Over the past four months, readers of the Guardian and Observer have reported losing more than £1m to frauds as an epidemic of scams sweeps the country. Since the start of June, we have heard from more than 30 readers who have been tricked into handing money over to criminals and have written to ask for our help. Individual losses have ranged from a few hundred pounds to £245,000, and in total come to £1.05m. Some of the frauds date back many months, and readers are still trying to get their money back, but many have happened since the Covid pandemic started and reflect rising levels of fraud across the country.
According to the banking trade body, UK Finance, more than £750m was stolen from consumers in only the first six months of this year, with fraudsters using increasingly sophisticated means to part people from their cash.
Each of these crimes leaves a victim. They are devastated at having been duped and, in some cases, are left struggling to get by, having seen their life savings disappear. Banks, building societies and other financial organisations are adding automated warnings and interventions to try to get customers to think twice about payments and to report suspicious calls and emails before they act on them. But our readers’ stories show that more needs to be done. Transfers appear to be too easy, fraudsters too plausible and refunds are hit and miss. Here are some of the stories we heard during the summer.
Groomed for eight months and persuaded to hand over £160,000
Retired nurse Mabel Jennings* had spent most of the year shielding from Covid when her phone rang. An articulate stranger claimed he was calling from a financial firm, Harrell Securities LLC, about her BP shares. Jennings owned 300, worth about £1,000, and she was told that clients of Harrell may be interested in buying them for more than their market value.
The 82-year-old, who had been recently widowed, was persuaded to sign up with the company to sell her shares. Then, over the next eight months, she was groomed with weekly calls and emails, and bombarded with official-looking letters and contracts requesting payments for associated costs.
Jennings made 13 payments totalling £159,918 to an account in Indonesia. Her bank, HSBC, questioned the first £5,292 transfer and a later sum but accepted that she was paying a company to sell her shares and allowed the remaining payments of up to £31,000 a time to go through uncontested – even though she had previously fallen victim to a different scam.
Jennings only realised there was a problem when she was unable to contact Harrell after she had emptied her savings accounts and borrowed £2,800 from her nephew for what she hoped was the final payment. “She was too ashamed to tell me what happened – she had to write me a letter,” her stepson says. “I think lockdown made her even lonelier and more trusting than usual. Now she has to survive solely on her monthly pension with no savings left for a holiday or car repair.”
HSBC managed to recover the final payment of £2,676 and returned it to Jennings but it but refused to reimburse the rest. It says that the contingent reimbursement model (CRM) – a voluntary code outlining when defrauded customers should get back their cash – does not cover payments overseas.
However, banks can still be held liable for overseas transfers if they are deemed to have failed in their duty of care, according to the Financial Ombudsman Service (FOS). The CRM requires signatory banks to refund all customers categorised as vulnerable, and it was for this reason that HSBC reimbursed Jennings after she lost money to a courier fraud six years earlier. After we questioned HSBC’s level of protection for vulnerable customers, it repaid the £159,918.
Tricked into giving criminals access to his bank account
Gareth Wilcox*, 86, was called by a man purporting to be a BT security engineer and persuaded that his internet connection had been compromised. During a two-hour call, the scammer tricked him into allowing remote access to his computer and asked him to open his online NatWest account to check the security settings. Immediately, £5,000 was stolen from his account. Wilcox spent £56 trying to get through to NatWest’s fraud department but the bank refused to refund the stolen money despite having cancelled his debit card two weeks earlier when Wilcox was tricked into authorising payment to a fraudster impersonating HMRC.
“He has become increasingly vulnerable to online and phone scams and has had his cards stopped three times in the last couple of years,” his son says. “He really has been shattered by this experience and I’m not sure his self-confidence will ever return.” After the Guardian intervened, NatWest reviewed the case and repaid him in full, including the cost of calling its customer service line.
Robbed of £16,000 when terminally ill
Brian Philpott* was terminally ill when hackers accessed his bank account and transferred £16,000 to his MBNA credit card account. Unbeknown to Philpott, the hackers then impersonated him on a call to MBNA and arranged for a new current account to be linked to the credit card. The money was then transferred to the account owned by the scammers.
“My dad was breathing with the aid of an oxygen mask and was physically unable to talk to the MBNA fraud department, and my mother often had to hang up while waiting on hold because Dad needed her assistance,” his son says. “MBNA delayed so long that Dad died before they provided a response, and the stress was an additional burden in his final weeks.”
As a result of his family’s efforts, MBNA eventually admitted liability and paid £400 in compensation to his estate. Four months later, it had still not refunded the £16,000, however. After intervention from Guardian Money, MBNA finally paid up and admitted it had neglected to process the refund.
Missed delivery led to lost savings
The text informed Tessa Wright that she had missed a delivery and needed to pay a nominal sum before her parcel would be resent. She paid up before realising that the text was a phishing exercise to harvest her account details. She reported it to her bank, Lloyds, immediately and her cards were cancelled but, she says, she was not warned about the risks of future fraud attempts.
The following day she was called by a man purporting to be from Lloyds from a number spoofed to replicate the bank’s customer service number. He told her that fraudulent transactions had been attempted on her account and provided enough detail to convince her that the call was genuine. She was persuaded to transfer £25,750 to what she was told was a secure account. The caller explained away the automated confirmation of payee message from Lloyds, which suggested a mismatch between the account name and number.
