is unclear to me just what protection one is entitled to from Section 75 etc in the case that one is victim of an out and out Royal Mail / Hermes type scam. Assuming that one uses one’s credit card details not Paypal – I had heard previously that if Paypal acts as an intermediary then one loses one’s rights under Section 75

Ian – PayPal is a money exchange facility, not a credit card issuer, so it is not covered by s.75 of the Consumer Credit Act 1974. Unlike with credit cards, PayPal does not have joint liability with the trader for the purchase. As Wavechange says above, it is a wise precaution to pay only small amounts this way to a seller you have no knowledge of or not done previous business with satisfactorily.

The scams you have identified involving parcel deliveries come via e-mail messages and are unlikely to involve credit card payments. I have not seen one so I don’t know what the payment arrangements are. They could request a cheque [which will show your account details], or have a PayPal account, or ask you to make a payment transfer to a nominated bank account. The initial payment is set low [just two three pounds] so as to look reasonable and not spook the customer, but what they really want – because there is no parcel awaiting delivery – is other personal and bank details so that they can steal your funds. You will find good advice about mail delivery scams if you read the comments in response to previous complaints in this Conversation.

No transaction on the internet can ever be completely secure in all respects, and other means of payment also have their risks and drawbacks, but if you deal with reputable companies with a known substantial presence, via a website you have opened yourself [i.e. not by following a link in an e-mail or through a social media site], then it will be as safe as is reasonably practical and, in the event of default or attempted fraud, the bank or card issuer is more likely to respond favourably to a chargeback or s.75 claim than otherwise.

As you say, as a registered customer with an account there is a degree of protection when dealing with Amazon or e-Bay and other reputable companies through their security protocols. Note that when dealing through Amazon the customer always pays Amazon even if the trader is one of their marketplace affiliates. With e-Bay it is often necessary to deal direct with the seller who might not be in a position to accept payment by credit card and there will therefore be less protection, although e-Bay will investigate customers’ claims in the event of default. PayPal is a useful facility for making such payments but if a large sum is at stake it is safer to use a credit card for payment. Bear in mind that if a seller is not authorised to take credit card payments there could be a good reason for that; on the other hand, private sellers making only occasional sales could be perfectly honest and there will be no problems. Only you can make the judgment whether or not to buy in those circumstances and you should not rely on reviews to guide you.

Another relevant point is that a lot of false sales are priced at under £100, so are below the threshold for protection under s.75, and there is no particular advantage in using a credit card in those cases. Unfortunately, using a debit card carries higher risks because, in the possession of a criminal, the card details give access to your current account if your password has been hacked.

Thanks John. Which? provides the following advice about Section 75 and PayPal (see the link I posted above):

Payments through PayPal
There are legal arguments that having another party involved in the transaction process takes away the Section 75 protection. However, if you use your credit card to pay for something through PayPal and the funds go direct to the seller, then as long as the company you’re buying from has a ‘Commercial Entity Agreement’ with PayPal you may still be able to claim against your credit card company under Section 75 for any misrepresentation or breach of contract by the seller.

There are arguments that having another party involved in the process takes away the Section 75 protection.

PayPal also offers its own buyer protection scheme, called PayPal Buyer Protection, so it’s worth checking if you’d be covered by that if you have a problem with your purchase.

If you particularly want to have the protection of Section 75 then try to pay the trader direct with your card.

This relates to problems with sellers and there is uncertainty about whether you could make a successful claim. It does not answer Ian’s question about scams.

In my view the major protection against scams is to make it a personal rule never to pursue a link in an e-mail where payment is involved but contact the organisation concerned direct. People also need to learn how to detect a dodgy e-mail [and there have been copious warnings and advice on that].

In these cases we must ask ourselves –
Has the communication received given any identification details for the consignment or the recipient?
Am I expecting a parcel or delivery?
How does the carrier know my e-mail address or phone number?
Why have they not left a card?

If a delivery is expected, contact the consignor and find out which carrier has been used and when the item was despatched. If no delivery is expected, ignore the message.

It is not unusual nowadays for the carrier to have the recipient’s contact details because they are often acting as a fulfilment agent on behalf of the supplier. It would not surprise me if such information has leaked out of the carriers’ databases and is available within criminal circles; the notion that every employee of the parcel carriers is totally honest is unsustainable given the pay and conditions of service that prevail in that business. We have to be highly aware and doubly cautious.

We could be approaching a point where the internet is so untrustworthy that it ceases to be useful.

Just what risk(s) am I exposing myself to if I use my credit or debit card to make purchases in the nomal way, but without revealing any password details? Ditto in the case that I send someone a cheque. How does a scammer hack into my account?

