Fraud: how I was scammed and you could be too
Authorised push payment frauds, where people are tricked into transferring money into criminal-controlled accounts, are growing fast, with £354mn stolen last year. FT journalist and fraud victim Joe Sinclair talks to readers about how they've been duped and what the banks, customers and businesses should be doing about it
Produced, filmed and edited by Joe Sinclair; additional filming by Petros Gioumpasis; technical advisor Andrew Georgiades
You can enable subtitles (captions) in the video player
A journalist working for the Financial Times should know how to handle their money. But I threw away £4,300 with the press of a button.
Thank you very much.
This is my decorator, Perry. I'll let him explain what happened.
I did send you an invoice. You paid the invoice. You paid the funds. I didn't receive the funds. So what happened was, that email I sent to you was intercepted by a fraudster, and then sent to you. So what they'd done, they changed the bank details, then send it to you. You paid into the wrong account.
Authorised push payment scams are one of the fastest growing types of fraud. It's where you're tricked into paying money into a criminal's account. It might be a fake invoice, a fraudster impersonating your bank on the phone, or even an online romance scam. £354m were stolen in this way last year.
It took me a while to find out. But because I pressed the button on the payment, I was liable, even though I paid from a Barclays account to another Barclays account, which the criminals controlled and drained. After I wrote about it for the FT, many readers got in touch with their own stories, comments, and questions. We're going to hear some of those stories, ask what more the banks should be doing, and learn how not to get duped.
This is Kelly Taylor and her nine-year-old daughter, Isabella. And this is their dream home. But they're not living there, because Kelly paid her £89,000 deposit into a scam account after her solicitor's email was intercepted and changed. Ever since, she's been battling to get her money back.
Is there any hope that you will one day be able to move into that new home?
I don't know. I've obviously got hopes. I wouldn't say high hopes. I would say very low hopes. But my philosophy in life is don't give up, and I'll try not to. So every day I wake up, and I just think, I can do this. I can't give up. I've tried to give up. And then my friends and family pull me back and say, don't. You got to do this.
Because I want to look at him in his eye in court and just think how much he ruined my life. You've totally destroyed me. You destroyed my faith in humanity. But there are a lot more nicer people in the world than these horrible people that are hackers and scammers. And hopefully they get their comeuppance. What comes around goes around.
Our stories are remarkably similar, in that the emails were sent as part of a chain. And they came from a genuine email address. And I didn't realise, like you didn't realise, that something like that could be intercepted and changed.
And I'm relying on the Financial Ombudsman, because I'm a victim. I'm innocent. I've done nothing wrong, except to just do what I was told in an email, send this money, and that's it. I haven't done anything wrong, and all I want is my money back.
Kelly believes the bank should do more to question people making large payments at the point of transaction, whether that's online like me or in person at the branch like her. The banks themselves have delayed a step that could stop these frauds.
OK, so we're up here on the FT roof with the City of London behind us. It's the home of the UK's big banks. And Claer, you've been campaigning for action on this. What should the banks do about it?
What I think could really make a difference is for the banks, the regulators, and the payments authorities to act together fast to introduce something which has got a very boring name, Confirmation of Payee technology, but a very important role. Now at the moment, if you pay somebody online, you put in their sort code, their account number, but crucially not their name.
There's a space to put something as a reference, but the bank doesn't take any notice of that. But under Confirmation of Payee, you would get a green tick to confirm that the person who you think you're paying is actually the person who you think you're paying. Because it seems obvious to me that the level of these frauds and deceptions can be so sophisticated that banks really cannot expect to just pin it all on the customer for much longer.
One victim's son got in touch to show how he's fighting back against scam phone calls.
I'm on my way to meet a former police firearms officer, who was tasked with protecting the royal family. But he got in touch because he said he couldn't protect his own family, his dad, from common fraud. And now he wants to do something about it.
Cumbria in the northwest doesn't look like a tech hub, but a team of business friends here is developing an app called Keepel that uses artificial intelligence to identify fraudsters. It's designed to hang up on anyone who might be pretending to be from your bank or the police, who's trying to get you to move money into their own account.
So here I've got a couple of photographs of my dad, in the army, second world war obviously. So that's him sitting at the front.
Simon got the idea after his ageing father was scammed out of £650 by a hoax caller. It may not sound like much, but it had a profound impact.
He found it difficult to answer the phone after that. He found it difficult to go out on occasion, as well, after that, because he lost confidence in his ability to judge what was happening. It's a very sad thing, and it angered me a huge amount. It attacks people where they feel most secure, which is in their own home. And it's not a physical attack. It's an emotional attack, and that hurts just as much. And I'm determined that, with this product, we can and will have an effect. We can do something about this problem, because no one else appears to be.
So you're going to show me the app. I'm going to pretend to be a fraudster and you're going to be my victim.
I am. Let's try.
Hello, there. Is that Mr Smith?
Hello, I'm calling from your bank.
I just wanted to check, because there's been some fraudulent activity on your account.
Yes, and I need you to take some action immediately.
The call's terminated. The red text has been allocated a high risk and is associated almost certainly with the kind of speech pattern that fraudsters are using on a daily basis. And it will pick up stressors, such as: we need to act fast. It will pick up the tone of voice, the change in the tone of voice.
Industry body UK Finance says banks were investing billions into tackling economic crime, and a new voluntary code of conduct will make it easier for victims to be reimbursed. They say the technology to implement Confirmation of Payee is not as simple as it sounds, and it is vital that we get it right. In my case, Barclays said it had acted quickly to try to recover the funds and that no bank does more to protect customers.
But what about the scammers themselves? In my case, they moved the money out of one account and then the next. The banks won't tell me anything more because of data protection rules. It's up to the police to investigate further. We did a little digging ourselves and here's what I now know. A Google search locates the bank in Chester.
But fraudsters often use mule accounts set up by legitimate customers, who are either tricked into taking part or do so willingly. The PDF of the invoice was wiped of its metadata. But we can see that it was made with some pretty expensive software that can only run on a corporate server. The email, supposedly from Perry, was actually routed via Austria. Though it's likely the criminals were using a VPN to shield their actual location, so it could have come from anywhere.
So it's not easy to follow the money. But we can say that this appears to have been a fairly sophisticated operation. And these operations are often hard to defend against.
It's a domino effect. I'd already paid wages. I'd already invested in materials. So I'd paid money out of my pocket. And I've not got a large bank balance. I'm a small company, as you know. I've got a few guys around me. We're not a big outfit.
In the firearms unit I went against the most dangerous people in the country, so I could rationalise violence. So I could deal with it in my head. What I couldn't understand and what I couldn't rationalise was the way my father was victimised. It preyed on his decency, and it preyed on his vulnerability.
They need to say: here's our account details, on headed paper, not through emails, anything like that. They need to send a package out with their exact account details. Then you should send a pound over. Then they confirm they've receive the pound. And then you send the rest of the money.
I've been struck by how many people I've spoken to have been affected by this sort of crime - friends, relatives, and colleagues. Yes, we should all check the bank account details in person with whoever we're paying. And yes, businesses big and small have a responsibility to protect their email accounts. But I believe the bank should shoulder their share of responsibility, too.