When Wright realised she had been scammed, she called Lloyds. It recovered £5,750 and paid her £100 for acknowledged shortfalls in customer service but it refused to refund the rest, claiming that she should have taken more steps to verify the scam caller. “I had to call my GP because the issue was tipping me over the edge,” she says. “I’d just downsized after a long-term relationship ended and the money was the equity I’d released.”
Lloyds admitted, when the Guardian questioned its conduct, that it might have prevented the fraud if it had warned Wright she might be targeted after the phishing fraud, and it refunded half the outstanding sum. Wright’s case is now with the FOS.
Still waiting after ombudsman tells Halifax to pay up
Melissa Smith from London was the victim of a sophisticated sting that led to her transferring £8,777, the entire balance of her Isa, to an account controlled by a scammer.
The good news for the 37-year-old is that an FOS investigator has found in her favour, saying the bank involved, Halifax, has not treated her fairly and needs to fully refund her money, with 8% interest on top. The bad news is that Halifax has told the ombudsman service that it disagrees with its findings.
In January, Smith received a text purporting to be from her bank saying she had set up a direct debit for £410 that it had stopped for security reasons and that a member of staff would be calling her to discuss this. The sender’s name came up as Halifax. Shortly afterwards she got a call from someone claiming to be from the fraud department, and the number on screen came up as the bank’s customer service number.
The man asked her about the direct debit, which she said she had not authorised, and said the bank had stopped an attempt to transfer £4,600 from her Isa to a woman whose name Smith did not recognise. He said someone in Aberdeen had logged in as her and that other transfers had been attempted, so the bank would have to shut down her account and set up a new one. The man said Smith would receive a secure text message with the details within minutes, which she did.
After being told she needed to move quickly as more transactions had been attempted, she transferred the money. Immediately afterwards she called the bank but although she waited on hold for more than 40 minutes, she could not get through. She called again and waited more than 20 minutes before someone answered. They confirmed they had not called Smith.
“Unfortunately it was too late,” Smith says.
A little later she was told the bank had completed its investigation and had only approved a partial refund, with £3,977 paid into her account. The account she had transferred the money to was also a Halifax account.
An investigator at the ombudsman service ruled: “I don’t think Bank of Scotland [of which Halifax is a division] have acted fairly,” and that Halifax should refund the money.
However, the investigator later told Smith that the bank disagreed with the findings.
A spokesperson for the parent company of Halifax, Lloyds Banking Group, said: “We have a great deal of sympathy for Mrs Smith … We acted immediately when the fraud was reported to recover the funds and were able to get back £3,977.17 of the money she sent to the fraudsters.
“However, she did not take steps to verify the caller was genuine, chose to make the payment despite the confirmation of payee check not matching and a specific and relevant warning which said that we’ll never call to tell you to move your money to another account and that if you get a call like this, it’s a scam.”
Four questions for the banks to answer
Why does it take so long to get through to the fraud department?
Victims who realised quickly that they had been scammed often tell us that they were on hold to fraud departments for ages before they could report what had happened.
The trade body for banks UK Finance says most have dedicated fraud helplines that allow customers to report cases, and it understands “that overall the average call waiting times for these helplines remain low”. It says customers should call up and also report their case to Action Fraud.
Two initiatives launched this week offer helplines for people who think they may have been contacted by fraudsters – one from Nationwide for its customers and one from a group of banks and telecoms companies (customers call 159 to get through). The idea behind both is that you check if a payment request is legitimate before you make the transfer.
Why don’t banks do more to stop criminals withdrawing the money?
Cases of authorised push payment fraud make up almost half of bank scams, and many of the victims we have heard from transferred money into an individual account. But even when they provided their bank with the details straight away, there were often only pennies left by the time the receiving bank froze the account. How is it that while banks query small payments, they can let thousands of pounds wash through an account in a short space of time?
UK Finance says banks have invested in technology that helps to track suspicious payments and identify money mule accounts used by scammers. “Criminals are targeting students and young people that have legitimate bank accounts to launder the fraudulent funds,” it says. “It is harder for the banks to spot, and often the criminals will transfer the money quickly via multiple accounts and into cryptocurrency wallets. We have seen an increased use of cryptocurrency wallet[s] as a means of criminals cashing stolen money out.”
How many cases are reported to the police?
In recent months there have been arrests and prosecutions linked to delivery text scams but the vast number of fraudsters seem to escape justice. UK Finance says its members report all relevant information on frauds to the police’s National Fraud Intelligence Bureau – last year 106,701 cases were reported in this way. “Cases where a bank does not have any actionable intelligence are not passed to police as there are no viable lines of inquiry but are reported to the Office for National Statistics and are included in the figures they publish to show the scale of fraud in the UK,” it says.
Why does the application of the CRM code vary from bank to bank?
Several big banks, and Nationwide building society, are signed up to the voluntary contingent reimbursement model code. It outlines the steps customers and banks should take to protect themselves from scams and how victims should be treated after losing money.
But the cases we have seen have resulted in a wide range of responses from banks, including those signed up to the code. Some victims have been reimbursed in full straight away, while others have had to fight to get back half of what they have lost. Others have had their appeals for a refund refused.
UK Finance says the code should be backed by legislation so that the protections apply consistently.
* Names have been changed