‘Robbed of £17,500, and the bank got me back 10p’
As fraud soars to new records, Your Money calls for banks to step up their customer protection. Richard Evans reports
NatWest customer Annette Jefferys was tricked into sending £17,500 to fraudsters after they were able to generate a genuine “activation code” for her online banking account. Exploiting a frightening weakness in the procedures of one of Britain’s biggest banking groups, fraudsters were able to first lock the victim’s online account and then obtain an access code to unlock it – simply by using publicly available information.
In a cruel twist, Ms Jefferys was later told by the fraudsters’ bank that they had left some money behind. The sum turned out to be just 10p.
The case comes to light as new figures show that fraud now accounts for more than half of all crime.
Telegraph Money today calls on the banks, the police and the Government to dramatically increase the measures they take to protect bank customers and to defeat fraud.
Worrying new tactic: fraudsters generate genuine activation code
Annette Jefferys lost £17,500 after criminals targeted her in a wellplanned fraud perpetrated over the course of two days.
The exact sequence of events that led to her losses is complex, so Telegraph Money enlisted the help of fraud expert James Freedman to piece together with Ms Jefferys what is likely to have happened.
The criminals, who posed as NatWest employees, first called Ms Jefferys, a businesswoman from north London, on a Friday night last month. They said her account was under attack by fraudsters and that she would need to transfer money to another account.
This ruse is commonplace. What was different this time is that they did not ask Ms Jefferys to make the transfer there and then. She was in any case suspicious, and challenged the callers to prove that they really were from the bank.
They pointed out that the number from which they were calling, displayed on her mobile phone, matched that on the back of her bank card. However, software that allows criminals to display a number of their choosing is readily available, according to Mr Freedman.
Ms Jefferys then did as experts advise in this situation and tried to call the NatWest number on the back of her card from her landline. But she did not actually speak to anyone.
“It took ages to get through, because there were so many options, by which time the fraudsters were calling me again on my mobile,” she said. “They phoned me on my landline and mobile approximately six times.”
During these calls they added to their plausibility: they asked Ms Jefferys to agree a “password” that they could use in future to prove their identity and told her that they would send a new bank card and identification number because her account had been “compromised”.
In what was perhaps their most convincing touch of all, the criminals also asked her to log in to her online banking while they remained on the line. Because the criminals had previously frozen her service she could not log in, and they were able to promise that they would send Ms Jefferys an “activation code”, which would enable her to regain access. This would come the following morning by text message, they said.
Meanwhile, the criminals had generated the code themselves by impersonating Ms Jefferys on NatWest’s website.
To do so they had almost certainly gleaned enough information about her from social media and other online sources, Mr Freedman said.
Banks that allow activation codes to be generated in this way by someone who lacks full security details for online banking rely on the fact that the code should be seen only by the account holder, who will previously have registered their mobile phone number with the bank.
The code duly arrived in a text that was sent to Ms Jefferys’s phone the following morning.
When the fraudsters called Ms Jefferys a little later, they had convinced her that they were not impostors and given her the means to regain access to her account.
All they had to do then was repeat that her money was at risk and that she should move it to a “safe” account, whose details they gave her. This she duly did.
“After that, the caller said he would add compensation to my account, for all the inconvenience caused, of £1,000,” Ms Jefferys said. “It was then, after I had done the transfer,
that I realised it was fraud as I could not believe that NatWest would give £1,000 compensation.”
She immediately ran to her local NatWest branch. She was asked to call the bank’s fraud team from the branch but it proved too late to recover the funds from the Barclays account to which they had been transferred.
She turned to Barclays, which said in a letter: “We have been able to recover some of the funds that were in the account and are therefore in a position to return £0.10.”
A spokesman for Barclays told Telegraph Money: “As soon as we were alerted by NatWest, we acted swiftly in order to recover any remaining funds on the account.
“Regrettably by the time we were made aware of the fraud no money remained and the account has since been closed.”
NatWest said: “Regrettably our customer was a victim of a scam. Unfortunately there was no opportunity for the bank to intervene and the customer paid funds away to another bank.”
What the victim should have done
Ms Jefferys’s key mistake was to allow the fraudsters to harry her into giving up her attempts to contact NatWest independently.
Mr Freedman added: “With these frauds, there always comes a point when the victim ‘ buys’ the story. From that point, evidence to the contrary is ignored or explained away. It’s vital to give yourself time to step back and ask yourself: ‘Is this reasonable?’
“In cases such as this, it is not the bank’s system that has been hacked, it is the victim herself.”
His other tips include:
limit the personal information you put online
Use a password management system and update passwords frequently.
Consider whether you really need online banking. The easier it is to use, the easier it is to abuse.
What should banks and the authorities do to protect us from fraud?
Telegraph Money calls on the Government, the banks and the police to step up their efforts to defeat fraud.
The new joint fraud task force, which brings these three bodies together, should investigate ways in which frauds in progress can be halted. An emergency number along the lines of the 999 service could be one option.
Where banks receive out-of-theordinary payment instructions from clients, they should phone or text to check – and check also whether clients have received unsolicited calls from other “bank staff ”.
A far more comprehensive and visible public information campaign highlighting the dangers and explaining how customers can protect themselves is needed.
Annette Jefferys ran to NatWest to report the crime but her money had already gone