Ian – I don’t think you are at any particular risk when using your credit or debit card in the usual way to make purchases, i.e. physically with your PIN. But I believe there are risks if you make card payments by telephone and read out your card details including your personal security number from the back of the card; this data can be copied and used for criminal purposes. Similarly when completing mail order forms in writing for purchases and giving all your card details.

I believe card transactions are relatively safe when made through a secure website that you have chosen to open rather than being diverted to via a link, and when using a telephone key pad to give the card details provided that is an encrypted process.

Having to use a one-time pass code sent to an alternative device within a limited period while ordering a bank payment transfer has improved the security of such transactions and the need to reconcile the name of the account holder with the sort code and account number is a further step in that direction, but scammers are constantly coming up with more ways of tricking people into handing over their details [for example, the “if this wasn’t you”-type scams where false jeopardy is set up to panic people into giving access to their computer]. Once this data is in the criminal domain it can be resold and used again unless people are aware of it, inform their bank or card issuer, and change their card and account details.

Millions of passwords and access codes have been leaked or stolen and criminals have ways of matching them up with account details or just trying it on. Many banks and other companies have experienced data breaches which have either been accidental or criminally inspired and have had to advise their customers to change their passwords. Many people have unwittingly given criminals access to their computer through a scam and found that their funds have been raided or goods ordered on their credit card accounts. ‘Phishing’ attempts and the unintentional circulation of private e-mail addresses all add to the volume of useful data that is available to hackers and scammers. Social media has also become a rich source of data for the criminals as it is made for sharing and some users have been too free with their personal information.

Keypad ‘skimming’ at ATM’s is not heard of much these days and it has probably declined considerably as improved security systems have been installed by the banks and as other easier ways of extracting useful data have become available.

Banks, and Which?, issue helpful guides to staying safe on-line and advice on how to avoid being scammed or enabling computer access when contacted by phone or e-mail.

Beware that caller’s phone numbers are easily faked to make it look as though the call is coming from your bank/HMRC/PO, etc. This scandalous situation has been highlighted on two recent eisodes of Radio 4’s Money Box. Ofcom have admitted that at present there is no way to prevent this, so basically you cannot believe any caller ID to be genuine. As others have said, calling separately to a known number is the safest way, making sure, of course, that the scam caller has already hung up.

If you can “listen again” to R4 Mon 26th April programme You and Yours around midday, there is a description of a very sophisticated scam that combines 3 elements of ordinary scams. The end effect was that what started off with responding to a Royal Mail request for postage payment ended up with the lady in question being charged £10 K on her Halifax credit card for a Swiss watch which she neither ordered or received. It sounded like she was in the end refunded by Halifax but more out of goodwill (caused by the publicity?) than Section 75. Nasty

Here is a link to the programme on BBC Sounds: https://www.bbc.co.uk/sounds/play/m000vh53

I forwarded this link to the fraud department of my bank (First Direct) to ask for their comments and advice to prevent me inadvertently falling into the same trap. Regrettably they were not prepared to follow this up due to their systems preventing access to external links reportedly. Not even one of their staff accessing it from home. It is not impossible to spot some of the more common scam “warning signs”, but for something as sophisticated as this I think further lessons have to be learned. Just what and how I don’t know.

Credit card payments are generally held to be more secure than bank transfers. With the latter can a fraudster get access to my account (apparently by setting up a direct debit…?)? Just as if I had given him my sort code and account no? This seems to be a grey area.

I don’t understand how a sort code and account number would allow fraud, Ian. If you pay someone by cheque it will show this information.

Ian – Only the customer can set up a direct debit and it is usually done by completing a form manually or through the website of the payee. Even if they know your sort code and account number a third party cannot set up a direct debit unless they fake your signature. It would become apparent when checking the next bank statement.

Bank transfers are reasonably secure because you have to be logged in to your bank account to make them and there are security controls during the process to check the authenticity of the payee, the amount involved, and the destination account [which has to reconcile with the payee’s name].

As I said previously, nothing can ever be 100% secure other than cash in the hand – but not so many years ago people would be robbed coming out of the post office with their pension money.

Direct debits are subject to many safeguards as summarised here:-https://www.directdebit.co.uk/FAQs/Pages/YourRightsAndSafeguards.aspx

So only preauthorised organisations can submit direct debits on behalf of customers.

My understanding is that given the “victim’s” name and bank details, no more and no less, a fraudster can gain access to the bank account by setting up a direct debit. Depending on the circumstances and the speedy cooperation of his bank it may or may not be possible to block this, or to reclaim stolen funds via the guarantee scheme. Were this not so I don’t see how the scams work – unless further ID is provided.
My same reservations apply when making a purchase (phone, online) with a credit card where it is usual to provide the security number.
May be a retailer’s terminal is less risky where the purchaser inputs only his PIN number as secretly as he is able.

