If you’ve been emailed bank de­tails … be warned

The Observer - - Cash -

Both of these let­ters are de­press­ingly sim­i­lar and should be a warn­ing to every­one who banks on­line.

I trans­ferred £20,000 into our pen­sion plan, but the money never ar­rived. I had asked my fi­nan­cial ad­viser at Brewin Dol­phin for the rel­e­vant bank de­tails and he sent them by email. It seems it was in­ter­cepted and the bank de­tails changed so the trans­fer went into some­one else’s ac­count.

Brewin Dol­phin says its email sys­tem has not been cor­rupted. My provider says my email ad­dress has not been com­pro­mised in the last six months. My bank has tried

I had some build­ing work on my flat. The builder emailed me his bank de­tails, but, be­fore I’d paid, he emailed again to ask if part of the amount could be paid into a dif­fer­ent (Lloyds Bank) ac­count. I duly trans­ferred £6,300. How­ever, the re­quest was fraud­u­lent.

The builder’s PC had been hacked, and he no­ticed I had replied to an email that had not been sent by him. It was then too late to stop the pay­ment, but I im­me­di­ately alerted my bank (HSBC) and also re­ported it on­line to Ac­tion Fraud.

The fraud­ster con­tin­ued to email me, ask­ing if I was go­ing to make an­other pay­ment, and this, too, I re­ported. How­ever, I now seem to have reached a dead end.

Ac­tion Fraud says it can­not pro­vide up­dates within three months of a com­plaint. Lloyds Bank says it can­not deal di­rect with me, and HSBC has passed me to its “fraud com­plex com­plaints team” (which doesn’t ap­pear to have a phone num­ber or email ad­dress and won’t give me a con­tact name). This tells me that Lloyds won’t pro­vide de­tails of the ben­e­fi­ciary ac­count due to data pro­tec­tion, but that some of my money is still there. To re­coup it, it says, is a civil mat­ter I’d have to pur­sue in the courts.

I can­not un­der­stand why HSBC will not act on my be­half, at least to as­cer­tain how much is re­main­ing in the ac­count. JV, Ex­eter

Both of you are vic­tims of an in­creas­ingly preva­lent scam whereby crim­i­nals hack into per­sonal or busi­ness email ac­counts, in­ter­cept any mes­sages con­cern­ing pend­ing pay­ments and send an email from the hacked ac­count chang­ing the de­tails in their favour.

The scam cost con­sumers £145.4m in the first half of this year, ac­cord­ing to UK Fi­nance. It’s known as “push-pay­ment fraud” and, un­like credit card or di­rect debit pay­ments, there is no pro­tec­tion for cus­tomers who lose out.

This could change. A code pro­posed by the Pay­ment Sys­tems Reg­u­la­tor last month might re­quire banks to re­im­burse vic­tims – pro­vided they were not neg­li­gent when mak­ing the pay­ment – al­though the code would be vol­un­tary and it’s not clear who will fund the com­pen­sa­tion.

In the mean­time, you have both been left in le­gal and reg­u­la­tory limbo. In CC’s case, Brewin Dol­phin main­tains its sys­tem was not com­pro­mised and there­fore the hacker must have tar­geted your ac­count.

It points out that the Have I Been Pwned web­site, which checks whether emails have been af­fected by data breaches, shows your email has been com­pro­mised five times.

More­over, the scam email you re­ceived con­tained a dif­fer­ent do­main name to Brewin Dol­phin’s. Or­di­nar­ily, the Fi­nan­cial Om­buds­man Ser­vice can in­ves­ti­gate whether a com­pany has dealt rea­son­ably with such a com­plaint, but not in your case be­cause email hack­ing isn’t a reg­u­lated ac­tiv­ity.

Un­less you can stom­ach the prospect of chal­leng­ing Brewin Dol­phin’s sys­tem se­cu­rity through le­gal ac­tion there is, ex­cru­ci­at­ingly, noth­ing more you can do. The prob­lem for JV was that the fraud only came to light four days af­ter the pay­ment.

HSBC says it con­tacted Lloyds im­me­di­ately and Lloyds says it froze the ben­e­fi­ciary ac­count, but, by then, con­trary to what you were told, the money had ap­par­ently van­ished.

De­press­ingly, the au­thor­i­ties have been of no help. Ac­tion Fraud even­tu­ally told you that, due to over­load, it would not be in­ves­ti­gat­ing and re­ferred you to the po­lice.

The po­lice replied that they, too, could not do any­thing “be­cause of the high level of fraud re­port­ing and lim­ited po­lice re­sources to in­ves­ti­gate eco­nomic crime”.

HSBC re­ferred you to the Om­buds­man but the re­sponse was the same, and it is yet to in­ves­ti­gate.

Pre­cau­tion, there­fore, is the only pro­tec­tion. If de­tails are sent by email, and par­tic­u­larly if they sud­denly change, ring the per­son or com­pany to check they are bona fide. When pos­si­ble, pay by credit card – or even by cheque, which can, at least, be stopped.

If you need help email Anna Tims at your.prob­lems@ob­server.co.uk or write to Your Prob­lems, The Ob­server, Kings Place, 90 York Way, Lon­don N1 9GU. In­clude an ad­dress and phone num­ber. Sub­mis­sion and pub­li­ca­tion are sub­ject to our terms and con­di­tions

Anna Tims

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.