Watch out for fake messages about the new fraud refund scheme

Fake emails from 'NatWest' are doing the rounds and more will follow, warns Which?

Which? is warning the public to be on high alert for scams related to a new fraud reimbursement scheme in the coming weeks and months.

From 7 October 2024, all firms using Faster Payments (real-time transfers between UK bank accounts) will be liable to refund victims of authorised push payment (APP) fraud, meaning customers will be receiving genuine messages about this scheme from their banks and other payment firms. 

Scammers love to jump on anything newsworthy – as it makes their fakes harder to spot – and Which? has already seen an example of a phishing attack from fraudsters posing as NatWest. 

We expect more impersonation scams to follow, both as the deadline for the scheme approaches and in the first few months of the scheme. 

Read on to see what an example of this scam looks like and how you can spot a scam like this.


NatWest phishing email

Which? has seen a clever phishing email that claimed to be from NatWest, telling the intended recipient about 'new UK Consumer Protection rules against fraud', sent on the evening of Tuesday 10 September. 

It invites customers to 'verify' their mobile numbers, ensuring they would 'get notified of any transactions carried out via your account right away' and enabling them to 'report any suspicious payment alerts.' 

A closer look reveals that the email was sent by 'dilbect@kolumbus.fi', which has nothing to do with NatWest, though this is easily missed in many inboxes unless you click to check the sender address.

Anyone who clicked on the web link provided would have been taken to a convincing copycat NatWest website, shown below. 

This copycat website has all the correct branding and asks first for a customer number or card number, then the PIN and password, home address, mobile number and account details, giving the criminals everything they need to commit identity fraud and potentially hack into accounts.

Fake NatWest website

Reporting copycat websites

One major stumbling block in the fight against fraud is that it can take far too long to get malicious websites and phone numbers removed. 

In this case, Which? reported the scam website to the domain registrar (a company that enables individuals or businesses to register and buy a website), the NatWest press office and Google Safe Browsing as soon as we spotted it, on Wednesday 11 September. 

But it was still live, and potentially stealing bank login details and personal data from customers, six days later, on Tuesday 17 September. 

Why fraud data sharing is vital

Fraud has devastating consequences both financially and emotionally. 

Fighting this terrible crime can never be truly effective without a cross-sector approach. Which? is calling for sectors such as the banking industry, social media companies and telecoms providers to work together to share fraud intelligence. 

Plugging the gaps in protection means domain registrars need to step up, too. We’ve recently highlighted the extent of copycat bank websites in the UK, for example, yet the companies selling these websites to fraudsters are often left out of the wider debate.


How to spot a phishing email

  • Inspect the sender's email address – right-click (or tap the sender's name) to see the full address and check whether it matches that of a genuine email from the brand it claims to be from. 
  • Read the email carefully – look out for impersonal greetings, spelling errors and odd wording.
  • Preview the links before you visit them – don't click on any link, but hover over it with your cursor or long-press it on a smartphone to inspect the destination first. If it doesn't match the address of the genuine brand's website, it's possibly a scam.
  • Don't trust a link just because it looks genuine – copycat websites can be very convincing. 
  • Question any demands for personal information or payment – if you're concerned that it could be a genuine email, contact the company directly using the official customer service channels listed on its website.
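The first and third checks in the list above (does the sender's domain belong to the brand, and do the links point at the brand's real website?) can be automated for anyone triaging reported emails. The script below is an added example and not Which?'s own tooling: it parses a raw email, reduces the sender address and every link target to a registrable domain, and flags anything outside an allow-list of brand domains. The allow-list, the constructed sample message and the link domain (a reserved `.example` placeholder) are assumptions; the sender address is the one the article quotes.

```python
"""Heuristic phishing triage modelled on the 'inspect the sender address'
and 'preview the links' advice. Added example, not Which?'s code.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine message from the impersonated brand would use (assumption).
BRAND_DOMAINS = {"natwest.com"}

# Constructed sample resembling the email described in the article.
# The sender address is the one quoted; the link host is a placeholder.
SAMPLE_EMAIL = """\
From: NatWest <dilbect@kolumbus.fi>
To: customer@example.net
Subject: New UK Consumer Protection rules against fraud
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="https://natwest-verify.example/login">verify your mobile number</a>
so you get notified of any transactions right away.</p>
<p><a href="https://www.natwest.com/security">Security centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its brand-level domain.

    Simplified rule (assumption): keep the last two labels, or three when the
    second-level label is a common public suffix such as 'co' in 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Registrable domain of the address in the From header ('' if none)."""
    addr = parseaddr(msg["From"] or "")[1]
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def analyse(raw, brand_domains=BRAND_DOMAINS):
    """Return a list of red-flag findings; an empty list means none were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sdom = sender_domain(msg)
    if sdom not in brand_domains:
        findings.append(f"sender domain {sdom!r} is not a known brand domain")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) not in brand_domains:
                findings.append(f"link {text!r} points off-brand to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample, the script flags both the `kolumbus.fi` sender and the 'verify your mobile number' link, while leaving the genuine `www.natwest.com` link alone. The domain reduction is deliberately crude; a production tool would use the Public Suffix List rather than a hard-coded handful of second-level labels.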

You can report email scams by forwarding the email to report@phishing.gov.uk.