Action Fraud is warning of a sharp rise in scam text and emails preying on TSB customers following the bank’s IT meltdown last month.
A total of 321 complaints have been received by the UK police’s dedicated fraud tracking team since the beginning of May compared to 30 in the previous month. Over the same period, there have been 51 reports of cybercrime to Action Fraud referencing TSB, compared to 24 in the month before.
Worryingly, this has overloaded TSB’s fraud hotline and we’ve heard from distraught victims who have seen life-changing amounts of cash emptied from their accounts being forced to wait hours on hold for help, including one Which? member who has seen £10,000 disappear from her account.
Which? explains what to watch out for and how to keep safe.
TSB scams to watch out for
Opportunistic fraudsters are using the system issue TSB customers suffered earlier this month to target people with a wave of smishing texts and phishing email scams.
We’ve seen a deluge of examples of them on Twitter with many non-TSB customers raising the alarm.
But inevitably these scams are hitting the mark and causing confusion for real TSB customers.
— Marta (@tismarta) May 10, 2018
What is a ‘spoof’ text message?
A ‘spoof’ text message involves a fraudster disguising a message with the name of a bank or other genuine business.
The scams are particularly effective at fooling victims because of the way smartphones group messages which claim to come from the same source.
So if you already have genuine texts from TSB on your phone and a fraudster sends a message as ‘TSB’ your phone will automatically include it under the real ones, making it harder to tell it’s a scam.
Find out more about how this ploy works in our exclusive investigation how text message scammers pose as your bank to rip you off.
TSB scams in action
One convincing example we’ve seen is a spoof text that genuinely appears to be from TSB and is being added to existing TSB message threads on a victim’s phones.
It says: ‘Hello, TSB here. Use password 751540. Didn’t request this? Please call us on 03459758758’. The text is almost identical to the messages that TSB genuinely sends about logging into your account, making the scam extremely convincing.
The number is ‘spoofing’ TSB’s sender ID which allows it to be grouped with other TSB messages. It’s also spoofing a genuine TSB phone number but those that click the link end up ringing a scammer.
On the call, the scammer is likely to ask for your internet banking user ID, full name, and date of birth – which is all the information they need to reset your password.
This will generate a genuine text, with a genuine One Time Password or OTP code which the scammer will convince you to share with them – giving them free reign to empty your account.
Has there been a data breach?
The information needed to initiate this sort of scam has led some to ask if TSB has experienced a data breach.
— Mark Andres (@CloudHQ) May 10, 2018
During the IT debacle, as well as thousands of customers being locked out of their online accounts, some were able to see the details of other customers’ balances and payments when they logged on.
However, TSB insists there has been no data breach and customer details are safe.
A TSB fraud spokesperson said: ‘While our systems are safe and secure, unfortunately, fraudsters are increasingly sophisticated and looking to take advantage of situations like these by approaching customers.
‘Protecting our customers’ information is our number one priority. We are doing all we can to ensure customers don’t become a victim of fraud, whether they bank with us in branch, online or via the telephone and this is something we are working on with Action Fraud and a number of external organisations.
‘We are also working with these organisations to help them identify fraudulent sites so we can take them down as quickly as possible.’
‘£10,000 was emptied from my account’
TSB’s fraud services seem to be buckling under the pressure as fraud victims have been left on hold when trying to report what’s happened to them.
Which? member Pat Durham, from Nottinghamshire, thought something was suspicious when she got locked out of her TSB online banking two weeks ago. She went into a branch the same day and found that someone had accessed her account and managed to empty nearly £10,000 in various transactions.
The retired teacher, 64, told Which? Money she had not received any suspicious emails or texts claiming to be from TSB so has no idea how the fraudsters were able to access her account.
But she found it nearly impossible to get through to the TSB fraud team once she had discovered the life-changing sum of money had been stolen and on one day was left waiting three hours on the fraud hotline in her local branch.
When she got through she was not given any idea about if the cash would be repaid or when she could get back into her account.
Mrs Durham has since been refunded an arbitrary £8,000 – £2,000 short of what she lost, out of the blue and with no communication from TSB, leaving her confused and worried.
We asked TSB about what it’s doing to help fraud victims facing hours to speak to an adviser. A spokesperson said: ‘We apologise for the long wait times that customers may be experiencing. We’ve put in additional resources to help customers with their enquiries and we are working hard to improve call wait times.’
Your rights to a refund
Banks do not have to refund fraud victims if they can prove a customer shared sensitive information like user IDs, PINs or passwords.
However, some are calling for TSB to shoulder some of the responsibility as fraudsters capitalise on the bank’s very public IT problems, which have left customers more vulnerable to falling for these cons.
Gareth Shaw, Which? Money expert, said: ‘TSB customers will be looking for immediate answers to some big questions. Not only have they endured last month’s IT shambles, but they now find themselves more vulnerable to fraudsters who have capitalised on the meltdown.
“The bank has a long way to go to restore its customers’ trust and must take into consideration the additional consequences of its IT glitch when dealing with complaints of fraud.’
We asked TSB if it would treat customers fallen victim to fraud differently given the circumstances, a spokesperson said: ‘If customers have been a victim of fraud as a direct result of our recent IT issues they won’t be left out of pocket.’
This statement doesn’t confirm, however, whether or not customers who fall victims of scams will be refunded in full.
Find out more in our guide to how to get your money back after a scam.
How to spot a fake TSB text, email, call or tweet
TSB has issued a warning to customers about the increase in bogus emails, texts and tweets phishing for information.
The bank has sent customers emails and updated its site with information about how to keep safe and on how to spot when a communication isn’t from them.
Here are ten things it says it would never ever do:
- Ask you for your PIN or your online banking passwords
- Email you with a link directly to a web page that asks you for your username, password or any other personal details
- Ask you to email or text us your PINs, card details or passwords
- Ask you to authorise a payment or send money into a new account that you haven’t already set up
- Ask you to bank through a website or app that isn’t TSB
- Request that you to carry out a ‘test’ transaction online
- Ask you to make any transaction unless it’s inside a branch
- Ask you to hand over cash or cards to anyone
- Talk to you on social media through accounts that aren’t our official ones (Twitter – @TSB, Facebook – @Tsbbankuk and Instagram – @Tsbbank)
- Advise you to purchase land, diamonds or any other commodities
Find out more in our guide to how to spot a scam
How to keep safe
You should always question unsolicited texts, calls, emails and tweets claiming to be from TSB.
Phone numbers and email addresses can be made to look authentic, so always contact TSB directly via a known email or phone number, such as the one on the back of your bank card.
Never automatically click on a link in an unexpected text or email. Remember, a genuine bank will never contact you out of the blue to ask for your full PIN or password.
If you think you have received a phishing email or text, report it to Action Fraud using the online reporting tool.
If you have received a suspicious TSB email, do not respond to it, report it to Action Fraud and forward it to firstname.lastname@example.org, then delete it.