NatWest and Royal Bank of Scotland (RBS) customers are potentially being targeted by scammers, Which? can reveal, after hearing from victims who lost a staggering £350,000 in all.
Which? Money Helpline has seen a large spike in calls about a type of bank transfer or ‘authorised push-payment’ (APP) fraud, where criminals pose as a legitimate company to trick you into transferring money from your bank account.
We’re concerned that an unusually large number of these are customers of NatWest and Royal Bank of Scotland, banking brands that are part of the RBS Group.
Between May 2018 and the first week of January 2019, our helpline spoke to 42 victims – and of the 19 cases where the fraudster pretended to be their bank (as opposed to a utility company or a government body such as HMRC), 18 banked with NatWest or Royal Bank of Scotland.
While this is only a snapshot and doesn’t reflect the industry as a whole, we’re concerned it points to an unusual level of fraud activity aimed at these customers.
It follows a BBC report in November 2018 that refers to dozens of other scam victims who are unhappy with NatWest’s response after being tricked by fraudsters posing as their bank.
How the scam is playing out
This type of APP fraud is called ‘malicious redirection’ – being tricked into sending payments to a criminal posing as a legitimate business. Another type is ‘malicious payee’, where you are tricked into paying for goods and services that don’t exist.
At least seven victims assumed they were speaking to genuine Royal Bank of Scotland or NatWest employees thanks to a particularly nasty trick called ‘number spoofing’. This involves using software to hijack a genuine text chain with your bank or to appear to call from its legitimate phone number.
Alarmingly, many of the scam callers have been able to access victims’ online and mobile accounts to:
- confirm specific debit card transactions
- move huge sums of money between accounts
- change account names.
The bank says this activity is only possible ‘once the fraudster has successfully harvested the customer’s security credentials’ through means such as phishing emails, scam phone calls or spoofed texts.
But once inside a customer’s bank account, fraudsters have been able to change the victims’ account names to ‘frozen’, ‘closed’ and ‘suspended’.
This has convinced victims that their accounts have been compromised. Fraudsters then tell customers to authorise transfers to ‘safe’ accounts, which the fraudsters have set up. In reality, the customers have sent money straight into the hands of criminals.
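The sequence described above (an account renamed to a status-like word, then a payment to a newly added payee) can be expressed as a monitoring rule. The sketch below is an added illustration, not part of the original report or any bank’s actual system; the event names, fields, sample data and 72-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Status-like words the article says fraudsters used as account names.
LURE_NAMES = {"frozen", "closed", "suspended"}
WINDOW = timedelta(hours=72)  # assumed look-back period; tune to real data

# Constructed sample events (hypothetical schema, not a real bank log format).
EVENTS = [
    ("2019-01-04T10:02", "cust-1", "account_renamed", {"new_name": "SUSPENDED"}),
    ("2019-01-04T10:03", "cust-1", "internal_transfer", {"amount": 12000}),
    ("2019-01-05T15:40", "cust-1", "payee_added", {"payee": "p-77"}),
    ("2019-01-05T15:44", "cust-1", "payment", {"payee": "p-77", "amount": 5000}),
    ("2019-01-04T09:00", "cust-2", "account_renamed", {"new_name": "Holiday fund"}),
    ("2019-01-04T09:30", "cust-2", "payee_added", {"payee": "p-12"}),
    ("2019-01-04T09:31", "cust-2", "payment", {"payee": "p-12", "amount": 250}),
    ("2018-12-01T09:00", "cust-3", "account_renamed", {"new_name": "frozen"}),
    ("2019-01-06T11:00", "cust-3", "payee_added", {"payee": "p-90"}),
    ("2019-01-06T11:05", "cust-3", "payment", {"payee": "p-90", "amount": 400}),
]

def find_safe_account_pattern(events, window=WINDOW):
    """Return alerts for payments to a new payee shortly after a lure rename."""
    last_lure = {}   # customer -> time of most recent lure-style rename
    new_payees = {}  # (customer, payee) -> time the payee was added
    alerts = []
    for ts, cust, kind, data in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "account_renamed":
            if data["new_name"].strip().lower() in LURE_NAMES:
                last_lure[cust] = when
        elif kind == "payee_added":
            new_payees[(cust, data["payee"])] = when
        elif kind == "payment":
            lure = last_lure.get(cust)
            added = new_payees.get((cust, data["payee"]))
            # Both the rename and the payee creation must be recent.
            if lure and added and when - lure <= window and when - added <= window:
                minutes = int((when - lure).total_seconds() // 60)
                alerts.append({"customer": cust, "payee": data["payee"],
                               "amount": data["amount"],
                               "minutes_since_rename": minutes})
    return alerts

if __name__ == "__main__":
    for alert in find_safe_account_pattern(EVENTS):
        print(alert)
```

In the sample data only cust-1 is flagged: cust-2’s rename is an ordinary nickname, and cust-3’s rename is too old to be linked to the payment.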
The largest single loss reported to us is £59,680. Initially, only two victims were refunded in full: one because NatWest accepted it could have done more to prevent the scam and the other because the recipient bank admitted to errors at its end.
Once the money has been transferred, the criminal will usually empty the account as quickly as possible, so it’s rare that the victim’s bank can reclaim the money.
So far, only £50,559 has been recovered of the £347,234 stolen from the 19 bank-related scams.
‘The fraudsters were in my account before I had logged on’
Chris from Buckinghamshire had to fight to get her savings back after being tricked into transferring £19,881, following a number of calls and texts from what appeared to be a NatWest number.
After the caller, ‘James’, warned her of attempts to set up direct debits in her name and a request to change her mobile number (which was confirmed in a genuine text chain), Chris was told the bank would be suspending her account to protect it.
She logged in via her mobile app to see that every account was marked ‘suspended’. At no time was she asked for her Pin or password.
The following day, she checked her app and found she was unable to log in. Anxious, she called NatWest directly and referred to the previous call. She was assured that although the systems were down, her account was safe. We feel that the bank could have done more to stop the scam at this point.
In a final two-hour call, over the weekend, ‘James’ asked her to log in using a secure browser, explaining that he would transfer money from her most vulnerable accounts.
‘The fraudsters were in my account before I had logged on. They were moving money around, in front of my eyes. I believed my money was being made safe as I had never heard of being simultaneously logged on to the same account unless you were the bank.’
Next, she was asked to set up a new ‘switch account’, by putting her debit card in a NatWest card reader and entering the relevant codes online. This resulted in a bank transfer of £19,881 to what Chris believed was a secure account under her own name.
It was only when her eldest daughter called in a panic after hearing about a friend who had been scammed in a similar scenario that the family realised what had happened.
NatWest was able to recover some of the money from the receiving bank, but initially refused to reimburse the rest.
Royal Bank of Scotland customer Rebecca discovered that a scammer was able to register on her mobile banking app – which RBS said would have required the scammers to have access to her password, Pin and security code – and move funds between various accounts.
Two of these accounts were marked ‘frozen’, and Rebecca says that she was sent codes via text to plug into her card reader. As far as she knew, this was to transfer money from her savings to her current account.
In reality, £7,744 was transferred out of her account and straight into the pocket of the fraudster. Initially, the bank refused to cover this loss, though it did refund £1,998 which was transferred after the scam was first reported.
Both Chris and Rebecca referred their complaints to the Financial Ombudsman Service but RBS Group has since decided to reimburse both customers, following our intervention. It said:
‘We are deeply sympathetic towards any customer who has fallen victim to a scam and appreciate this can be a traumatic experience. Having reviewed [Chris’] case, a decision has been made to uphold her claim and refund her for the loss.
‘We should have done more to protect her from this scam. Upon reviewing [Rebecca’s] case, we will reimburse as a goodwill gesture. We apologise for the distress caused to both.’
What does RBS have to say?
We first spoke to RBS Group in October 2018, when it said it was ‘not aware of any coordinated attack’. After we reiterated our concerns, it told us last week:
‘Keeping our customers safe and secure is of paramount importance to us. We understand that it can be traumatic for customers who fall victim to fraud and we have invested heavily across all our channels to continuously enhance security features.
‘In line with the industry, we have witnessed an increase in the number of enquiries from our customers with respect to APP scams.
‘We constantly update our systems and monitoring processes to improve detection of APP scams and have layered security systems which help protect customers, in addition to the personal security credentials our customers use for log in and payment authentication.
‘Additionally we continue to advise customers through all our channels and social media platforms on how to stay safe and protect themselves from falling victim to fraud and scams.’
RBS Group said it will never ask customers to move money to another account to keep it safe from scams or fraud and customers should never make a payment, transfer funds, or divulge full security credentials at the request of someone over the phone purporting to be from their bank.
If you receive such a request, terminate the call, never act and report it to the bank.
New hope for bank transfer fraud victims
Which? has learned that some banks – including RBS Group – make a clear distinction between victims of ‘scams’ (customers who have been tricked into authorising payments) and victims of ‘fraud’ (who have lost money due to payments made without their authority).
While fraud victims are typically entitled to reimbursement, unless there is evidence that they’ve been grossly negligent with their security details or cards, there is little protection for scam victims because they are deemed to have approved the transaction.
Following our super-complaint about these scams in 2016, we’ve been working with the industry to develop a voluntary code – the Contingent Reimbursement Model – that aims to better protect victims and allows some victims of this fraud to be reimbursed.
While the code is voluntary, Which? is pushing for all payment service providers (PSPs), including online-only banks, building societies and money-transfer services, to sign up.
Another industry-wide measure being introduced is the long-overdue Confirmation of Payee, which should be rolled out this year.
Once in place, banks will warn you when the payee name provided doesn’t match the receiving bank’s records, so you can make sure the account belongs to the person or organisation you are expecting to pay.
This won’t prevent all types of bank transfer fraud, but will give better protection against accidental mistakes and adds an important hurdle for fraudsters.
How the new protection code works
Banks and other PSPs that sign up pledge to improve fraud detection, provide effective warnings to customers about to make a transfer, act faster to stop suspicious payments in the first place, and do more to prevent accounts being opened by fraudsters.
If they don’t meet these standards, victims of APP fraud should be able to be reimbursed for their losses, either by the bank they sent the money from or by the bank that received the stolen funds. Both may hold some liability for failure to stop the fraud.
Consumers will also have responsibilities to meet within this code. If these rules aren’t adhered to, it could jeopardise victims’ chances of getting reimbursed after an APP scam. These include:
- Don’t ignore the banks’ fraud warnings or a negative confirmation of payee result.
- Take steps to ensure you know who you’re paying. What this means is a point of contention between banks and consumer groups. For example, we don’t think it’s reasonable for people to have to check Companies House when they pay a company.
- If you’re defrauded, be honest in your dealings with your bank. For example, if you say you haven’t given the scammer security details, and the bank finds out you have, it could jeopardise your claim.
- Small businesses or charities must follow their own internal anti-fraud processes – for example, new payments confirmed via phone.
- You must also not have been ‘grossly negligent’, but banks cannot use this just because you have fallen victim to a scam. The Financial Ombudsman Service has warned banks that, given the increasing sophistication of scams, they cannot simply refuse to reimburse someone for being grossly negligent because they unwittingly transferred money to a fraudster.
(This information was first published in the December 2018 edition of Which? Money magazine.)
Currently, however, there is a group of victims that will not receive reimbursement for APP fraud – those who have met their responsibilities but find that both sending and receiving banks have met theirs. This is referred to as a ‘no-blame’ scenario, where no parties involved are at fault for the scam taking place.
Banks and PSPs cannot agree on how to fund the reimbursement of this group of victims. Until a method is found, they will not be reimbursed.
Protection under the Financial Ombudsman Service
If you’ve been a victim of APP fraud, and you’re not happy with how your bank has dealt with your case, you can escalate it to the Financial Ombudsman Service, the body that resolves disputes between consumers and regulated financial companies.
At the moment, you can only complain about the provider you made a transfer from. However, from 31 January you will also be able to complain about the bank that received the stolen funds.