Card and internet banking fraud explained
Internet banking fraud occurs when criminals access an online account to make an unauthorised transfer, typically by tricking customers into revealing their security details through scam phone calls, texts and emails.
UK Finance data shows that instances of internet banking fraud increased by 24% in 2019, though total fraud losses fell slightly to £111.8m.
Losses due to payment card fraud fell from 8.4p per £100 spent in 2018 to 7.5p per £100 in 2019, though the volume of cases is up 5%.
Card fraud data is split into five categories (see below for details), with remote purchase fraud the most common by some distance.
Remote purchase fraud Also called 'card-not-present' fraud, this is when card details are stolen (for example, through a computer virus or an unsolicited email) and used to buy goods online, by phone or by mail order.
Lost and stolen cards When a criminal uses a lost or stolen card to make a purchase (remotely or face-to-face) or withdraw funds from an ATM. Victims might be shoulder-surfed for their Pin or even tricked into handing their cards over to criminals pretending to be helping with a police enquiry (often referred to as a courier scam).
Counterfeit card fraud When a fake card is created using stolen details from the magnetic strip on a genuine card. Crooks can use a cloned card in countries where chip and Pin isn’t available, such as the US.
Card ID theft When stolen or fake documents are used to open a new account in someone else’s name (application fraud), or when a criminal takes over an existing account.
Card not received fraud When a new or replacement card is stolen in transit before you receive it e.g. from a communal letterbox.
Banks unfairly rejecting card fraud claims
If you’ve been a victim of fraud, your card provider should refund you immediately, unless it has evidence that:
- You authorised the transactions yourself - and the bank can demonstrate this, though you can still ask for a refund thanks to a voluntary code for authorised bank transfer scams (more on this below).
- You acted fraudulently or negligently - the burden of proof is on the bank to show that you deliberately or with ‘gross negligence’ failed to protect your card and/or Pin.
- You left it too late - the regulations state that you must inform your provider of unauthorised payments without 'undue delay' and, in any case, within 13 months.
Data exclusively obtained by Which? Money in 2017 shows that banks don't always get this right.
If your bank or credit card provider has refused to refund an unauthorised transaction, you can take your case to the Financial Ombudsman Service (FOS). If the FOS agrees with you, it will uphold your complaint and can order the provider to refund you.
The table below ranks firms by the worst uphold rate for disputed transactions from April 2015 to February 2017, indicating the customers most likely to have their complaints unfairly rejected.
|Complaints resolved by FOS||Upheld in favour of consumer|
|Barclays (inc Barclaycard)||975||36%|
|Bank of Scotland (inc Halifax)||478||22%|
|HSBC (inc First Direct)||493||21%|
Table notes: The uphold rate is created by looking at the outcome of the all the resolved cases in the period April 15 – Feb 17. We’ve only included providers with more than 100 resolved cases. Disputed transactions are defined as credit and debit card fraud and this may include misplaced transactions, missing payments, ATM disputes and debits applied incorrectly by retailers.
These figures suggest Barclays and Santander customers are at particular risk of getting a raw deal, with nearly a third wrongly denied compensation.
When we obtained these figures in 2015, Barclays' record was even worse - the FOS upheld 56% of cases about disputed transactions.
We showed these figures to Barclays and a spokesperson said: ‘We know from independent data that we’re making progress, but there is still more to do as these figures show. We will continue to take the action required to deliver the best experience possible for our customers.’
Card fraud rules and regulations
For debit cards, the new Payment Services Regulations state that the most you should have to pay is the first £35 (previously £50) of an unauthorised transaction if the bank has reason to believe you should've been aware that your payment details were lost or stolen.
Your bank can only refuse to refund you if it has evidence that you acted fraudulently, or with 'gross negligence' - and the FOS takes the view that this is more than just carelessness.
If the fraud occurs on a credit card or a credit facility, the Consumer Credit Act takes precedence.
The issue of 'gross negligence' doesn't arise in this act so unless your card provider can demonstrate that you authorised the payment, you should get your money back.
Importantly, this means that if an unauthorised payment was from an overdrawn current account (a credit facility for the purposes of the law), you can only be held responsible for the first £35 and should be refunded the rest of the overdrawn balance, including any charges incurred as a result.
Read about your rights if your card has been lost or stolen.
Deal with card fraud in five steps
1. Act quickly Report fraudulent payments and lost or stolen cards immediately. If you think mail has been intercepted, or redirected to a new address, contact Royal Mail.