I had someone try to set up a standing order on a Treasures Account I manage. 3 different attempts were made but the Bank wrote to me each time asking me to update my signature. They were crealy fraud attempts but HSBC would take no action even though it had the destination account details. Probably a mule persuaded of easy money.. In the end I put a marker on the account that no standing orders could be made on the account unless I presented myself in person at the Bank.

doreen nash says:
8 May 2021

Through the Post i received a Word search which I thought was genuine, did the
Wordsearch got a letter saying I had won. I got my telephone Bill which they had charged me £35 now for entering. Now I find out its an american telephone number to ring them to Cancel it , it is a Scam. They have put an american phone number on my Bill which I cant afford to ring them being a Pensioner. So every month £35 comes out of my Bank account. I have notified my Bank but i haven’t got much further with the Complaint. It’s so awkward when you cant speak one to one about these matters.

I fell victim to the royal mail scam 3 days ago, I did fill in my details. I was awake all night worrying so I called my bank First Direct at 5am on Sunday morning to tell them. One of the first things I said to them after security was “is the £27,800 still there that is a deposit for a house and cannot be touched” First Direct confirmed it was. My house purchase is due to complete in 3 weeks. A stop was put on card. I then told them that I had a new iphone delivered and I did not know how to deactivate the security code to set it up on the new phone. I asked if somebody from the bank could talk me through it later provided my account was now safe because I had to leave the house at 6am but would be back between 2-3pm. I cannot remember if they said they would call me or I had to call them. Anyway 2pm I got a call, I was driving at the time and asked them to call back between 2.45 – 3pm. At 2.44pm I got a call from First Direct Customers Services from the banks digital phone number. They asked me confirmed by place of birth and DOB then made reference to my recent call reporting fraud. They advised me that a DD had been set up for £238 to Currys and a payment for £1080 to a Mr Patel in Bradford starting the next day. I said this was not me. The caller said I needed to reset my internet banking. I explained I didnt know how to do that as I had a new iphone. The caller talked me through it and I did give them some codes thinking it was the digital banking section of First Direct – it wasnt. The call then went dead but I just thought it was because the network isnt very good. 33 mins later I called First Direct on the very same same number I was called on. I explained what happened and they advised that two large payments had been sent internally from my savings account, and account that had not been touched for 9 months £13,000 and £10,200 to my current account and two payments out for £12,105.12 & £8,512.58 then out to a Mr Ion Trestianu. The fraud team tried to trace the account but I was told the money had gone and nothing could be done until 9am yesterday. I called at 9am yesterday and was just told the fraud team have all the information they need. I was not given given any reassurance, what “all the information they needed” meant. I asked if I would get my money back and I was told “maybe” but you authorised access to your online account. Indeed I was tricked into doing that, but I did not authorise these payments, and at 5am the day before I had already alerted the bank of a possible fraud risk and that no money should go from the savings account it was a house deposit. I am still waiting to here from the bank but I live alone and I have been truly traumatised by this event. I am a working professional by the way so like the real life story I do consider myself relatively savvy but not on this occasion, but they are so clever. I was just so worried about the house deposit but now the scammers have got it anyway. I have been up for last 48hrs researching and researching I just cannot function. There is a possibility I will lose the house even if long term I may stand a chance of the bank paying up. Absolutely devastating. Thanks for reading and I am happy for which to use my circumstances as a case example and read any further advisory comments.

Gaynor – Thanks for telling us what has happened. It must be very distressing.

It is important that readers note that this particular scam, that starts with a request for a trivial sum in order to have a parcel delivered, can develop into a major crime with potentially ruinous consequences. The follow-up sting – with the scammers impersonating your bank’s fraud team under the guise of helping you – is especially cruel and shows the extreme lengths that these people will go to in order to rob innocent citizens.

I hope everyone heeds the warnings.

Sorry to hear this Gaynor.

I feel First Direct must know and should have warned you the fraudsters would likely contact you again purporting to be them. You did the right thing and told them about the fraud before your money disappeared, so they should have given you better advice and protection. I hope they reimburse your house deposit.

I expect you now know to only call businesses on trusted numbers and not return calls as phone numbers can be spoofed. First Direct are also my bank, and if they do call me, I tell them “I don’t go through security unless I instigate the call, so I will call you back, and who do I ask for?” I then call them back on another phone on my trusted number or call another phone in the house to make sure the line is clear of the previous call before calling them back.

Hi Gaynor, really sorry to hear this. I do hope you can get your money back.

Thanks for your detailed account. I think it shows typical features of a so called “Authorised Push Payment” scam. See:-https://www.which.co.uk/consumer-rights/advice/what-to-do-if-you-re-the-victim-of-a-bank-transfer-app-scam-aED6A0l529rc

As your money was taken, even after you contacted your bank for help, I think we can conclude that your bank did not do a good enough job of providing the help that you needed.

