The Revolut Google advert scam is back, helping criminals steal more than £67,000 from at least eight victims. Which? is concerned that both Google and Revolut aren't doing enough to protect and warn users.
Which? first reported a malicious Revolut advert to Google in and again in . A third advert has since materialised, aiming to trick users into calling a phone number answered by scammers impersonating the e-money firm.
We've heard from eight victims who have each lost thousands of pounds after using the search engine to find a Revolut helpline. Revolut doesn't operate telephone customer services - users must contact them via the app chatbot instead.
Five days after we reported this latest example to Google, the advert was still live, although the homepage has since been changed to state 'we are third party call connection service providers' and 'we have no ties to Revolut'.
Here, Which? reveals the nasty tactics used by the fraudsters behind the scam.
We are aware of at least one advert, shown below, although there may be others. This directed users to a website, shown after, that uses Revolut branding and supplies an 0800 phone number to call.
After we reported this to Google and Revolut, the homepage was changed (see the third image, below).
Once victims called the number supplied, an automated message told them 'thank you for calling Revolut' before they were put through to someone who claimed to be working for the e-money firm.
Victims were then told to download a remote-access tool called TeamViewer QuickSupport, which the scammers used to gain access to their smartphones. Although the app is legitimate, Which? has previously warned of .
One victim was told that this was necessary to effect a refund after he was overcharged at a petrol station. Another was told that he needed to install TeamViewer to access the app because he had forgotten his login details.
Once the fraudsters had access to their devices, they could set up new beneficiaries without their knowledge or consent.
In several cases, the impersonators convinced victims to transfer money from other bank accounts to their Revolut accounts in order to 'verify their account' or 'set the transfer limits'. One was told to upload a 'selfie' and take a picture of his passport to confirm his identity, putting him at serious risk of .
The largest single loss was $30,000 from a business account. In this case, the victim was unable to activate his new Revolut card and searched for a phone number to call.
He clicked on a link that claimed to be providing a legitimate phone number and was put through to someone who promised to get his card and account working. He was told they needed to 'transfer funds to a treasury account within Revolut' and would do so by taking control of his phone.
The fraudsters said that the remote access tool was a new feature of the Revolut app. Once they had control of his phone, they moved the money in three transactions - one to a Barclays account and two to other Revolut accounts. He was on the phone to the scammers for three hours in total.
As he appeared to be named as the beneficiary of the payments, he did not suspect fraud. A chat advisor later claimed that the scammers may have set up a fraudulent Revolut account in his name, possibly using a high-quality fake ID.
We were unable to contact the website owners as the phone number supplied has been disconnected and it did not provide any other method of contact.
However, some of the latest victims have been told they will not be reimbursed.
Revolut - which operates under an in the UK, not a banking license - told one victim the decision to give remote access means that the request for a reimbursement 'falls into a category in which we cannot assist and therefore we will be unable to refund you'.
Banks and e-money firms must reimburse unauthorised transactions unless they can prove the customer authorised the payments, or they believe the customer acted with gross negligence.
Firms should set a high bar for gross negligence, well beyond ordinary carelessness. We don't believe that giving remote access to your device would be grossly negligent in these circumstances.
Several victims told us they feel Revolut hasn't adequately protected them, because it failed to flag unusual transactions as potentially fraudulent.
For example, one told us that his account had been dormant for over two years. Despite the long period of inactivity, Revolut's systems failed to block £3,000 being credited to his account and transferred out within minutes. The victim told us that Revolut did not require any two-step verification security checks.
Revolut told Which? it will re-examine the specific cases we have raised. We will update this story once it has made a decision. It told us:
'We understand the distress that victims of fraud face, and we make it a priority to investigate every case with compassion and care. We also work to identify and implement best practice solutions to help protect customers against financial crime, in line with other industry players.
'We have introduced a number of initiatives to help protect and educate customers on this issue, including strong customer identification and quarterly communications campaigns on how customers can protect themselves from scams. We are committed to combating financial crime and protecting our customers' money. We are continuously improving our fraud defense programme with some major upgrades planned over the next few weeks.'
Which? believes Google should do more to protect people from this particular type of scam. It shouldn't be this easy for scammers to set up malicious adverts once, let alone three times.
A Google spokesperson told Which?: 'UK consumers often look online for help with financial decisions, but there are bad actors who purposely set out to mislead or take advantage of them. Protecting these consumers and the credible businesses operating in this area is a priority for us, which merits careful rules and enforcement.
'We have policies that determine which ads we allow and prohibit on our platforms, and if we discover sites that are breaking our policies, we take appropriate action.'
Revolut has started to locate the telecoms provider for the virtual phone numbers supplied on the scam advert to get them disconnected - a method which it says has proved to be more effective than asking Google to remove the adverts.
Revolut told Which?: 'As soon as such fake ads are brought to our attention, we immediately report them to Google and request that they be taken down. Unfortunately, the timing for this process is dependent on Google. We also work with telecoms providers to have these fake phone numbers disconnected.
'Each quarter, Revolut runs a full-scale communications campaign to educate customers on account security. While these campaigns are effective, we recognise that we can do more to raise awareness around this particular issue and have a programme to increase customer awareness and help them reduce their risks.'
We think Revolut must make it crystal clear to users that anyone offering a Revolut phone number may have malicious intent. None of the victims we spoke to were aware of this.
Revolut needs a secure method of contact for users who are unable to use the in-app chat function.
Several of the victims we spoke to were attempting to contact Revolut because they were receiving frequent emails from Revolut requiring them to submit new ID. These emails contained no information about what to do if they experienced any issues with the app.
If Revolut used these genuine communications to remind customers that phone numbers supplied on Google adverts may be malicious, the victims we spoke to may not have lost their life savings.
This is designed to help them quickly and more effectively signpost bogus adverts to online platforms such as Google and Facebook.