The call comes from your bank’s number. The friendly lady doesn’t ask for any account or password details. Feel safe? Big mistake . . .
As Catherine, who fell victim to the most sophisticated banking scam yet, reveals
My heart was pounding. ‘There’s been suspicious activity on your account’ Crisis averted, I thought. How wrong I was!
AFEW WEEKS ago, I broke down in sobs in front of my bank manager. Other customers eyed me curiously as the blood pounded in my ears and nausea crept over me.
I had just been told I was £2,000 overdrawn, despite having transferred £4,000 into a new account the day before. No, I wasn’t coming to terms with having indulged in a sudden spending spree. I had been scammed.
It’s not just pensioners and the vulnerable who fall victim to scammers these days. I am neither gullible nor a Luddite. I’m a middle-aged mother-ofthree who considers herself to be sassy and alert.
I thought I would always be safe from such cons: I know not to give bank details over the phone and scoff at emails purporting to be from HMRC or Paypal, with links to ‘get your refund now’.
But what my experience shows is that we all need to be aware that things have moved on from ‘phishing’ — the term for when criminals use fake email or bogus websites.
We’ve since had Smishing (SMS phishing via text messages) and we’re now on to Vishing — phone calls where fraudsters impersonate bank staff so plausibly they are able to talk you into transferring money into their account.
Officially known as ‘Authorised Push Payment fraud’ or APP, this is how my money ended up being transferred into a random Barclays Bank account, now empty.
APP is one of the fastest growing types of fraud. There have been 19,370 reported cases in the past six months, with an estimated £101.2 million transferred to fraudsters in that period.
With APP, the average loss to an individual is around £3,000, although these figures are just the tip of the iceberg, as many people don’t even report it because they fear they will be ridiculed or dismissed as stupid.
The sad fact is, defrauding people like me — and you — is ‘ big business’. According to one fraud analyst: ‘ These people work for large organisations in an office like yours, with a photocopier in the corner and a plant on their desk.
‘They’re trained in how to use sophisticated psychological techniques to exploit consumers and are completely heartless — and they are always one step ahead of the banks.’
Not long ago, I was cooking supper for my teenagers when I received an automated text saying a new phone number had just been registered with my NatWest online account. Five minutes later, the bank rang.
The 0345 number that came up on my mobile’s display was the main switchboard number for NatWest — I had it saved in my phone a while ago so I could be sure.
‘We suspect some suspicious activity on your account and I need to check a couple of things with you,’ said the lady who introduced herself as one of the NatWest fraud investigation team. She sounded a bit like my mum, very well spoken and with a tone that was concerned, yet calm and professional. ‘We’ve noticed a direct debit has been set up for John Lewis for £1,150 and one with the mobile phone network GiffGaff for £45.’
My heart began pounding. No, I hadn’t set them up, I gabbled.
‘We’ve noticed an IP address from Bristol has logged into your account a few times today. Was it you?’
‘No it was not,’ I said, worried but also relieved that my bank was on the case.
Four years earlier I’d been scammed when someone got hold of my bank details —possibly by intercepting a statement — and set up a banking app in my name, using their own phone number.
Whoever it was then told the bank they had lost the bank card and needed to get cash out, so they were given a four-digit code.
The fraudster then used the fourdigit code instead of a bank card to withdraw money from a branch in North London. I had £2,000 taken out of my bank account — £500 a time over four days — in this way.
NatWest refunded me on that occasion, but now it sounded like the fraudsters were back.
I switched off the hob and gave the lady my full attention. I’m aware many emails and phone calls are from scammers and so usually ignore them, but as it says on NatWest’s own website: ‘If we hold your mobile number, we will send you an SMS to confirm some activities on your account and check that it was you that made the transaction or changed some of your information . . . If we suspect or become aware that your account may be subject to fraud, we will attempt to contact you.’
This was my follow-up call from the bank after that preliminary SMS warning — wasn’t it?
It’s usually at this point in the story that friends ask: ‘But why did you give her your account details?’
And this is the strangest thing about it: I have never given my account details on the phone to anyone. The woman knew all my details already. At no point did she ask for my account number, sort code, even my name. The only thing she asked was for the first and third letter of my password — just as any bank does during a phone call.
She was already in my account, looking at my transactions. ‘There’s one payment to DVLA at the end of December — was that you?’ Yes.
‘There’s a direct debit going out to Wealden Leisure, and I can see £10 was taken out of a cashpoint in central Brighton yesterday.’
‘That’s fine, that was me,’ I told her, but as ever I wanted to err on the side of caution. ‘Sorry, but can I just check this is NatWest I’m talking to?’
‘Of course,’ she said calmly. ‘We always advise people to call the number on the back of their bank card. I’ll call you back in five minutes.’
So I rang the number on the back of my bankcard from my landline, which corresponded to the number she’d phoned me from, and got though to the familiar NatWest switchboard welcome message — informing me that due to the high volume of calls, I could be kept waiting ‘longer than usual’.
Was this deliberate? Did the fraudster know I’d be too impatient to wait? Had I stayed on the line and spoken to an advisor, perhaps the scam would have unravelled. That said, there are cases of fraudsters intercepting such calls.
Five minutes later, she rang and talked me through what NatWest could do to keep my money safe. We were on the phone for 15 minutes as I set up a new ‘safe NatWest holding account’ under her instruction.
