If you’ve been tricked into sending money to a criminal, you now stand a much better chance of getting your money back. But Which? Money has found that the way banks treat victims continues to be a lottery, despite the introduction of new industry standards.
The voluntary Contingent Reimbursement Model code, in place since May 2019, marked a breakthrough in protection for victims of bank transfer or authorised push payment (APP) fraud. It compels banks to reimburse blameless victims, as they do for fraud that’s related to card payments and direct debits.
Yet early signs suggest that banks are shifting responsibility onto customers, by refusing to cover losses on the basis that they show fraud warnings at the point of payment.
How does bank transfer fraud happen?
In the first half of 2019, losses to APP fraud reached £146m.
These scams often start with a text, email or phone call from a fraudster purporting to be someone you know personally or a legitimate company.
A common method is to pose as your bank and tell you your account has been compromised, instructing you to transfer your cash to a ‘safe account’ while the problem is resolved. But the account you move your money to will have been set up by the fraudster.
How the new fraud code protects you
If your bank is signed up to the code (check the table below) it must take steps to protect you from APP fraud. These include providing ‘effective warnings’ where it identifies a risk.
As a customer, you also have responsibilities – you shouldn’t ignore these warnings and must have a reasonable basis for believing that you’re paying the right person.
If both parties have met the standards set out in the code, there is a ‘no-blame fund’ that banks can use to reimburse innocent victims.
Although TSB is not a signatory of the code, it promises to reimburse all victims of fraud under its ‘Fraud Refund Guarantee’, launched on 14 April 2019.
The problem of victim blaming
Which? Money has heard from people who were told they won’t get their stolen savings back purely because they ‘ignored fraud warnings’ – even where it seems unfair to expect them to have behaved differently.
Some said their bank seemed ‘uninterested’ in the specific details or nature of the scam, even though this could inform their assessment.
Michelle, 38, lost almost £33,000 after responding to a text message about a ‘suspicious payment to Airbnb’ in August 2019.
It appeared to come from Lloyds Bank’s usual phone number, sandwiched between two genuine messages (see image, below), so she called the number supplied. She was unaware that scammers can manipulate the information shown on your phone to mimic the number of a real company, such as a bank (known as number spoofing).
Over the course of an hour Michelle was persuaded to transfer her money to a new account, in the belief that hers had been hijacked by criminals.
Lloyds says that, although it has sympathy for Michelle, it will not reimburse her, on the grounds that she ‘did not take sufficient steps to verify that either the text message or the person she spoke to on the phone were genuine’, and that she authorised the payments despite receiving ‘specific warnings’ stating that Lloyds would never ask a customer to move money to other banks.
Michelle had no reason to believe the text was fake, and Lloyds is yet to explain the ‘sufficient steps’ she ought to have taken. And, while she did notice an online warning about fraud when she made the first payment, the criminal on the phone was able to quickly dismiss her concerns.
We’ve advised Michelle to escalate her case to the Financial Ombudsman Service.
How banks warn you about bank transfer fraud
The code stipulates that fraud warnings must be ‘understandable, clear, impactful, timely and specific’ but individual banks are free to interpret this as they see fit.
Some (Barclays, the Co-operative Bank, Nationwide and Santander) ask you to select a payment type, such as paying a friend or buying goods, so that they can show you fraud warnings specifically tailored to the associated risks.
Others display a more generic message about bank transfer fraud (First Direct, HSBC, Lloyds, NatWest and Royal Bank of Scotland).
Are the warnings working?
Petko Kusev, Joseph Teal and Rose Martin from the Behavioural Research Centre of Huddersfield Business School believe that warnings without specific instructions are highly unlikely to be influential.
Patrick Fagan, a consumer psychologist from Goldsmiths, University of London, thinks it’s possible that warnings simply come too late once people have been targeted and interacted with the scammer.
He cites optimism bias as yet another hurdle – one that most research indicates can’t be overcome – where people tend to think that they are unlikely to be victims of fraud and therefore discount the warnings as irrelevant.
Warnings are less effective if they don’t speak to customers in their own language, says Fagan, and may be ignored as they become ‘part of the furniture’, particularly if banks don’t occasionally modify the text, placement and design.
Which? wants banks to provide evidence that their warnings are effective, as per the code, and suitable for different groups of people and under different circumstances.
Until they have, it’s hard to see how any bank could justify refusing to reimburse victims simply for ignoring a warning.
- The full investigation appeared in the February issue of Which? Money magazine.