Banking scams are big business.
Online banking scams alone accounted for an estimated £130 million disappearing from accounts last year, more than double the £60 million stolen in 2014, according to figures collated by Financial Fraud Action UK – an organisation formed by banks and card issuers to fight fraud.
This is, however, only the tip of the iceberg. Banking fraud in the UK probably runs into billions, not millions, and it is the fastest growing crime in the UK.
James Phipson, commercial director of the Economic Crime Directorate at the City of London Police, estimates that financial crime costs the UK economy £52 billion a year.
He believes that only about 12% of financial fraud is reported. Nearly nine out of 10 people who have been conned stay quiet because they are too embarrassed at being taken in, fraud-fighting police estimate.
Victims often feel they should have spotted the warning signs, yet they are usually wrong to conclude that they have been stupid. Banking fraud has become increasingly sophisticated, and successful people have been taken in.
This type of fraud will inevitably continue to mushroom as more people bank online and use computers and mobile phones to access their accounts. Modern banking makes it easier for customers to move their money around – and easier for the scammers to intercept it.
While interest rates on savings accounts remain at record low levels, many bank customers keep large sums in more vulnerable current accounts so that they can take advantage of offers such as cashback on purchases.
A growing proportion of consumers now rarely use cash for the majority of their purchases, and this is particularly true among younger consumers, with those over the age of 65 by far the most reliant on cash. Experts predict that within the next 10 years, the proportion of consumer purchases made with cash will decline to around one third of all transactions, compared to the current figure of just over half.
Banks have already made one attempt to scrap cheque books and backed down only in the face of a public outcry. The demise of cheques is only a matter of time.
We have moved into a new golden age for scammers, one in which modern communications make it easy to contact large numbers of potential victims cheaply and rapidly. Technology enables scammers to pose as genuine banks, police or lawyers to trap the unwary. It all looks and sounds genuine, and scammers need only a tiny percentage of people they approach to fall for the scam in order to make a lucrative living.
From Lagos to phishing
Banking fraud has come a long way from the crude ‘Letter from Lagos’ scam that most people are familiar with. You got a badly written email offering you a large percentage of millions of dollars locked away in a foreign country. All you had to do was provide your bank details so the money could be transferred to you, and you would then pass it on, minus your commission.
The bank details allowed the scammer to raid your account rather than put money in.
Publicity meant this scam had to be transformed into new variations, such as claiming for an inheritance from a complete stranger with no heirs. Such ploys now seem old hat. They came at a time when you could recognise most fake emails by the poor standard of design and spelling mistakes, and fake phone calls by the poor quality of English spoken.
Thus we moved on to phishing, where conmen sent emails that purported to come from banks or other organisations handling money such as eBay or PayPal. Often these messages looked authentic, with the bank’s logo reproduced to make them more convincing.
Victims were asked to ‘verify’ their account details, including their passwords. The crooks would take over the account, change the password to block out the genuine user, and plunder whatever they could.
Vishing – voice phishing – was a natural extension. Instead of an email, you got a voice on the phone seeking your personal banking details. Scammers posing as bank officials, or even the police, found this far more lucrative.
It’s a popular ploy to pose as some kind of official because victims are more likely to sit up and listen to someone they think speaks with authority. They are also more inclined to think the matter is serious if it demands the attention of someone with some kind of title.
From the scammer’s point of view, the other advantage of a plausible telephone call is that the victim can be rushed or panicked into taking action before they have time to see any flaws in the scam. Any doubts in the victim’s mind can be assuaged in a way that is not possible with an impersonal email.
The scammer will encourage you to put down your receiver, then pick it up again and dial your bank’s fraud department. The scammer keeps the line open, so when you dial you are not actually making a new call; you are still connected to the scammer.
By working in teams, scammers can arrange for a different person to take over the call, which makes it seem that you really have got through to the fraud department rather than a random individual.
Thus the victim can be persuaded that it really is the bank or a police officer warning that a fraudster has cloned a credit card or is trying to remove money from the victim’s account.
Having gained your trust, and with assurances that he will sort everything out for you, the scammer now asks for all the details he needs to empty your bank account, such as which bank you are with (he may not know this), the branch, the account number and sort code, security questions and finally your card number and password.