I was then given ‘my’ new sort code and account number and went online to transfer £4,000 into this new account under my name — while she remained on the line.
I know some of you will be rolling your eyes at this point, but when you are in no doubt you are talking to your bank, you behave exactly as you would if you were in a branch talking to a bank employee face to face.
‘ Crisis averted!’ I posted on Facebook later that evening. ‘ Watch out people, my bank account nearly just got scammed again . . . NatWest onto it immediately, phew!’
How wrong I was. When I went into my branch on the Monday, the cashier frowned as she stared at her screen and shook her head.
‘There are no notes on your account,’ she said. ‘You’ve made a large transfer but no new account has been set up. You’re overdrawn by £2,000.’
That’s when the bank manager took me aside to explain — and I began to feel like an utter fool.
According to fraud expert Gary Hemming, commercial lending director at ABC Finance, I shouldn’t have been so hard on myself.
He says: ‘These days the scripts are incredibly well-honed as they are usually used by career fraudsters,
so predicting whether it’s actually your bank you’re speaking to or a fraudster is almost impossible.
‘Banks have the technology to stop almost all financial fraud, so now the focus is on fooling the account holder: fraudsters circumvent the systems to attack the weakest link, which is the consumers themselves.’
Looking back, the woman I spoke to must have been working from a sophisticated script based on the bona fide NatWest advice and information you can find on its website. Even the background noise was exactly the same as when I talk to my bank.
Perhaps she had worked for a bank before — apparently it’s a career history of many fraudsters.
The woman had also created a situation where I felt that I was the one in control. At no point had I revealed any details about my account or myself.
In fact, I’d been the one who asked if my account could be frozen so no money could be taken out. I’d been the one who asked if I could open a new account.
Or had I? I began to wonder if I’d somehow been hypnotised: it was preferable to believing that I had authorised a transaction and been tricked.
It wasn’t long before my distress was cloaked by anger. I had fallen victim to a modern type of bank robbery. Where was the security I had been assured by NatWest after the first fraud?
I’d feared it would only be a matter of time before it happened again, but NatWest had assured me my account was ‘safe’ and ‘it would never happen again’. But was the woman part of the same criminal network that had cracked my account the first time?
And why had my bank processed such a large transfer so quickly without question, and so soon after a fraudulent attempt to register a different phone number with my account?
As for that text, no one can tell me if it was really from my bank or the fraudsters. At my local branch, I got differing verdicts.
I complained to NatWest, who washed their hands of the matter immediately. ‘We are not refunding the money to you as you made the transaction yourself … we cannot be held liable for this and we will not be in the position to investigate this issue further.’
I complained to Barclays — the account where my money ended up. ‘The account into which you transferred money has now been closed . . . no funds were remaining . . . Barclays is unable to return any money to you.’
Where a payment has been authorised by the account holder, there is no legal obligation on the bank to reimburse. The sense of a giant buck being passed persisted and I contacted the Financial Ombudsman Service (FOS), from whom I am still waiting to hear.
I won’t hold my breath. A recent investigation by Channel 4’ s Dispatches found that some FOS staff with inadequate understanding of financial products were finding in favour of the banks, without even reading case files.
Some financial industry experts believe British-based banks are lagging behind their international competitors when it comes to security, leaving UK bank customers more at risk of fraud.
Why aren’t they doing more to educate their customers? I had no idea phone numbers could be ‘spoofed’ to look as though they are coming from a bank, for example. Sure, the information is out there, but only if you deliberately set aside time to find it.
I’ve since spoken to others who’ve been similarly frauded. All sensible, intelligent, clear-minded people, just like me.
Federica Pluchino, 44, a carer who lives in Southwick on the South Coast, lost £3,500 when she made a transfer from her bank account, believing she was speaking to someone from Barclays. ‘He was an absolute master!’ she says. ‘My husband was right next to me — he didn’t think there was anything strange about what I was doing as it was the bank’s responsibility to keep my money safe.
‘Of course, I can see now I was taken in, but hindsight is a wonderful thing. I’ve been a loyal Barclays customer for 22 years and I’d never heard of this type of fraud until it happened to me.
‘I consider myself tech- savvy and well- educated. Thankfully. Barclays reimbursed me — and even paid me compensation.’
Others have been less fortunate. Hugh Milsom, 64, a funeral celebrant who lives in Swindon with his wife Erica, lost £7,800 when he believed he was talking to a NatWest employee when he was called one Saturday.
‘I have a degree, I worked in technology for 30 years and pulling the wool over my eyes is quite difficult, or so I thought,’ he says.
‘But my complaint was rejected as I’d been tricked into giving my PIN and authorising the transfer.’
There are various ways the instances of fraud could be reduced. An automatic 24-hour delay on bank transfers would mean the majority of scams could be prevented, while the introduction of a ‘confirmation of payee’ system would massively decrease the number of APP scams.
The more I looked into fraud, the darker the picture became. Yes, I’d lost £4,000 — but some people had transferred their life savings into fraudulent accounts.
I’m trying to come to terms with the fact that I may never get my money back. I’ve now ditched online banking — although with banks driving customers online by closing branches, I don’t know how much longer this will last.
Meanwhile, I’ve made it my mission to warn everyone I know or meet about my experience. I don’t think people realise the true extent of this epidemic.
Why isn’t more done to educate us customers?