As your case shows, it is easy for scammers to impersonate your bank, if they already have your contact and account details. I’ve heard that the scammers spoof their caller display number, e.g. to correspond to the helpline number shown in the small print of bank cards. I’ve also heard that banks do not not actually make outgoing calls from those numbers, but not enough folk seem to know that. Perhaps this important fact should be printed on all our bank cards?

In the responding to the scam text, I guess you will have clicked on a link to a fake site like ” postfee co uk” instead of “royalmail com”. After a few days, these scam sites are blocked by internet security, but in advance of that, it pays to be careful if you choose to follow internet links.

In general, any unexpected phone call, text or email is most likely to be from someone who is after your money and should be treated accordingly.

Hi Alfa – thank you for your kind comments. How do you know if a number is a trusted number. The call I received came up as “First Direct Customer Services” which is how it is saved in my phone. When I called 33 mins after the event I called the exact same number. I have learnt the hard way from your latter comments though.

Hi Derek – again thank you for your kind comments. I am reading all these comments in tears and have been like this since Sunday afternoon. Friends are doing what they can. I am absolutely beside myself. I think they got me because I said I was available to talk again at 2-3pm, so the call was not really unexpected. First direct do sign up to APP scam code and I do agree given I had already told them at 5am fraudsters had my details then surely any big transactions on a Sunday (transactions that are unusual from my account) should have flagged a warning. It is just a waiting game but a truly horrific one

Thank you John – yes I hope readers do heed these warnings. Your use of words “ruinous consequences” is very accurate. I am just praying the bank do the right thing.

Hi Gaynor,

The absolute safest way is to find the number on your cheque book or on the reverse of your debit and credit card and dial the complete number. I have an entry in my contacts/phone book and use that rather than return a call from my recent call list unless it is someone I know. If you have FD set up in your contacts, you might want to check the number is set up correctly.

I am guessing you have some sort of automatic caller ID that tells you who the caller is even if they are not in your contacts – I do on my Samsung phone. I assume these caller IDs can be faked and just use them as a guide.

You can always give the contact name a slight twist so you know it has been identified from your contacts and not by automatic caller ID e.g. Firzt Direct or First Direct mylist.

Scammers can pretend to end a call by playing the right noises to give that impression, so you do need to take precautions by not immediately calling back on the same phone.

Do you know the phone number that called you or the number you called thinking it was FD?

Hi Gaynor – I’m sorry to hear about your problems and hope that the bank will help you. Just a couple of other points that have not been mentioned.

It’s worth calling Apple if you have problems setting up an iPhone.

It is well worth storing contact numbers for banks (and credit card companies) in your phone, as suggested, so you can contact them immediately. On the other hand, numbers can be spoofed, so don’t assume that an incoming call is from the bank.

Gaynor, I’m really sorry and that is so distressing for you but I think the fact you informed the bank of possible fraud on your account, and your call to them is obviously recorded I would ask them for a copy of this recording as it was negligent of them when they went ahead with transactions without contacting you first to establish they were genuine. Please don’t give up on chasing it up, every day if you need to, and let them know you will pursue it as far as you can.

As a First Direct customer myself I called FD to ask if they could read through Gaynor’s detailed account and let me / others know what lessons could be learned and precautions taken other than what she did. To my disgust they refused, they claimed on account of “data protection” and the fact that it was not myself that was the topic of the scam. I have much respect for FD but on this occasion where their performance may not have been perfect I feel that their brush off approach is pathetic. It is all to easy to foresee others including myself being in the same scammed boat.

>> Do the means exist for Which? Conversation to elicit a more constructive response from FD???

As an aside I don’t use mobile banking in principle, and only occasionally generate codes to access my online account “to keep my hand in”. Too many horror stories …

Iain – I am not surprised that First Direct did not respond to your enquiries.

Gaynor shared her story with the participants of Which? Conversation. I don’t consider it appropriate for any of us to then pick up her report and interrogate her bank about it, even for the purposes that you suggested for assisting other customers.

I would not be happy if my bank publicised something to do with my account that I had asked them to act on – and this is still a live ongoing investigation, don’t forget. Gaynor wasn’t asking for anyone else’s help, she just wanted to alert people to the awful consequences of a particular scam through a forum that was considering such matters.

If Which? – with Gaynor’s permission – wanted to ask First Direct for any guidance on how to avoid being scammed I would be supportive, but I do not criticise First Direct for not responding to your enquiry. I am sure the bank would wish to keep the number of its own staff aware of the case and dealing with it to the minimum number properly required to ensure that extraneous activity did not compromise the investigation.

In my opinion, all the advice that bank customers need to protect themselves from having their accounts raided is available in the comments given in this and other relevant Which? Conversations.

