By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Scammers pose as the National Crime Agency to steal £30,000 from Lloyds customer

A new code has introduced greater protection for scam victims - but are banks applying the standards consistently?
Chiara CavaglieriSenior researcher & writer

Criminals stole £30,000 from a vulnerable 89-year-old customer in a sophisticated and drawn-out impersonation scam. Her bank, Lloyds, initially refused to reimburse these losses, despite being signed up to a voluntary code that has introduced significant new protection for fraud victims.

Reports of authorised push payment (APP) fraud - where the victim is tricked into moving the money into a scammer's account - jumped by 45% in 2019 and resulted in losses of £456m. Most payments are made via online banking, but there has been a 177% spike in APP scams initiated via mobile banking apps and a 40% spike in those started in branches.

A year ago, the largest banks and building societies signed up to a new voluntary code that sets standards for treating victims of APP scams. Yet Which? has since raised concerns about the way banks are handling cases, from a lack of due diligence in branches to relying on generic fraud warnings to shift the blame to customers.

Here, Which? explains how the 'safe account' bank transfer scam was carried out, how the victim eventually got her money back from Lloyds and how this case highlights how banks can arguably fail to adhere to the code.

Two-pronged 'safe account' scam

In June 2019, Miss P (who wishes to remain anonymous) faced a two-pronged attack involving fraudsters claiming to be from both BT and the National Crime Agency.

The first caller told her that she had won a loyalty bonus worth £35 off her next BT bill and quoted the full details of her bank card as well as her full name and address 'to confirm her eligibility'. Although she shared no sensitive data over the phone, this laid the groundwork for the second stage of the scam.

A few days later, she received a call from the 'National Crime Agency' warning her that £400 had been taken from her account due to a series of scams involving BT and complicit banks. The caller explained that the authorities knew she had been targeted only days before by a caller pretending to be from BT.

They then asked her to help with their investigation into her local bank branch, by moving her money to a 'safe account'. She agreed and, as instructed, went to the local library to print off an email that appeared to confirm the opening of this safe account - with Clydesdale Bank - in her name. In reality, this account was controlled by the criminals.

Miss P then visited her nearest branch to transfer £30,000 from her account, telling them that she wanted to move the money so that her savings weren't all in one place, as she was coached to say.

Lloyds says staff followed the correct procedures, as per the Banking Protocol - a rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds.Nothing gave the bank cause for concern.

However, Miss P says no concerns were raised or questions asked.

It was only the following day when she attempted to move more money from her account, that staff blocked the payment and became concerned about a potential scam. They asked her to sit down with them and the scam quickly came to light.

Why Lloyds initially refused a refund

Having banked with Lloyds for more than 70 years, Miss P was shocked to hear that she wouldn't get her savings back because 'she didn't take steps to verify the identity of the cold caller'.

She says she was subject to unsympathetic and protracted questioning, making her feel 'like an idiot'.

Under the APP code, banks and their customers must take steps to prevent APP fraud, but if both parties have met the standards set out in the code, there is a 'no-blame fund' that banks can use to reimburse innocent victims.

The code also states that firms should provide a greater level of protection for customers who are considered vulnerable to APP scams and these customers should be reimbursed regardless. Vulnerability exists if 'it would not be reasonable to expect that customer to have protected themselves, at the time of becoming victim of an APP scam, against that particular APP scam, to the extent of the impact they suffered'.

We are surprised that Lloyds felt in this case that their customer was at fault for failing to make sufficient checks and did not consider her vulnerable.

How did the victim get her money back?

A close family friend encouraged Miss P to escalate her complaint to the Financial Ombudsman Service (FOS), wrote to the Financial Conduct Authority (FCA) and came to Which? to raise her concerns about the way Lloyds handled this case.

Lloyds has since decided to reimburse the full amount.

A Lloyds Bank spokesperson said: 'Helping to keep our customers' money safe is our priority and we have a great deal of sympathy for [Miss P] who sadly fell victim to cold callers who scammed her into transferring a large amount of cash from her account.

'Before being contacted by Which?, we had already reviewed this case and refunded the full amount she lost after having taken everything into consideration about her circumstances. We have apologised for the service she experienced during what was already a very distressing time and have paid compensation in recognition of this and the delay in our investigation.'

Can the voluntary code protect you?

UK Finance reports that between 28 May 2019 and 31 December 2019 a total of £101.1m was lost to APP fraud in cases assessed under the code. Of this total, £41.3m or 41% was reimbursed to victims compared with 19% of APP losses that were reimbursed before the code was introduced.

Although we are pleased this victim finally has her money back, this case does raise some important questions about the implementation of the APP code.

Lloyds believes that Miss P 'didn't conduct sufficient checks before making the payment'. When we asked what this means in practice, it told us that the voluntary APP code requires customers to take steps to confirm any payee is genuine:

'An example of this would be to contact the company/organisation that the cold caller claimed to be from on a genuine number for example on their website before transferring money. The customer said she did not verify the identity of the cold callers. When Miss P reported the fraud, she said she should have contacted the genuine company before making a payment and had recognised attempted scam calls in the past.'

We also asked Lloyds if it assessed vulnerability, taking into account her age and the fact that this scam took place over four days. The bank told us that it does take age into account 'as part of a range of factors when considering customer vulnerability, although it's not seen on its own as an indicator'.

We're concerned that other customers are not fully aware of what their banks expect from them before making a payment, or that they may be refused reimbursement if they fail to meet these expectations.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.