It began with a text purportedly from O2. The message informed Stephen Frew that his latest payment could not be processed and asked him to update his card details via a link. Frew duly obliged. Within a week the £21,330 he was about to use as a deposit on a flat was stolen from his bank account.
He is far from alone. The senior hospital nurse, who is in charge of Covid admissions, is one of thousands to have lost their life savings in an online scam known as Authorised Push-Payment (APP) fraud, which has intensified as fraudsters exploit the pandemic to target stressed customers. Over £200m was lost to APP fraud in the first half of this year according to new figures from trade association UK Finance.
Scammers are adapting their tactics as people spend more time at home. “We are using internet platforms for shopping more than ever,” says Katherine Hart of the Chartered Trading Standards Institute. “Phishing scams have existed for a long time, but the current crisis has made people more vulnerable.”
The scam usually starts with an email, text or phone call purporting to be from a trusted organisation, warning householders of suspicious activity on their account or enforcement action over unpaid bills. The goal is to frighten them into divulging security details that will allow access to their bank account. And whereas fake demands were once relatively easy to spot, sophisticated technology can make the messages almost indistinguishable from official correspondence.
Since March my consumer inbox has filled with heartbreaking tales from young and old who have suffered life-changing losses. While banks have improved fraud prevention technology – £73.1m stolen in APP fraud was reclaimed for customers in the first six months of 2020, an 86% increase on last year – many victims are still left out of pocket.
A voluntary scheme for compensating customers has been denounced as a lottery by campaign groups, who say that only 38% of stolen funds have been covered by banks who signed up to the pledge, and that some banks refuse to engage.
In Frew’s case the scammers used the card details he had submitted via the text link to make four purchases several days later. This triggered a phone call from his bank, Triodos, flagging up suspicious transactions. So when a second call told him his account had been hacked, he didn’t question it.
This time, however, it was the scammers masquerading as Triodos’s fraud team. Number-spoofing technology made it look as though they were ringing from the bank’s customer service department, and their knowledge of the fraudulent payments convinced him they were authentic. When they told him they needed his security details to move his money to a safe account, he unsuspectingly complied.
“My partner and I have now had to abort the purchase of the flat and are left with solicitors’ fees to pay and no deposit for another property,” he says.
Triodos refunded the credit card transactions and the £21,330, but it reclaimed the latter sum after an investigation concluded that Frew had ignored warnings not to disclose security details. Gareth Griffiths, head of retail banking, says: “We reimbursed the previous day’s incidents of card fraud for this customer, but it is difficult to continue to secure an account if they give out their private security details over the phone.” Frew has issued a formal complaint about the decision and intends to appeal to the Financial Ombudsman Service.
While banks are stepping up measures to detect and prevent fraud, critics claim that the authorities are failing to catch the criminals behind it. Victims are told to report the crime to Action Fraud, a data processing centre outsourced by City of London police. However, an investigation by the consumer group Which? branded the centre unfit for purpose after finding that many complaints are not passed on to the police for investigation. Only 2% lead to charges. It was recently revealed that police chiefs are seeking a new company to take over the service in a £60m revamp. Action Fraud insists that every report is important and helps build a clearer picture of criminal activity.
In April, City of London Police and the National Cyber Security Centre launched a Suspicious Email Reporting Service. It allows the public to refer possible phishing messages to an automated service which will scan web links and remove the websites if they are found to be invalid. It has so far identified 6,501 scams after receiving 1.7 million reports.
Current frauds
Travel refunds A cold call, text or email purports to be from a claims firm appointed by an unnamed airline or travel agency to issue refunds for trips cancelled due to Covid. They take advantage of customers who are genuinely awaiting refunds by requesting bank or card details in order to process the payment.
Amazon Prime A recorded message warns householders that their Prime subscription is due to auto-renew for £78.89 and invites them to press 1 to cancel it. A fraudster, masquerading as an Amazon call centre rep, states that the subscription has been set up fraudulently after a security breach and asks the caller to download software so they can secure their account. This allows them access to the victim’s bank details. Variations of the scam inform victims that a £39 subscription has been debited in error and asks them to submit a web form requesting a refund. They then claim that, due to a typo, £3,900 was refunded and must be repaid immediately to avoid legal consequences.
Jury service A text with authentic-looking government logos informs recipients that they have been summonsed for jury service and must click on a link if they want to defer it. The link invites them to submit their card details and pay £34.99 to defer the summons for six months.
HMRC An email states that a tax rebate of £755.80 is due and asks for proof of address and a copy of the passport for identity verification. Recipients are asked to click on a link to submit these along with their bank details for payment.
Courts & Tribunals Service There are several of these doing the rounds. Automated calls advise recipients that a warrant is out for their arrest for tax irregularities and orders them to press 1 to speak to the tax audit office. Impostors aim to panic callers with legal threats and jargon, and pressure them into transferring huge sums in bogus penalties and legal fees. An official-looking email informs recipients of a penalty charge for “use of a vehicle in a charging area without payment of the appropriate charge”. A payment tab clicks through to a website that harvests bank details.
Banking A call or text, purporting to be from the recipient’s bank, alerts them to a suspicious transaction on their account. The caller asks for “security details” to “verify” the account holder, including information such as PIN and password that a genuine bank would never request. They tell the victim that their account has been hacked and order them to transfer funds to a safe account.