In the case of a genuine attempted fraud, your bank would ask some of these questions, so it is difficult to spot that you are being conned, but you can try giving a false answer to one of the security questions. If the caller does not pick up on this, you know it is a scam.
However, the bank will never ask for your password or PIN, not even by asking you to tap the PIN into your telephone keypad rather than say it out loud. Any such request should set alarm bells ringing. Nor will the bank or police ask you to hand over a credit or debit card. The card is of no earthly use to them – except for drawing money out of your account.
The bank will not ask you to switch money out of your account into another one on the spurious grounds that someone is trying to raid your account. If the bank knows of a fraudulent transaction, why doesn’t the bank simply block it?
The new 'smishing' scam
The latest banking scam to emerge is called ‘smishing’ because it involves the use of SMS texting from mobile phones. Scammers insert fake messages into genuine threads of messages between a customer and their bank.
To make the texts seem authentic, fraudsters use specialist software which alters the sender ID on a message so that it appears with the name of a bank or government department as the sender.
Users may be tricked into downloading a virus so the scammers can impersonate a bank in text messages to steal passwords and security details. In some variations the bank customer is persuaded to ring a phone number belonging to the scammers, who ask for the customer’s password.
Sometimes the victim is encouraged to visit a website that looks genuine.
The scam text messages may claim that there has been suspicious activity on the recipient’s account or that their account details need to be ‘updated’ or ‘verified’. The texts often claim the matter is urgent in the hope that the victim will be panicked into taking action.
Katy Worobec, director of Financial Fraud Action UK, says: “We have seen a recent increase in attempts by fraudsters to use scam text messages to con people into giving away their security information.
Always be wary if you receive a message out of the blue asking you for any personal or financial details. Never give this out unless you are absolutely sure who you are dealing with. If you’re ever at all suspicious, call your bank on a number that you know.”
A tale of two smishing scams
One reported case of ‘smishing’ concerned a Barclays customer in Liverpool who used the bank’s Pingit service, which allows customers to send and receive money using just a mobile phone number, to make a genuine payment to his daughter.
Less than 24 hours later, he received what looked like an authentic message from Barclays wishing to confirm a £900 direct debit to telecoms giant BT. On this occasion the customer’s suspicions were aroused and he avoided falling for the scam.
Instead of responding directly to the message he rang the bank separately to ensure that no payment was made.
A Santander customer was not so fortunate. He lost £22,700 from his account after fraudsters managed to hijack a bank text message thread, claiming there had been suspicious activity on his account and instructing him to call a phone number belonging to the scammers.
The customer was tricked into creating a one-time password, which is normal procedure in mobile phone banking, and then passing this to the scammers, who used the password to empty his bank account. The bank subsequently told him he would not be reimbursed because he gave authorisation for the payment.
10 ways to beat the scammers
- Do not assume that only stupid people fall for scams. Scammers are highly plausible and have taken in intelligent people, many of whom have been successful in business.
- Do not take the word of a complete stranger for anything, no matter what method the stranger has used to contact you.
- Be suspicious of any text message that asks you to provide sensitive personal information, such as passwords, or to make transactions.
- Be wary of clicking on any link in a text message to ‘update’ or ‘verify’ account details.
- If you’re asked to call a number given in a text message and the number is unknown to you or looks suspicious, call your bank on a number that you trust – such as the one on the back of your debit card – to check that the number and message are authentic. Do not call the phone number the text message has been sent from.
- Do not transfer money to a new account at the request of a third party, even if it says the account is in your name.
- Resist the temptation to click on an email link unless you are absolutely certain it is genuine. Always err on the side of assuming that it is a scam, even if you know the sender – your friend or business contact may have had their email hacked. You can always ring the purported sender to ask if it is genuine.
- Similarly, you should not open suspicious attachments. This is where malware is lurking to be transmitted on to your computer. Such malware may transmit your banking details to the scammer.
- Do not use public wi-fi, such as in an internet café or a hotel, to conduct online banking transactions. Scammers can intercept the messages.
- Above all, if you are scammed, report it to Action Fraud and your bank, and warn your friends. It may be too late to save your bank account from being targeted, but at least you can stop the scammers from cheating other people.