ISlena Rossi * was sued £ 2,400 by her plumber for repairs to her boiler. The bill was duly sent by email and Rossi transferred the sum. Only when the plumber chased her for payment did she find out that the money had been paid to a scammer. “We found out that the scammer had violated the plumber’s email account and was sending and intercepting email from it,” he says.
“The invoice arrived when expected, for the exact amount, from the correct e-mail address with the company logo on its letterhead and the correct distribution for the job. We had no reason to suspect there was anything wrong. “
His bank, the cooperative, refused to refund the stolen money and when Rossi filed a complaint with the Financial Ombudsman Service, he confirmed the decision because he had authorized the payment and the bank had not acted negligently.
Rossi’s misfortune was that she was defrauded last March, two months before a voluntary code, the contingent refund model, was introduced. The code requires participating banks to reimburse reprehensible victims of authorized push payment fraud (APP) and the Cooperative became the ninth bank to register in December.
The bank told al Observer Rossi’s case has been examined by the ombudsman, but since the code is not retrospective, it will be assessed against the criteria in force last March, when repayments would be due only if the banks were negligent in investigating the fraud.
More than £ 200 million was stolen from customers through APP fraud in the first half of 2019 and crime is skyrocketing. Rossi’s ordeal reveals the lottery of the attempt to ask for a refund since success depends on when the fraud occurred, the bank and which method the scammers used to deceive.
Customers who carry out banking transactions with one of the 10 great players such as Monzo and Tesco who have yet to register for the code, remain unprotected. Even those with banks that have adopted it are not guaranteed their money as the code excuses them from repaying victims who have been “negligent”. Since “carelessness” is not defined, it can be interpreted as they wish.
Victoria Ross lost £ 25,000 after the scammers sent her messages claiming to be from her bank reporting suspicious activity on her Lloyds account and advising her to transfer her balance to a “safe” account in her name. “The messages were on my original Lloyds text message feed and I was asked to verify that the phone number matched the phone number on my Lloyds credit card as it was,” he says.
Lloyds told al Observer that Ross did not take sufficient measures to verify that the text message was authentic and ignored a fraud alert on “secure” accounts of forged numbers.
Ross only remembers a generic fraud alert that the scammers had told her it was a predefined message sent before each transaction. .
One report per campaign group Which one? concluded that banks unfairly penalize customers who ignore automatic fraud alerts. These are required by the code to be clear, effective, timely and adapted to the specific scenario.
The practice could result in a PPI-like scandal, according to Pradeep Oliver, partner of Cripps Pemberton Greenish. “If it can be shown that banks are adopting a general procedure in which they refuse to repay customers because of generalized and non-specific warnings, I hope the FCA will intervene sooner rather than later,” he says.
Fraudsters are so adept at “social engineering” victims to engage their confidence and panic that they are commonly too agitated to think rationally, even when banks specifically report a suspicious transaction.
Last month, the owner Emily Church * was treated for over nine hours of phone calls by criminals posing as officials of the Royal Court of Justice and her bank, believing she had to face jail for irregular tax returns. Fraudsters gained his trust by falsifying the phone number of the Royal Courts, erasing the official case numbers and citing the dates of the warning letters to which he had not responded. She was told that she could settle out of court, provided she signed a confidentiality agreement.
“They impressed me that a prison sentence would mean the possible loss of my home, the inability to obtain a mortgage, being unable to see my children and losing my business and reputation,” he says.
She was tricked into paying £ 12,500 from her Lloyds and Santander accounts and misleading bank staff when they called her to question the transactions. “I was scared that if I hadn’t done something I wouldn’t have been able to make a payment and in the end I wouldn’t have seen my kids grow up,” he adds. Fraud was discovered when her partner, alarmed by her changed behavior, appreciated the truth. Santander and Lloyds were unable to recover the stolen funds and said so Observer they would not refund her because she canceled the automatic and verbal warnings of a possible fraud.
Church plans to submit his case to the Financial Ombudsman Service, which recently accepted a complaint from a victim of a very similar scenario. He ordered the bank to repay the stolen £ 100,000, despite the fact that the customer, like Church, had provided staff coverage.
Critics argue that the regulations have failed to keep pace with the evolution of technology. The ombudsman was empowered to investigate APP fraud reports only a year ago. And until the end of March, the six largest banking groups in the UK will ultimately be required to confirm that the name of the account a customer is paying for matches the name they entered in the payee box. Currently, only the account number and ordering code are matched, allowing scammers to convince victims that they are transferring money to a secure account in their name.
A recent report from the Treasury Committee concluded that this has resulted in the fraud of thousands of people since banks were first notified of the problem in 2016 and are expected to reimburse them retrospectively. The committee also recommends that payments for the first time on a new account be postponed by 24 hours to allow customers to reconsider and that the CRM code is made mandatory.
Basically, current rules do not allow banks to prevent a payment authorized by a customer, even if they suspect it is a scam, or to recover funds fraudulently transferred from a payee’s account without a court order. They are also expected to complete a transaction within two hours under banking regulations.
These rules cost Nick Hutchinson * the £ 4,000 that left his account with The Co-operative 10 days after he informed the bank that he had fallen victim to an APP scam and that he refused a refund. He said that the sum consisted of several card transactions carried out by the scammer before Hutchinson reported him and that he was powerless to prevent according to the rules of the card scheme, although there was a delay of 10 days before the money was claimed. After contact from Observer refunded £ 3,750 as it only authorized an initial payment of £ 250.
Financial trading UK Finance believes that urgent reforms are needed to give banks more power when a customer is welcomed. “A clearer and more effective legal and regulatory framework is needed to help respond quickly to fraud claims and thus reduce harm to victims,” he says.
* The name has been changed