I beg to disagree – as a First Direct customer myself. If Gaynor chose to share her experience – publicly – with others on this forum, then the motives must surely be 1. to seek advice from anyone who can offer it to suit her circs (what if anything did she do wrong???) and 2. to do us a favour by pointing out what can happen if one is equally unfortunate. In the circs which she described First Direct did not appear to come over with much credit (unusual). Which prompts the question: “There but for the grace of God …”. I think it is entirely reasonable for FD customers to seek reassurance from the organisation as to what can be / should have been done – by either side – to avoid a repetition for themselves. If First Direct are not even prepared to read let alone comment on the freely publicised facts then in my book that smacks of complacency not to say arrogance. These were the words I used when speaking to them.

With great respect I fear that this case doesn’t give me the confidence (that it couldn’t happen to me) that would be implied in your last para. These guys are constantly up to new tricks and the only counter is for the facts to be aired and commented upon as widely as possible in forums such as this one.

Thank you, Iain. You have asked First Direct for more information but been denied. I am not surprised. I have no further comment.

I had a very believable scam (I think!). He said he was the police and not to worry as it was not serious but they had just arrested a man who has long been doing it and they knew and arrested him
The long and the short of the tale was that the man had all my bank details, who I was dealing with and had I had any odd messages on my internet. I just said that I was getting a lot of fake scams which seem a bit odd and ones I have not seen before. He told me to ring the bank.
It seemed real because he was an older chap, spoke really well and did not ask for my bank details. I thought it was real but my neighbour said she thought it was a fake, she is usually right but it took a while to realise it might be fake after all. Nothing else happened.

Two years ago I fell victim to a scammer who claimed to from Nationwide fraud department. He stole over £18,000 leaving me penniless. This occurred 2 days after I was diagnosed with leukaemia, so could see how devastated I was, I was inches away from ending it all.
Nationwide did absolutely nothing to try to get my money back, all they did was to give me a case number and that’s it.

Mike – I am sorry to hear about your loss and your medical condition, but you don’t say how the Nationwide BS contributed to the fraud. Presumably you provided the criminals with some information that enabled them to access your account and transfer your funds into theirs. They must have pretended to be you and it is difficult to know how a bank could have prevented that.

John,
Thanks for your comment, the scammer called me around 7pm on my mobile phone stating that he was from the Nationwide’s fraud dept. and that they had picked up on 3 attempts to gain access to my account. At no point did I give him any information about my account, he knew them already. There were times when he was doing things like setting up a “new account” and I took the opportunity to use my landline to call the number on my debit card to check if he was legitimate, but all I got was an automated message saying the office was closed. I then told him about this and I was not happy to transfer all my funds to a new account, and I hung up on him. I even had time to call my daughter-in-law, who works at Barclays, to ask her advice and she did say not to carry on with call because I might be seen as being complicit with the scam. He called me again explaining that the office was indeed open but their telephone system was switched to outgoing calls only. In the past I have worked in places that had the facility to switch the telephones to outgoing calls only, so I didn’t think much more about it.
I told him that I was still unhappy to make the transfers and would like to visit my nearest branch to take things further, but again he went on about making my money secure right away in case there were further attempts to gain access to my account. He seemed to have plausible answers to all my concerns and eventually he persuaded my to make the transfers. Had I known there was a website where it’s possible to check which banks used which sort codes, I would have been able to see that the sort code for the “new account” was in fact Barclays Bank and I would have known it was a scam. He even claimed to have set up an appointment for me at my local branch in Bury St Edmunds so I could finalised everything. Needless to say when I went the the bank next day for my appointment, the whole thing was laid bare. The branch manager called the fraud dept for me and I told them my sorry story.
A few days before all of this happened, I had paid a deposit for some building work to be done on my house and was fortunate enough to cancel the work and get my deposit back, otherwise I wouldn’t have two pennies to rub together. Looking back on it all I had a gut feeling that the scammer was either an employee or ex-employee of Nationwide, to have the knowledge and wherewithal to make scam work. Of course I have no proof of this, it’s just a theory.

Mike – I am very sorry to hear that you have been lost a large amount of money. I do not know why Nationwide has not attempted to recover your money from Barclays. These are two companies based in the UK, not in distant countries.

Which? have reported cases of recovering large sums of money and I hope you will consider joining Which? Legal for advice on how to proceed. The cost is small and you do not have to be a Which? subscriber. I would not pursue the possibility that there could be inside knowledge without evidence.

I would like to see all banks delaying payments to new payees’ accounts for several days to allow possible fraud to be reported and investigated. This would be particularly useful for victims of scams who may realise what has happened very soon after the event.

I would expect all banks to provide a 24/7 service to report a missing card or suspected fraud.

Nationwide, and presumably others, do give the facility to choose to delay a bank transfer. The customer has the choice. If they are uneasy about moving money they should not start the process until they are content.