2. Change your security details If your online account has been hacked, change passwords and Pins to prevent the fraudsters from doing any further damage.
3. Check your credit report Monitor your credit report for any new accounts opened in your name.
4. Scan statements Contactless cards can be used fraudulently after being cancelled, so keep a close eye on your statements.
5. Get a refund Banks should refund your account by the end of the next working day, unless they’ve reason to believe you acted fraudulently or negligently.
Card fraud victims rate their bank
In November 2018, we spoke to more than 900 Which? members to find out how their provider or bank dealt with them after they were defrauded by card criminals. Results are in the table below.
We ranked credit card companies and bank account providers by their overall level of helpfulness.
This score includes the speed of receiving a replacement card, the guidance that was given on how to minimise the risk of fraud in the future, the communication provided by the bank following the fraud, and how customers would rate the overall reaction to the fraud.
Credit card providers
|Credit card providers||Communication after the fraud took place||Guidance on minimising fraud risk in the future||Speed of replacement card||Overall response to fraud||Helpfulness score|
|M&S Bank (33)||89%||-||91%||90%||90%|
|American Express (Amex) (35)||85%||-||87%||88%||87%|
|Tesco Bank (54)||81%||66%||83%||84%||79%|
|Lloyds Bank (34)||73%||74%||86%||79%||78%|
|John Lewis Partnership/Waitrose (61)||75%||57%||81%||77%||72%|
Debit card providers
|Debit card providers||Communication after the fraud took place||Guidance on minimising fraud risk in the future||Speed of replacement card||Overall response to fraud||Helpfulness score|
|Nationwide BS (39)||87%||84%||87%||90%||87%|
|Lloyds Bank (43)||82%||73%||86%||83%||81%|
|Barclays Bank (48)||78%||69%||88%||78%||78%|
Table notes: Helpfulness score includes speed of receiving replacement card, the guidance given on minimising card fraud, the communication provided by the bank following the fraud and overall response to fraud. Sample size in brackets. A bank needed 30 responses in at least two of the four categories, including overall response to fraud (a dash indicates that the sample size wasn't big enough to quote results).
M&S Bank came top of credit card providers for helpfulness, with a score of 90%, and impressed customers with level of communication after a fraud occurred, as well as the speed a replacement card was received.
John Lewis Partnership/Waitrose were at the bottom of the table with 72%, and received a score of 57% for the guidance provided on minimising fraud risk.
Nationwide Building Society customers were pleased with the helpfulness of their bank, and it came top of the table with 87%. NatWest was bottom of the bunch with a helpfulness score of 73%.
If you've been inspired to change your bank account or credit card provider, find out how in our guides to switching your bank.
What if I authorised a payment to a scammer?
Authorised Push Payment (APP) fraud - where victims are tricked into transferring money to an account controlled by a criminal - is ruthless and fast-growing.
The number of reported cases jumped by 45% from 2018 to 2019 and victims lost a total of £455.8m, split between personal (£317.1m) and business (£138.7m).
As with card fraud, there are many different types of APP fraud, detailed below.
- Purchase scams Goods, such as those advertised on social media sites, that never arrive
- Investment scams Fictitious funds or fake investments
- Romance scams Maliciously targeting victims via social media or dating websites and asking them for money
- Advance fee scams Criminals pretending payment will lead to a windfall e.g. lottery win or inheritance
- Invoice and mandate scams Sending victims fake invoices from someone they’re expecting to pay, such as a builder or solicitor
- CEO fraud Impersonating high-ranking officials from the victim’s organisation to request money
- Impersonation scams Where criminals pose as the police, banks or other familiar firms and request bank transfers to accounts they control
How do I get my money back?
It can be difficult to get a refund of APP fraud losses, because banks are legally required to follow your instructions.
However, firms sometimes wrongly refuse to reimburse customers where they could've done more to prevent financial harm. We examine some of these cases in this news story.
Additional protection is in place for customers of banks signed up to a new voluntary code for APP scams, which provides a reimbursement fund for blameless victims.
Which? has some early concerns about the way this code is being interpreted by banks, as we found that banks are using online warnings to shift the blame onto customers and avoid refunding losses.
But, this still offers a lifeline to victims and crucially, will be taken into account by the Financial Ombudsman where complaints are referred to its service.
- Follow our step-by-step guide on how to take your complaint to the Financial Ombudsman Service.