
First in Which? Money magazine
This story first appeared in Which? Money magazine. Join for reviews and investigations, plus 1-to-1 guidance from our experts.
Join Which? MoneyOnly £49 per year

Alexandru, 25, who lives in east London and is receiving treatment for cancer, lost more than £18,000 to digital wallet scammers in a matter of hours. He's one of many victims losing life-changing sums because fraud protections don’t extend to authorised card payments.
Last year, Which? reported that digital wallet scams are causing major losses for banks, yet most still rely on one-time passcodes (OTPs) for security checks.
Revolut bank won't reimburse Alexandru because he shared one of these OTPs with phone scammers and ignored its warnings, even though the industry is well aware that attackers trick users into handing over these codes.
Here, we explain how the scam unfolded and explore what more could be done to protect the public.
It started with a phone call from fraudsters posing as employees of the Lloyds Bank fraud department. They knew Alexandru’s exact account balances and card details – information he hadn’t shared – and claimed his accounts were under attack, coaching him to make nine transfers from his Lloyds account to Revolut for ‘security purposes’.
They convinced him to share an OTP sent to his mobile next, which they immediately used to add his Revolut card to their own Apple Pay wallet.
Revolut’s systems did flag the danger initially, blocking attempted purchases at a cryptocurrency exchange, pawnbroker and luxury department store Selfridges London. But Alexandru was still under the scammers’ spell and confirmed his identity via the app, thinking he was still taking steps to protect his account.
What followed was an outrageous contactless spending spree. The rampaging criminals quickly spent £16,210 at Selfridges and £2,238 at various online stores, even treating themselves to dinner to top off their busy day, spending someone else's money.
Only £1,582 was refunded via chargeback, and Revolut refused to refund the remaining balance because Alexandru shared the OTP linking his card to a new digital wallet and explicitly confirmed his identity multiple times.
Yet this case follows a pattern that is extremely familiar to Which? – a series of high-value transfers from a high street bank, followed by the card being registered to a new device and a spate of luxury purchases.
We think Revolut’s responsibilities should stretch beyond app requests when there are such clear red flags. Banks should know that OTPs are vulnerable to social engineering because impersonation scammers are extremely skilled at manipulation, regardless of whether customers are reminded not to share passcodes.
A more direct intervention had a much better chance of helping Alexandru, not least because many people have ‘notification fatigue’ and can easily dismiss in-app fraud warnings.

This story first appeared in Which? Money magazine. Join for reviews and investigations, plus 1-to-1 guidance from our experts.
Join Which? MoneyOnly £49 per year
Social engineering attacks present a huge challenge to the industry, but we think banks could be doing more.
Helping customers spot fake phone calls is a crucial layer of defence, yet only a handful of providers offer some form of caller verification: Barclays, Monzo, Nationwide, Revolut and Starling.
Revolut’s ‘we are not talking to you’ feature flags whether or not you are talking with a Revolut agent if it detects you are on a call when you open the app, although this was not in place at the time Alexandru was scammed.
Banks can detect anomalous activity, such as a new device or location linked to your account, so they should intervene in meaningful ways when they suspect fraud, or share this information to help you flag unauthorised spending. They should also make it hard for scammers to register your card details on their own device, yet most rely on OTPs sent by text message.
Digital wallet controls are also lagging behind. Many banks now allow you to view, manage and 'untrust' devices linked to your online banking; however, we aren’t aware of any banks that let you do the same for digital wallets linked to your bank cards.
Some get close, for example, Starling customers can go to the card hub section of their apps to remove all access to mobile wallets at the push of a button. Several banks, including Barclays, Santander and TSB, let you switch off the contactless functionality on your card, which they say should also block the ability to use that card in a digital wallet.
These options offer a decent level of security; however, they only come into play once you are aware that your card details have been stolen or cloned in a criminal’s wallet. A detailed list of all devices and digital wallets linked to your cards – with the option to instantly remove unauthorised access – would be a stronger defence.
Revolut and Lloyds said they are always sorry to hear of any instance where customers are targeted by ruthless and sophisticated criminals; however, neither will reimburse Alexandru.
Lloyds said his account details may have been compromised through phishing, and that as the fraudulent payments were made from his account at another bank, that bank is responsible for any reimbursement under the regulator’s rules.
Revolut said: ‘Unfortunately, in this case, our understanding is that the customer provided details to a third party that allowed them to add a card into an Apple Pay wallet, which subsequently carried out the disputed transactions. Customers are explicitly told never to share OTPs with anyone else.
‘In this case, Revolut’s systems identified activity as potentially suspicious and targeted alerts were sent to his Revolut app, which were bypassed. As a goodwill gesture, we sought to recover funds on the customer’s behalf through the commercial dispute process and were able to retrieve £1,582.
'Criminals are always looking for new and different ways to perform fraudulent activity. If you think you have fallen victim to a scam or you don’t recognise an outgoing transaction on your account, we advise you to freeze your cards immediately. Please update your Revolut passcode as well as any personal email account passwords and contact Revolut customer support via our secure in-app chat.’