Financial fraud explained
Criminals will use any number of tactics to commit fraud, most recently increasing their use of online platforms and social media channels to target victims.
Card fraud remains one of the most lucrative cons around. Although losses fell by 7% to £574.2m in 2020, card fraud made up 45% of all financial fraud losses in that year, as reported by the banking industry.
Fraud losses in 2020
Remote banking fraud occurs when criminals access an account (via the internet, mobile or telephone banking) to make an unauthorised transfer, typically by tricking customers into revealing their security details through scam phone calls, texts and emails.
UK Finance data shows that while telephone banking fraud fell by 33% in 2020 (from 11,199 to 7,490 cases), hacking of online and mobile accounts has increased dramatically. Internet banking fraud was up 117% (from 25,849 to 55,995 cases) and mobile banking fraud cases was up 48% (from 6,872 to 10,155 cases).
Cheque fraud - involving counterfeit, altered, or forged cheques - has also spiked, though fraudsters have targeted business accounts rather than individual customer accounts.
What is card fraud?
Card fraud data is split into five categories (see below for details), with remote purchase fraud the most common by some distance.
- Remote purchase fraud Also called 'card-not-present' fraud, this is when card details are stolen (for example, through a computer virus or an unsolicited email) and used to buy goods online, by phone or by mail order.
- Lost and stolen cards When a criminal uses a lost or stolen card to make a purchase (remotely or face-to-face) or withdraw funds from an ATM. Victims might be shoulder-surfed for their Pin or even tricked into handing their cards over to criminals pretending to be helping with a police enquiry (often referred to as a courier scam).
- Counterfeit card fraud When a fake card is created using stolen details from the magnetic strip on a genuine card. Crooks can use a cloned card in countries where chip and Pin isn’t available, such as the US.
- Card ID theft When stolen or fake documents are used to open a new account in someone else’s name (application fraud), or when a criminal takes over an existing account.
- Card not received fraud When a new or replacement card is stolen in transit before you receive it e.g. from a communal letterbox.
How can I spot card fraud?
It's important to keep an eye on your finances and contact your bank if you're suspicious.
1. Scan statements
Keep a close eye on your statements to spot unusual transactions and flag anything suspicious to your bank. Some banks offer real time notifications of payments.
2. Check your credit report
Monitor your credit report for any new accounts opened in your name.
If you have fallen victim to card fraud, then check your credit report after the incident. If the fraudster's actions led to a change to your report (multiple credit cards being opened, for instance), than contact the banks or card providers and ask the incident be removed from your report.
3. Act quickly
Report fraudulent payments and lost or stolen cards immediately. If you think mail has been intercepted, or redirected to a new address, contact Royal Mail.
4. Change your security details
If your online account has been hacked, change passwords and Pins to prevent the fraudsters from doing any further damage.
5. Get a refund
Banks should refund your account by the end of the next working day, unless they’ve reason to believe you acted fraudulently or negligently.
Card fraud: how do I get my money back?
For debit cards, the new Payment Services Regulations state that the most you should have to pay is the first £35 (previously £50) of an unauthorised transaction if the bank has reason to believe you should've been aware that your payment details were lost or stolen.
Your bank can only refuse to refund you if it has evidence that you acted fraudulently, or with 'gross negligence' - and the this is a high bar – the regulations describe it as ‘involving conduct exhibiting a significant degree of carelessness’.
Your bank can’t say that use of your password or Pin proves that you authorised a payment, although victims have told us this continues to happen
If the fraud occurs on a credit card or a credit facility, the Consumer Credit Act takes precedence.
The issue of 'gross negligence' doesn't arise in this act so unless your card provider can demonstrate that you authorised the payment, you should get your money back.
Importantly, this means that if an unauthorised payment was from an overdrawn current account (a credit facility for the purposes of the law), you can only be held responsible for the first £35 and should be refunded the rest of the overdrawn balance, including any charges incurred as a result.
- Read about your rights if your card has been lost or stolen.
How long will the bank take to refund?
Unlike victims of ‘authorised push payment' fraud, who are tricked into transferring money to scammers, the majority of card fraud victims are reimbursed by their bank.
Banks should refund you by the end of the following business day - from when they are made aware of the problem - but our latest investigation has found that people can struggle for weeks or even months to secure these refunds.
Debit card fraud victims were more likely to receive a prompt refund – 79% were refunded within a week, compared with 61% of credit card fraud victims. But 12% of credit card fraud victims waited at least four weeks for a refund, with 6% of these left out of pocket for between three and six months.
Which? wants providers to refund victims without delay. We also think they can improve fraud detection and offer victims better support and advice so they can protect themselves in future.
Even though banks use technology to track suspicious payments, our survey found that debit card fraud victims were almost as likely to notice fraudulent transactions first (49%) as their bank (51%).
