85,000 banking customers lost £354m to fraudsters
Metro Bank says it has a range of safeguards in place but even the savviest customer can be caught out.
Nearly 85,000 banking customers lost £354m to fraudsters last year after being tricked into revealing bank details. The scam, known as "authorised push-payment fraud", typically deceives customers into thinking they are communicating with their bank so that they disclose vital security information, or with a legitimate trader to whom they owe money.
Michael Johnson and his business partner had struggled for a month to open a new account with Metro Bank, despite the fact that he was already a customer. So it was a relief to receive a phone call apologising for the delay and promising that the new account could be set up then and there. The caller took him through Metro's standard security questions and Johnson received authorisation codes texted from Metro to enable the transfer of his payees from his old account to the new. That afternoon he received another call. It was Metro Bank informing him that he had been scammed out of £9,200.
Johnson's case is remarkable because of its sophistication. The caller mirrored Metro Bank's security protocol, customer service style and terminology, and was already primed with personal information about him and his company.
Tickets: can you trust the new wave of resale sites? "At no time did I suspect that I was not talking to someone from Metro Bank despite being alert to the risks because my father had been scammed a few weeks earlier," he says.
The scam began with a genuine tweet from the bank asking customers to share their experience of its customer service in an online survey. Johnson's business partner tweeted back to report the difficulties setting up the new account. The fraudster saw her tweet, Googled her details and called her via her company contact number posing as a Metro Bank customer service operative called "Neil". She was told that the call was in response to her tweet, and that the bank wanted to rectify the poor service and get the new business account set up immediately. She was asked for details of the business as part of due-diligence checks required by the banking regulator and she named Johnson as a co-director.
By the time "Neil" had obtained Johnson's number from the company website, he already knew enough details about the business and its banking facilities to convince Johnson he was genuine.
Alarm bells might have rung if "Neil" had asked for full passwords, but he didn't. "He told me he'd just got off the phone from my business partner and that the person who had been dealing with the account request had missed the fact that I was already an account holder, which should have made the procedure straightforward," he says. "He then asked me for two characters from my password and user name and explained that he would need to switch my existing account from 'personal and business' to 'business online' so that he could set up the account. This is all Metro language.
"He told me I would be receiving some texts - which came from Metro Bank and therefore raised no suspicion - and I would need to give him the codes contained in them so he could transfer the payees to my new business account."
"Neil" rang off several times in order to "run some checks" and each time he called back he repeated the same security procedure. "I am assuming he asked for a different two characters from my password each time until he had the whole log in," says Johnson. "I now know that instead of transferring payees to a new account, he was setting up new payees on my old one and transferring my money to them as soon as I gave him the authorisation codes."