How one ‘push’ from bank fraudsters can lose you thousands of pounds
We’ll send you a myFT Daily Digest email rounding up the latest UK Finance news every morning.
The “push” comes out of the blue. You receive a call or email from a seemingly plausible official who claims to be from the fraud department of your bank. Your details have been compromised, they say, and request that you urgently transfer your funds into a fresh account for safekeeping.
In other cases, the “official” may claim to be a solicitor or from a business you have dealt with.
They know about a big transaction — you are about to buy a house, a car, or pay the builder for work you have had done. Unfortunately, they say, the account details that you were about to use have changed. Would you be so kind as to put the money into the new account? And can you do it now?
More Britons are falling victim to bank transfer scams and the sums lost are significant: the average loss is more than £5,000.
The tricks are sophisticated. Once you transfer money into the rogue account, your chance of seeing it again is low. Real-time payments, authorised in good faith by the customer, are irrevocable. How could your bank know you were transferring your life savings to a fraudster?
While digital banking makes it easy for customers to authorise large transactions, it is a different story when you realise you have been conned and try to get the money back.
From next month, however, new rules will mean that banks give more help to victims of “authorised push-payment fraud”.
FT Money examines the changes, hears from victims who have lost large sums and sets out how to protect yourself.
The statistics behind ‘push payment’ frauds
Last year, 43,875 people reported an authorised push payment fraud. Customers instructed their banks to send a total of £236m into fraudsters’ accounts. They lost an average of £5,379 each.
Just £60.8m, or 26 per cent, of the stolen money was reimbursed to customers, says UK Finance, the industry body.
Consumer groups fear that push fraud is more prevalent than the data suggest because not all clients report it. Some are too embarrassed; others believe there is no point because the chance of getting the money back is slim; customers are also daunted by having to get through to banks’ fraud teams.
From next month, all UK banks will have round-the-clock fraud-reporting lines. They will also be expected to respond quickly and fully.
The changes cannot happen soon enough, say consumer groups. They campaigned for banks to give more help to victims and to tighten up systems to make it harder for criminals to open the accounts that are used to spirit away ill-gotten gains.
Until now, banks have avoided paying compensation to most victims of push fraud because the customers themselves authorised the payments, typically by keying in a code generated by the online bank to pay funds into a rogue account. The customer might have been tricked, but the banks argued that this was beyond their control.
Two years ago, Which?, the consumer organisation, made a super-complaint to the Payment Systems Regulator. It wanted banks to reimburse the victims of push fraud unless they had been fraudulent or grossly negligent. Which? also wanted consumers to be protected when banks fell short by not managing the risks associated with fraudulent payees.
The PSR agreed there was “evidence to suggest more could be done to identify fraudulent incoming payments and prevent accounts from being under the influence of scammers”. It said banks needed to improve how they worked together after a scam.
Many victims complain that banks do little to chase money transferred as part of push frauds.
They also believe that the banks’ security systems had been breached before the push payment took place: the fraudsters knew so much about them personally.
Jenni Allen, managing director of money content at Which?, said it made the super-complaint because 100 people a month were calling to say they had been scammed. It felt consumers had too little protection and that banks were not properly equipped to deal with fraud cases.
“There seemed to be insufficient incentive for the banks to do more,” Ms Allen said. “There is no clear liability for the banks and we are calling for greater liability so that consumers are better protected.”
UK Finance said that while banks must follow strict rules when opening an account for a new customer, “if a criminal uses fraudulent information . . . it can be extremely difficult to detect”.
The banks’ next move
From next month, banks have said they will respond more quickly to customers who report push fraud.
New standards introduced by UK Finance will mean that all the major banks will have specially trained staff manning round-the-clock reporting hotlines.
Crucially, customers will deal with their own bank only — and not the bank into which the funds were paid. The customer’s bank is expected to act as intermediary and should be the victim’s sole point of contact.
“We have introduced new standards on how banks respond to victims of authorised transfer scams,” said UK Finance. “We know, however, that there is always more to do. This is why we are working with the [government’s] Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.”
The task force is working on a funds repatriation scheme with the aim of following money across payment systems. The proceeds of fraud can then be retrieved and returned to the victim.
Banks will collect more details on the scope of the problem. They will develop a common approach on responding to authorised push payment scams. Eventually there will be a “confirmation of payee” tool so that customers can check that a bank account belongs to the genuine organisation or person.
More victims should receive compensation
The approach favoured by the PSR is a “contingent reimbursement model”. This would mean that payment service providers — banks and companies such as PayPal and Worldpay — would compensate victims if they took due care and the payment companies did not follow best practice.
Under this model, either the customer’s or the recipient’s bank could be held to account. This should lead to more push fraud victims being compensated. The proposed code goes out for consultation next month.
“We are working hard to protect people from these types of fraud,” said the PSR. “We want to see a new industry code, including a reimbursement model, giving everyone greater peace of mind that their money will be better protected and that, if they fall victim to this type of scam, their complaints will be given much greater consideration.”
The regulator hopes the code could be refined early next year. “We have set a challenging timeline but it is essential that we see, as soon as possible, a model that is effective in protecting people,” the PSR said.
The Financial Conduct Authority, the regulator for financial services companies and the markets, published a separate plan in June that is out for consultation until September 26. It wants banks to step up fraud prevention, with stronger checks to stop criminals opening accounts. It says the Financial Ombudsman Service should be used to give more help to victims.