Credit card firms were far more likely to notice fraud first (56%) in comparison to victims (38%), with Tesco Bank, American Express and Nationwide coming out on top. Barclaycard and Lloyds were the least likely to notice credit card fraud first.
When asked to rate providers on the clarity of information given about how and why the fraud happened, 39% of credit card fraud victims described their provider as poor, and 21% said guidance on how to minimise the risk of fraud in future was poor.
We surveyed 920 Which? members in November 2020 about their recent experiences of bank fraud.
What if the bank refuses to refund me?
If you’ve been a victim of fraud, your card provider should refund you immediately, unless it has evidence that:
- You authorised the transactions yourself - and the bank can demonstrate this, though you can still ask for a refund thanks to a voluntary code for authorised bank transfer scams (more on this below).
- You acted fraudulently or negligently - the burden of proof is on the bank to show that you deliberately or with ‘gross negligence’ failed to protect your card and/or Pin.
- You left it too late - the regulations state that you must inform your provider of unauthorised payments without 'undue delay' and, in any case, within 13 months.
Data exclusively obtained by Which? Money shows that banks don't always get this right.
If your bank or credit card provider has refused to refund an unauthorised transaction, you can take your case to the Financial Ombudsman Service (FOS). If the FOS agrees with you, it will uphold your complaint and can order the provider to refund you.
The table below ranks firms by the best to worst uphold rate for disputed transactions from April 2017 to the end of September 2020, indicating the customers most likely to have their fraud complaints unfairly rejected.
|Firm Name||Number of resolved cases||Uphold rate (%)|
|Tesco Personal Finance||282||30%|
|Bank of Scotland [a]||2194||37%|
|Barclays Bank [b]||1836||39%|
|Nationwide Building Society||1468||47%|
|Barclays Bank UK [b]||3454||52%|
|The Co-operative Bank||286||53%|
|HSBC UK Bank [c]||2105||54%|
|The Royal Bank of Scotland||972||64%|
Table notes: We’ve used Financial Ombudsman Service data from 2017-2020 to rank firms by uphold rate. The higher the uphold rate, the more often a firm has unfairly rejected customers’ complaints. Data covers card fraud, chip and Pin disputes, cash not dispensed from ATMs, ID theft and authorised push payment scams [a] Includes Halifax complaints [b] Barclays split into two entities in April 2018 when it ring-fenced its UK retail and business customers: Barclays Bank and Barclays Bank UK (which includes Barclaycard complaints) [c] Includes First Direct complaints.
These figures suggest customers of Royal Bank of Scotland (RBS) and NatWest - part of the same banking group - are at particular risk of getting a raw deal.
We showed these figures to NatWest and a spokesperson said: ‘We recognise that being a victim of a scam can be lifechanging. We continue to invest heavily in our defences as well as working with telecoms and social media companies to help our customers avoid becoming the victim of this type of crime. In terms of the value of money our customers send to scammers, we recover and refund more than most banks.’
NewDay (a store card provider), TSB and Clydesdale Bank customers should also be concerned that the FOS upheld more than 60% of cases. However, it is worth noting TSB introduced a 'fraud refund guarantee' in April 2019 promising to refund all innocent victims of fraud and its uphold rate fell to 44% between April 2020 and September 2020.
How to complain about card fraud
If you think your card provider has wrongly denied you reimbursement, or treated you unfairly in another way, you should lodge a formal complaint.
Within 15 business days, you must receive a full response to complaints about most unauthorised payments. Firms can extend this to 35 business days in exceptional circumstances, but they must send a holding letter in the meantime.
The FOS will look at complaints related to disputed transactions for all FCA-regulated financial firms, including PayPal and store card providers such as NewDay.
If an investigator finds insufficient evidence that you authorised the transaction or acted with gross negligence, your card provider will be asked to refund the loss along with appropriate interest from the date of the disputed transaction.
- Follow our step-by-step guide on how to take your complaint to the Financial Ombudsman Service.
Authorised push payment fraud - where victims are tricked into transferring money to an account controlled by a criminal - is ruthless and fast-growing.
As with card fraud, there are many different types of APP fraud, detailed below.
If you are a victim of authorised push payment fraud it can be difficult to get a refund because banks are legally required to follow your instructions. However, all banks must take steps to protect customers from financial harm.
We have developed a step-by-step guide on what to do if you're a victim of authorised push payment fraud.
Additional protection is in place for customers of banks signed up to a new voluntary code for APP scams, which provides a reimbursement fund for blameless victims.
Which? has some early concerns about the way this code is being interpreted by banks, as we found that banks are using online warnings to shift the blame onto customers and avoid refunding losses.
But, this still offers a lifeline to victims and crucially, will be taken into account by the Ombudsman where complaints are referred to its service.
- Sign up for the Which? scam alert emails to keep one step ahead of the fraudsters.