OK, easy said when there is pressure but a lot of warnings have been made about such scams – opening a “new” account is an old one. And if you think about it, should your existing account be defrauded without any contributory action by the account holder the bank will be totally liable to restore the loss. As far as I know.

I would like to see the facilities offered with bank accounts to be tiered, to suit different kinds and abilities of account holders. Selecting from, for example, limited payment amounts, limited daily or weekly withdrawals, a whitelist of payees with new ones requiring a second persons authorisation, payments above a certain figure to payees made only with a second persons authority. My initial aim would be to limit losses from scams.

Banks are not always to blame for someone’s naivety, lack of care, irresponsibility, panic, or whatever and should not automatically be required to compensate them for those failings. Requiring them to pay out our money – where else does it come from – when they have had no part in a transaction and have not been negligent is no way to deal with this problem. It is, of course, a popular and headline grabbing approach.

There needs to be a delay by default to allow time for suspected fraud to be investigated because many people do act in haste. Banks can delay payments as you know, so the mechanism exists.

Delay of payment of money to new payees could help deal with the problem you are concerned about. I don’t want to contribute to the cost of reimbursement of bank customers who have lost money because my bank acted too hastily. Perhaps Mike might not have lost £18,000 if Nationwide had delayed the payment as I have suggested.

Thank you, Mike, for providing further information.

On the basis of what happened I feel that Nationwide BS should have investigated the case further and, as Wavechange has said, worked with Barclays Bank to return the fraudulently transferred payment and, so far as possible, deal with the criminal implications.

This is a case, though, where the Nationwide did not do anything wrong whereas you were the target and victim of a particularly pernicious fraudulent act that put you under duress to the extent that you facilitated the payment transfer to the new account. You were completely deceived, the money was taken from your account under false pretences, and the criminal has got away with. This surely should have led to police action and if the Nationwide did not contact the police then I consider them to have been negligent. For the banks just to do no wrong is not really good enough; they should also be accountable for failing to do what is right.

We can only speculate how the criminal had knowledge of your account details but I would be thinking along the same lines as you. Whether the Building Society followed up on that aspect will never be known.

One of the problems with this particular type of fraud is that the caller has thoroughly rehearsed their position and their lines whereas the target is possibly in a mild state of shock and has to think on their feet rapidly because of the pressure they are being put under. With the benefit of hindsight, you probably realise that the way for the Nationwide to protect your account from any further “attempts to gain access” would have been to put a block on it and that a genuine bank official would have advised that.

A significant aspect of how this sting occurred is the basic set-up: you were called on a mobile phone at a time [7:00 pm] when the offices were generally closed and you were tricked into accepting that you couldn’t call in to verify the transfer process. Your daughter-in-law gave you good advice, which you no doubt followed, but the perpetrator persisted and called you again on your mobile phone to press you to agree to the transfer. I think most people would have cooperated in the circumstances. As you say, these confidence tricksters are all very plausible because they have acquired the skills needed to manipulate people and they have enough knowledge of the individual and the process to make it work.

It would seem that the banking industry does not have an answer to this so a mandatory pause on payments to a new account – even in cases where funds are alleged to be at risk – is possibly the only way to defeat the criminals.

We only hear one side of the story, most times, from the victim and not the bank involved. We do not know what Nationwide did, or did not, do. Having listened to advice from someone in the banking industry but then ignored it seems to be a contributory factor and certainly a share of responsibility at the very least.

Delayed payments by default? Maybe. To see whether this was useful I would look for evidence that people taken in by a scam would, in fact, continue to think about it and seek advice in the day, or two, afterwards. Or, if they are convinced by the scammer, whether they just put it out of their mind. Some supporting evidence would be useful.

As I’ve said before I would like to see all cases investigated to decide whether there is a case for compensation. Maybe this is already happening. As you say, we only hear about one side.

I am very encouraged by changes that banks have made to protect customers in the past couple of years, but these could have been introduced sooner. As well as delaying payment to new payees by default (perhaps customers could be allowed to waive this protection at their own risk), banks could set a modest maximum payment by default, requiring customers to take time to decide whether to authorise larger payments. I agree that we don’t know how effective delaying payments would be, Malcolm, but perhaps trials could be run. I would be happy to sign-up.

