The Mail on Sunday

How online account led to a £90,000 nightmare as golf club is swindled

WHEN an employee of one of Hampshire’s most picturesque golf clubs logged into its business account one afternoon, she thought it would be a formality. Just another invoice to pay.

But she did not realise that fraudsters were watching her every cyber move. By the time she logged in again the next morning, she was ‘horrified’ to find that £90,000 had been plundered from the club’s funds.

To make matters worse, the club’s bank, NatWest, refused to refund the money. Its intransigence would have ruined Waterlooville Golf Club if it had not secured a ten-year loan to plug its black hole. Ironically, the loan was arranged with NatWest, which means the bank is profiting from the club’s misfortune.

Mark Pinhorn, the club’s chairman, says going cap in hand to the bank for a loan was a ‘galling’ experience. He also believes NatWest was culpable in failing to detect the fraud.

It was committed in August 2014. The employee noticed that NatWest’s website was running slowly, but nothing seemed amiss. At one point she was asked for a special code during log-in, which she supplied, although typically this is only required at the point when it comes to authorising payment.

The next morning, after logging on to the account, she found nearly £90,000 had been withdrawn in two instalments – £9,700 from the club’s standard business account and £80,190 from the linked savings account.

It is thought hackers were able to steal the cash after sending an email dressed up as an invoice the day before. As the employee was used to dealing with invoices from suppliers, she clicked on the attachment, which may have downloaded ‘spyware’ on to the computer. Spyware is software that lets a criminal ‘see’ what a computer user is doing – including the details they enter for online banking.

The bank told the club it would not refund the sum as staff should have downloaded its security software – itself far from infallible – and their inaction amounted to negligence.

But staff say not only were they unaware that spyware was sitting on the computer, but the bank has failed to explain its own laxity over security. The savings account – from which the biggest sum was stolen – has never been used to make an external payment before. Instead, the club’s subscriptions are paid into the current account and transferred to the linked savings account. Money is moved back monthly from the savings account to the current account to pay bills. Mark says: ‘In our eyes a direct transaction from the savings account was a highly unusual payment that should have been flagged by the bank. Why was it allowed?’

Equally depressing was the fact that the banks in receipt of the funds said they could not divulge details of the accounts held by the fraudsters – because of data protection rules.

Mark says: ‘We are not a particularly well-off club and all feel very let down by NatWest. Its attitude has been disappointing to say the least.’

NatWest agrees that the transactions were not authorised by the employee, but the bank claims ‘gross negligence’ on the part of the club and so says it is not responsible for the fraud.

ROUGH TREATMENT

LAST year the club asked the Financial Ombudsman Service to review the case. The Ombudsman mostly helps individuals, but can step in to help small firms with up to ten staff and turnover of less than €2million (£1.7million) a year.

Waterlooville Golf Club has three or four staff too many, so the Ombudsman was unable to help.

But in a letter to the club, an adjudicator said: ‘In view of what has been provided, if I did have power to instruct NatWest to refund the transactions I would. I don’t think NatWest has presented a reasonable reason for declining the complaint.’

Rules laid down by the Financial Conduct Authority, which regulates banks, state they must reimburse customers over unauthorised payments taken from their accounts.

There are three circumstances in which a bank can refuse a refund. The first is if it can prove a customer authorised the disputed transaction. For this, the fact a customer’s password, card or PIN were used is not seen as conclusive proof that a customer authorised it.

A second reason is if it can prove a customer was at fault because of ‘gross negligence’, such as failing to protect card or PIN details. And third, a bank can say no if it is only told of an unauthorised payment 13 months or more after the date it left the account.

On Friday, The Mail on Sunday asked NatWest to comment on its handling of the fraud committed against the golf club. It said the club should have downloaded its recommended Trusteer Rapport security software and should not have entered a special code at log-in.

A bank spokesman said: ‘We have every sympathy with the club being the victim of malware fraud. We investigated the case thoroughly and provided a detailed rationale for the outcome. We provide extensive security advice to enable customers to prevent malware fraud, through direct messages, emails and access to the security centre on our website.’

The case acts as a warning to NatWest customers that if they do not download what it says they should in terms of security software, and if they have spyware on a computer, they could be held responsible for fraud.

The bank also said it gave the club the best loan rate it could.

BELOW PAR: Mark Pinhorn feels let down

TEED OFF: Waterlooville Golf Club had to take out a loan with NatWest to cover the loss

SCALES OF INJUSTICE: Traditional banking did not carry today’s risks