“We found that receiving-payment service providers could do more to identify fraudulent incoming payments and prevent accounts from being compromised by fraudsters,” the FCA said.
It has recommended that victims of push fraud should be able to complain to the ombudsman if they believed that the banks receiving fraudulent payments either did not do enough to prevent the fraud or make an adequate response. According to the FCA, some victims did not receive a reply to their complaints.
What you can do to protect yourself
Speed is of the essence if you fall victim to push fraud. The faster you tell your bank, the quicker they can find out which bank has received the money. There will be a better chance of getting the account frozen or qualifying for compensation under the new scheme.
Ms Allen said many people were quick to realise they had been scammed, often as soon as they put the phone down. The banks, though, did not deal with the complaint quickly.
When reporting a fraud, customers should record who they talk to and when. They should check progress frequently. Which? said the people who persevere appear to have more success in getting money back. In future, improved co-operation between banks should mean more money is recovered.
Customers can protect themselves by being extremely wary about financial calls. In some cases of push fraud, the crooks have the details of your bank accounts and even recent bank payments. How they obtain this information is a mystery.
Some appear to be calling from the number on the back of your bank card. This is known as number spoofing — the caller ID on your mobile or landline has been tricked into appearing as your bank’s number.
Other scammers might suggest you hang up your landline and call back to satisfy yourself that you are speaking to your bank. The fraudster merely remains on the line and pretends to answer your call. Always ring back from a different line or wait for more than 30 seconds.
Many fraudsters rush customers by saying that their money is in danger and must be switched immediately. Banks never do this — nor will they ask for security details such as a personal identification number or a password. You should refuse to give such information to callers.
If you are about to pay a big bill — to an estate agent, builder, solicitor or car dealer — you may be anxious that the deal will not go through. Keep your emotions in check to avoid being off guard should a fraudster strike.
Customers should cross-check details of how to pay the bill with the business’s official number. Do not take the fraudster’s word for what that number is. You can already check bank sort codes on the Faster Payments website to establish that the one you have been given matches the bank.
And the golden rule? If something feels wrong, trust your instincts.
I was conned into transferring thousands to a fraudster
Last March, Sophie Spencer was driving when she received a call on her mobile purporting to be from her bank, NatWest. She told the caller she could not talk. But before she arrived home she received an “activation code” on her mobile phone, which she had not asked for.
Soon, the same man called again. To persuade her that he really was calling from her bank, he gave details of an insurance premium that Ms Spencer had paid that morning via telephone banking.
He said there was no time to lose because her bank account, which had more money in it than usual, had been compromised. She was urged to use the authorisation code to enable the bank to move her money to a safe account with NatWest. She used the code — then immediately questioned what she had done.
Using both her own mobile phone and her son’s, she started calling NatWest. As a long-term Premier banking customer, she first tried to report it on the Premier line but her call was rejected because the bank mistakenly said she was no longer a Premier customer. It took another 30 minutes to get through to the bank’s fraud line. In that time, more than £19,000 that she had in her accounts plus overdraft facilities totalling £12,000 were taken.
“How did the fraudster get my mobile number and bank account numbers and know the last payment I had made?,” Ms Spencer asked. “He did not ask me any questions. He told me. There must be some security leak within the bank’s systems.”
Which?, the consumer group, warned that the methods used by the fraudsters behind authorised push payment scams were “increasingly sophisticated”. It is aware of similar cases where fraud victims believe their account details have been compromised.
Ms Spencer pursued the lost money with vigour. She was told her money had been switched to a TSB account. After seven weeks, NatWest refunded just over £12,000 to her business and personal accounts because this money was taken from her overdraft facilities, which are protected under the Consumer Credit Act.
Two months later, at the end of July, the NatWest Premier team called to say that £5,676 had been recovered from TSB. Ms Spencer was still more than £13,000 out of pocket, but NatWest said it regarded the case as closed.
NatWest said the bank sympathised with Ms Spencer and appreciated that this had been “a very distressing experience for her”.
Urging vigilance, the bank said customers “should never make a payment or divulge full security credentials at the request of someone over the phone purporting to be from their bank”, stressing that it would “never ask a customer to move money to another account to keep it safe from fraud.”
“If a customer receives such a request, they should decline this and report it to their bank immediately on a phone number they can trust. We would also recommend that they call back from their mobile phone or wait 30 seconds before calling back from their landline if they do not have a different device.”
TSB said: “We work extensively with other financial institutions, industry bodies and law enforcement to stop fraudsters and to recover stolen funds as quickly as possible. We encourage customers to report suspected fraud as soon as they can. The earlier they do, the quicker it can be retrieved.”
From next month, all banks will have to provide customer fraud helplines that are manned by trained staff around the clock, seven days a week.
However, customers in this situation can make a claim to the Financial Ombudsman against their own bank if they believe there was negligence in the way they handled their reports of authorised push payment fraud.
NatWest said it “fully supported initiatives to improve the protection offered to customers” and was “working directly with other payment service providers and industry partners to identify suspect transactions to increase the chance of returning funds to victims” as well as “investing heavily” to raise staff and customer awareness of push payment fraud.
Get alerts on UK Finance when a new story is published