I suggest that we have to acknowledge that people do not always behave as rationally as might be hoped. Young people tend to lack experience and older people can become more vulnerable. If customers have no protection and lose their money you and I might end up contributing to their benefit payments. 🙁

Thanks John,
I did report the scam to the police and I had a visit from them several weeks after the event, ( I did take the opportunity to see what a Norfolk Constabulary warrant looked like before they arrived)
When I visited the Nationwide branch on the day after the scam, and I gave all the information to their fraud department , they did check Barclays account the scammer used and of course it was empty.
Surely there must be some sort of digital paper trail the banks could follow in these cases, even if the money is transferred to another account wherever it may be. Barclays must know where the money went, the fact that this didn’t happen to one of their customers maybe they were less inclined to pursue it further.
The banking system makes it far too easy for anyone to open and close accounts at will, there isn’t any incentive for them to “police” their customers who do this sort of scam and close any loopholes scammers use.
As you may see from my tone it’s still raw for me even after 2 years, I’m still suffering the consequences of the scam. I’m a 68yr old pensioner and I’ve had to max out my credit cards in order to keep my head above the water, so my credit rating is now a joke. The money the scammer stole was the remainder of the equity release I had taken out on my house, so that avenue is closed to obtain money to pay off my credit cards.

The reluctance of the receiving bank [Barclays in your case] to pursue the money or the account-holder is the loophole in the code of practice to which most retail banks have signed up. Any recompense due to you should come from Barclays Bank because (a) they allowed criminals to operate an account for receiving stolen funds, and (b) they did not cooperate effectively in identifying the offenders. They could have plausible defences against those accusations but that is how it looks to me on the basis of the information available. Nationwide Building Society will stand their ground that they were not negligent and made no contribution to the perpetration of the fraud.

I am glad the police did come to see you , but do you think they are going to pursue the case through the banking system?

It is clear that this episode has had a seriously harmful effect on your well-being as well as depleting your savings which will make for a less comfortable retirement.

I stupidly fell for scammer on my HSBC account for £9,200. HSBC were brilliant and refunded my account on the same day I reported it. HSBC Customer Services were polite, sympathetic and helpful. My internet account was suspended and it was very time consuming to get it reinstated – but the rigour of their checks was reassuring.

This all adds to what I’ve been wanting for years!! For BT and other phone networks to make number spoofing impossible. In fact, I would like to take things further: it should not be possible to hide behind anonymity – full stop! That should stop trolling, online abuse, scams and nuisance calls.
I’ve talked to Which? about this idea and they were really interested but that’s all I’ve heard or seen about this. Reporting and explaining scams only goes so far…

I was recently contacted by phone text asking me to pay postage on a parcel
I looked up my local sorting office to find that there wasn’t a phone contact at all I googled it and dialed only to be told that I should get in touch with customer service and began to give another number
The Royal mail are not looking after their customers at all WHY no phone number so we can contact to see if a scam is being committed
I believe it is because of the cost of (a) a new telephone line (c) the cost of manning it.
Due to the rise of Royal Mail Scams,
you would think that they could put a bit of effort into helping their customers

I was getting these call on a regular basis. so instead of just terminating the call, I started using a different approach. After they have said their first sentence, I interrupt and say calmly “Let me stop you there, we both know you’re a liar and the fact you are trying to steal from me, we also both know that you’re a thief.” I then raise my voice a tad and say “Now Pee off and don’t call this number again.” The number of calls I receive has diminished considerably. You can of course use your own expletive instead of Pee.

As a police volunteer for the last 9 years, prior to that, I was an identification officer so have always been aware of fraud. I do participate regularly in meetings regarding Fraud and Cyber Awareness Crime but I still find that no matter how careful we try to be it’s quite daunting and worrying that these scams are so believable that you need to be on your guard constantly when responding to those kinds of calls. As savvy as I am I constantly check my accounts because I know that fraud can be committed through all sorts of ways for the fraudsters. Before I open an email I check at the top who it has actually come from. I don’t use my landline, in fact, I don’t even know the number. I regularly get calls supposedly from Amazon and HMRC on my mobile and I usually let them ramble on before I throw expletives at them. In fact, one fraudster told me the call is being recorded when I made a racist comment to him and I laughed and said report it to the police then. He hung up. I think it’s a case of the government needs to flood the TV with adverts advising people of those kinds of scams and frauds. It really is frightening and I do still worry that I may be taken in one day.

I too check any dubious email I receive to see who it’s from, it’s so easy to do and often the sender’s email address is just nonsense. I empty my spam folder daily of the 50+ scam emails I receive.
As for my landline phone, I never give the number out, although I still do get the odd scam phone call usually from “Amazon Prime” even tough I do not have an account. It’s much easier to block/filter unwanted calls on my mobile with the installed software I have.

