Criminals stole £30,000 from a vulnerable 89-year-old customer in a sophisticated and drawn-out impersonation scam. Her bank, Lloyds, initially refused to reimburse these losses, despite being signed up to a voluntary code that has introduced significant new protection for fraud victims.
Reports of authorised push payment (APP) fraud - where the victim is tricked into moving the money into a scammer's account - jumped by 45% in 2019 and resulted in losses of £456m. Most payments are made via online banking, but there has been a 177% spike in APP scams initiated via mobile banking apps and a 40% spike in those started in branches.
A year ago, the largest banks and building societies signed up to a new voluntary code that sets standards for treating victims of APP scams. Yet Which? has since raised concerns about the way banks are handling cases, from a to relying on generic fraud warnings to to customers.
Here, Which? explains how the 'safe account' bank transfer scam was carried out, how the victim eventually got her money back from Lloyds and how this case highlights how banks can arguably fail to adhere to the code.
In June 2019, Miss P (who wishes to remain anonymous) faced a two-pronged attack involving fraudsters claiming to be from both BT and the National Crime Agency.
The first caller told her that she had won a loyalty bonus worth £35 off her next BT bill and quoted the full details of her bank card as well as her full name and address 'to confirm her eligibility'. Although she shared no sensitive data over the phone, this laid the groundwork for the second stage of the scam.
A few days later, she received a call from the 'National Crime Agency' warning her that £400 had been taken from her account due to a series of scams involving BT and complicit banks. The caller explained that the authorities knew she had been targeted only days before by a caller pretending to be from BT.
They then asked her to help with their investigation into her local bank branch, by moving her money to a 'safe account'. She agreed and, as instructed, went to the local library to print off an email that appeared to confirm the opening of this safe account - with Clydesdale Bank - in her name. In reality, this account was controlled by the criminals.
Miss P then visited her nearest branch to transfer £30,000 from her account, telling them that she wanted to move the money so that her savings weren't all in one place, as she was coached to say.
Lloyds says staff followed the correct procedures, as per the Banking Protocol - a rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds.Nothing gave the bank cause for concern.
However, Miss P says no concerns were raised or questions asked.
It was only the following day when she attempted to move more money from her account, that staff blocked the payment and became concerned about a potential scam. They asked her to sit down with them and the scam quickly came to light.
Having banked with Lloyds for more than 70 years, Miss P was shocked to hear that she wouldn't get her savings back because 'she didn't take steps to verify the identity of the cold caller'.
She says she was subject to unsympathetic and protracted questioning, making her feel 'like an idiot'.
Under the APP code, banks and their customers must take steps to prevent APP fraud, but if both parties have met the standards set out in the code, there is a 'no-blame fund' that banks can use to reimburse innocent victims.
The code also states that firms should provide a greater level of protection for customers who are considered vulnerable to APP scams and these customers should be reimbursed regardless. Vulnerability exists if 'it would not be reasonable to expect that customer to have protected themselves, at the time of becoming victim of an APP scam, against that particular APP scam, to the extent of the impact they suffered'.
We are surprised that Lloyds felt in this case that their customer was at fault for failing to make sufficient checks and did not consider her vulnerable.
A close family friend encouraged Miss P to escalate her complaint to the (FOS), wrote to the Financial Conduct Authority (FCA) and came to Which? to raise her concerns about the way Lloyds handled this case.
Lloyds has since decided to reimburse the full amount.
A Lloyds Bank spokesperson said: 'Helping to keep our customers' money safe is our priority and we have a great deal of sympathy for [Miss P] who sadly fell victim to cold callers who scammed her into transferring a large amount of cash from her account.
'Before being contacted by Which?, we had already reviewed this case and refunded the full amount she lost after having taken everything into consideration about her circumstances. We have apologised for the service she experienced during what was already a very distressing time and have paid compensation in recognition of this and the delay in our investigation.'
UK Finance reports that between 28 May 2019 and 31 December 2019 a total of £101.1m was lost to APP fraud in cases assessed under the code. Of this total, £41.3m or 41% was reimbursed to victims compared with 19% of APP losses that were reimbursed before the code was introduced.
Although we are pleased this victim finally has her money back, this case does raise some important questions about the implementation of the APP code.
Lloyds believes that Miss P 'didn't conduct sufficient checks before making the payment'. When we asked what this means in practice, it told us that the voluntary APP code requires customers to take steps to confirm any payee is genuine:
'An example of this would be to contact the company/organisation that the cold caller claimed to be from on a genuine number for example on their website before transferring money. The customer said she did not verify the identity of the cold callers. When Miss P reported the fraud, she said she should have contacted the genuine company before making a payment and had recognised attempted scam calls in the past.'
We also asked Lloyds if it assessed vulnerability, taking into account her age and the fact that this scam took place over four days. The bank told us that it does take age into account 'as part of a range of factors when considering customer vulnerability, although it's not seen on its own as an indicator'.
We're concerned that other customers are not fully aware of what their banks expect from them before making a payment, or that they may be refused reimbursement if they fail to meet these expectations.