This week, the news has been awash with stories of victims who have been conned out of their hard-earned cash though a raft of different scams. Though, one of the most concerning stories relates to a woman who was targeted by something that is being called Authorised Push Payment fraud, or APP fraud for short. Below, we’ll look at this type of scam, as well as some of the other worrying issues that have been making headline news.
Authorised push payment fraud
Within the past half a year alone, there have been just shy of 20,000 reported cases of what we're seeing called APP fraud, with over £100 million estimated to have been transferred to criminal third parties within that space of time. The average loss per person equals out to around £3,000, though this is only the cases that get reported; there are likely many more than go unrecorded.
The reason that APP fraud is so devastating is because rarely will the banks offer to reimburse a victim with their money. It is called ‘authorised push payment’ fraud because the fraudsters dupe a victim into providing their explicit authorisation to transfer their own money to the criminal, even if the victim does not realise that they are being scammed. When this authorisation is given, it means that the banks can – and often do – insist that it’s the customer’s fault that they lost their money.
Typically, banks will use a PIN code send by text message as one of their last lines of defence against a criminal, sending you a message with a secure code to confirm that you are the person authorising a transaction. Unfortunately, fraudsters now regularly attempt to intercept these codes by getting a victim onto the phone prior to attempting a transaction, and claiming that the code is a security measure that can verify the legitimacy of a call, rather than one that is about to enable them to steal the victim’s money. By handing this code over, you can easily seal your own fate and ensure that the bank will blame you.
One of the most recently publicised cases of APP fraud targeted a woman named Catherine Downey, who received a text message from her bank confirming that a new number had been registered to her account. It was shortly followed up by a phone call from a person claiming to represent her bank. Ms Downey believed this to be a genuine caller from NatWest, as she had stored the bank’s switchboard number in her phone, which was the originating number for the call. The behaviour also appeared to mirror NatWest’s guidance on anti-fraud measures, which state that if strange activity is detected, they may text and then contact you for verification.
During this call, the fraudster scared the victim into believing that she was the victim of fraud, encouraging her to set up a secondary bank account with Barclays and transfer £4,000 into the new bank account. The victim followed the guidance that was provided, after which her money was siphoned off and Barclays closed the account without refunding her.
What were the red flags?
Though some of you may already be rolling your eyes at the fact that the above victim transferred her money to the fraudster’s account, this scam was more sophisticated than most. Firstly, the call appeared to originate from the official NatWest number. Secondly, the caller was well-spoken and there was supposedly background noise indicative of a call centre on the line. Finally, the fraudster knew many details about the woman’s address, account number, and more.
This victim is not the only person to have lost money to APP fraud. Other cases have hit the spotlight recently, including two more victims who lost £17,000 and £29,000. So, what were the red flags that could’ve prevented Ms Downey from losing £4,000 of her own money, and were there any clear warning signs that she might have missed? Below, we’ll look at what we think are the warning signs that this victim could’ve spotted before she went ahead with the transaction:
- The call from NatWest appeared to come from a legitimate number, but this isn’t the first time we’ve seen a criminal spoof one of NatWest’s official numbers. Call us overly-cautious, but with the number of sophisticated scams now circulating, we’d always recommend ending an inbound call claiming to be from your bank and calling back an official number from the back of your debit card. If you’re calling from a landline, be sure that you hear a dial tone before calling, otherwise the previous caller could still be holding the line open.
- As part of the above scam, the victim was asked to set up a ‘holding account’ with Barclays. You would never be asked to set up another account as a security measure; banks have means of freezing accounts during investigations so that no transactions – fraudulent or otherwise – can be carried out during the investigations process. What’s more, a bank would certainly never tell you to open an account with an entirely different institution.
- The caller only ever asked for 2 digits out of Ms Downey’s 4-digit PIN number. Though this lends some realism to the call, there was in fact never a need for the fraudster to access the victim’s account, because the victim handed over her cash directly by transferring it into the fraudulently-opened Barclays account. The details that they knew about the victim likely came from a bank statement that had been thrown away without shredding, or stolen from a letterbox. You should always carefully dispose of sensitive documents, and you should avoid having a mailbox that isn’t secured behind a door or a lock.
TSB customers particularly vulnerable
Owing to the trouble that UK bank TSB has had over the past month, you should be especially wary if you are a customer of this institution. The UK's anti-fraud agency 'Action Fraud' reported a ten-fold increase in reports of attempted TSB-related scams at the beginning of this month. These scams have involved third parties posing as representatives of the bank over telephone, text or email.
Customers of TSB have been reporting text messages and emails asking for them to click on a link and input their financial information. Handing over the requested information in this way means giving a fraudster access to their account. The victim will usually receive a call-back after a fraudulent transfer is attempted, in which the fraudster will encourage the victim to hand over their one-time PIN code to authorise the process, claiming that it is an identity check or something similar.
If you bank with TSB, be wary of any text messages, phone calls or emails that you may receive. Follow the advice we’ve set out above, or indeed any of the previous advice we’ve posted regarding scams and phishing attempts. Never hand over your personal data and consider calling back the bank on an official number if you do receive a direct telephone call.
WiseGuys can help
WiseGuys offer smartphone repairs in Bournemouth, with plans available to offer protection for all of your devices, not just one. If you’d like any more advice on keeping yourself and your personal information secure, then you can reach us on 0808 123 2820. Depending on the type of device you’re reading this on, there are a range of options for improving device security, such as VPNs, anti-virus software and so on.