I wonder if as a rule of thumb one can simply regard any communication, however genuine it seems, to “move money to a different account” (ostensibly on account of the well-vaunted “suspicious activity”) – to regard any such communication as most likely fraudulent – period? Are there any genuine circumstances where a bank would make such a request, as opposed to temporarily blocking or restricting an account as documented above?
If moving funds was really justified I suspect that the bank could do so internally without asking the account holder for passwords and PIN numbers etc. Under what circumstances hackers can do this is what worries me. [Alongside mobile banking in general for non-trendy types like me.]

tom says:
28 May 2021

I am a pensioner and no techy. I have been told that these telephone scammers cannot be traced and I am having difficulty understanding why NOT. For instance I feel sure thousands like me have recieved the Amazon telephone scam call more than once. I presume the perpetrators of these scams must be paying for the call once you engage in a conversation and for this reason I like the idea of keeping them on the telephone and playing them along before putting the telephone down as sugested in some of the posts.
But these scam calls are a nuisance, frustrating, and time wasting. I think if the technolgy has been developed to put a man on the moon it should be possible to trace where these calls are coming from
in order that they can be blocked .
This being the case I can only asume that it is not in the Telephone Companies interests to instigate this as they would lose income. However, I do wonder how quickly the problem would be solved if they where made responsible for any loss incurred once it became obvious ( beyond resonable doubt) their customers where being subjected to this criminal activity.

I also get scam calls on my landline, if the number isn’t withheld I go to a website called “Who Called Me” and report the number. You can see other people’s experience with that number and if it is a scammer or legitimate.

How many times do the banks have to say we will NEVER ask you to move your money to a SAFE account or ask you to hand over your details over the phone .If you’re account was under genuine attack the bank could just freeze it .

I was on the point of making this very point myself having checked with First Direct 10 minutes ago, but you have pre-empted me. However It doesn’t explain why, as reported elsewhere on this forum, asking for one’s account to be frozen does not always have the desired effect – which is worrying when it is not unknown for a fraudster to hack into an account without passwords being revealed.

I have not yet had the opportunity to ask one of these fraudsters by what means they have identified and defined “suspicious activity” on my account. May be someone can enlighten me.

That’s an interesting point, Iain. Are banks under any obligation to put a block on an account at the account-holder’s request? Or would they say “Yes, we can do that, but where would you like your income to go?“?

If I contacted my bank and told them I thought there had been some suspicious activity on my account, would they take that as an instruction to freeze it temporarily, or would they insist on carrying out their own checks before taking any specific action? And if the bank’s checks proved negative, what then?

John – I appreciate the point you are making, but I am not sure the banks do go far enough to tell people that they will never ask a customer to move their funds to a safe account.

I expect the message can be found in all the verbiage that emanates from banks from time to time but it isn’t graphic and direct enough to register with people. Many customers no longer receive a paper statement each month; that was a golden opportunity to include advisory notices. Now, the advice might be found within the boxes that appear on the websites but which, through familiarity, have lost their impact.

My building society includes all the necessary warnings and guidance in the small text surrounding the pro forma for making a payment transfer. I can’t say I haven’t been warned – so they have fulfilled their obligation adequately – but equally I can’t say I’ve paid much attention to it [so if anything goes wrong it’s bound to be my fault].

To address John’s points:
Account block: This has to be seen as a short term measure triggered for example by the account holder fearing that (s)he had been scammed such as elsewhere reported, whilst the facts were investigated – by the bank. My brief conversation with First Direct lead me to believe that this would be quite possible, indeed logical, though it seems from previous comments that such action is not always waterproof. Obviously if the checks revealed nothing untoward then normal activities such as income payments could resume once the all clear had been given. Or not as the case may be.
The term “suspicious activity” seems to be part of the scammers’ vocab. This triggered the thought on my part to query just what activity this could be that aroused suspicions in the first place, as reported by the scammer as the motivation to move funds to the safe account.

Indeed; how would an external party, including one’s own bank, know what sort of activity was or was not suspicious?

I suppose in the many real cases of people getting an e-mail purporting to come from their solicitor asking them to send payment to a new bank code and account number, and that account was already under investigation by the banks or the police, their bank could reasonably phone them to inform them of suspicious activity and request confirmation of the payment and its intended destination.

Tracey Q says:
28 May 2021

We had £1,650 taken out of our account apparently a 65 inch Samsung TV had been ordered from Amazon in my name from my account. We did not order a TV and we did not receive it either. We reported the matter to The Nationwide who initially reimbursed us and then 21 days later asked back for the money and accused us of being fraudulent. We contacted the police as well as the alleged seller via Amazon who insisted that the phantom TV had been delivered and handed over to us which clearly it had not. We felt frustrated that our building society did not believe us and the person at Nationwide who was dealing with the issue straight out told me that because I had been searching for TV’s on Amazon that it was clear that I had ordered it and was now trying to make a fraudulent claim. Consequently we closed our account with the Nationwide because clearly they weren’t protecting us when such a large amount of money was withdrawn without our consent from our account. I did get our money back from Amazon although initially they were trying to fob me off. I simply emailed Jeff Besos the CEO of Amazon and explained the situation and he insisted that I got my money back. Whenever I purchase anything from Amazon now I always remove my card as a means of payment.