NatWest and Royal Bank of Scotland (RBS) customers are potentially being targeted by scammers, Which? can reveal, after hearing from victims who lost a staggering £350,000 in all.
Which? Money Helpline has seen a large spike in calls about a type of bank transfer or 'authorised push-payment' (APP) fraud, where criminals pose as a legitimate company to trick you into transferring money from your bank account.
We're concerned that an unusually large number of these are customers of NatWest and Royal Bank of Scotland, banking brands that are part of the RBS Group.
Between May 2018 and the first week of January 2019, our helpline spoke to 42 victims - and of the 19 cases where the fraudster pretended to be their bank (as opposed to a utility company or a government body such as HMRC), 18 banked with NatWest or Royal Bank of Scotland.
While this is only a snapshot and doesn't reflect the industry as a whole, we're concerned it points to an unusual level of fraud activity aimed at these customers.
This type of APP fraud is called 'malicious redirection' - being tricked into sending payments to a criminal posing as a legitimate business. Another type is 'malicious payee', where you are tricked into paying for goods and services that don't exist.
At least seven victims assumed they were speaking to genuine Royal Bank of Scotland or NatWest employees thanks to a particularly nasty trick called''. This involves using software to hijack a genuine text chain with your bank or appearing to call from its legitimate phone number.
Alarmingly, many of the scam callers have been able to access their online and mobile accounts to:
The bank says this activity is only possible 'once the fraudster has successfully harvested the customer's security credentials' through means such as phishing emails, scam phone calls or spoofed texts.
But once inside a customer's bank account, fraudsters have been able to change the victims' account names to 'frozen', 'closed' and 'suspended'.
This has convinced victims that their accounts have been compromised. Fraudsters then tell customers to authorise transfers to 'safe' accounts, which the fraudsters have set up. In reality, the customers have sent money straight into the hands of criminals.
The largest single loss reported to us is £59,680. Initially, only two victims have been refunded in full: one because NatWest accepted it could have done more to prevent the scam and the other because the recipient bank admitted to errors at their end.
Once transferred, the criminal will usually empty the account as quickly as possible, so it's rare that the victim's bank can reclaim the money.
So far, only £50,559 has been recovered of the £347,234 stolen from the 19 bank-related scams.
Chris from Buckinghamshire had to fight to get her savings back after being tricked into transferring £19,881, following a number of calls and texts from what appeared to be a NatWest number.
After the caller, 'James', warned her of attempts to set up direct debits in her name and a request to change her mobile number (which was confirmed in a genuine text chain), Chris was told the bank would be suspending her account to protect it.
She logged in via her mobile app to see that every account was marked 'suspended'. At no time was she asked for her Pin or password.
The following day, she checked her app and found she was unable to log in. Anxious, she called NatWest directly and referred to the previous call. She was assured that although the systems were down, her account was safe. We feel that the bank could have done more to stop the scam at this point.
In a final two-hour call, over the weekend, 'James' asked her to log in using a secure browser, explaining that he would transfer money from her most vulnerable accounts.
Next, she was asked to set up a new 'switch account', by putting her debit card in a NatWest card reader and entering the relevant codes online. This resulted in a bank transfer of £19,881 to what Chris believed was a secure account under her own name.
It was only when her eldest daughter called in a panic after hearing about a friend who had been scammed in a similar scenario that the family realised what had happened.
NatWest was able to recover some of the money from the receiving bank, but initially refused to reimburse the rest.
Royal Bank of Scotland customer Rebecca discovered that a scammer was able to register on her mobile banking app - which RBS said would have required the scammers to have access to her password, pin and security code - and move funds between various accounts.
Two of these accounts were marked 'frozen', and Rebecca says that she was sent codes via text to plug into her card reader. As far as she knew, this was to transfer money from her savings to her current account.
In reality, £7,744 was transferred out of her account and straight into the pocket of the fraudster. Initially, the bank refused to cover this loss, though it did refund £1,998 which was transferred after the scam was first reported.
We first spoke to RBS Group in October 2018, when it said it was 'not aware of any coordinated attack'. After we reiterated our concerns, it told us last week:
RBS Group said it will never ask customers to move money to another account to keep it safe from scams or fraud and customers should never make a payment, transfer funds, or divulge full security credentials at the request of someone over the phone purporting to be from their bank.
If you receive such a request, terminate the call, never act and report it to the bank.
Which? has learned that some banks - including RBS Group - make a clear distinction between victims of 'scams' (customers who have been tricked into authorising payments) and victims of 'fraud' (who have lost money due to payments made without their authority).
While fraud victims are typically entitled to reimbursement, unless there is evidence that they've been grossly negligent with their security details or cards, there is little protection for scam victims because they are deemed to have approved the transaction.
Following our in 2016, we've been working with the industry to develop a voluntary code - the Contingent Reimbursement Model - that aims to better protect victims and allows some victims of this fraud to be reimbursed.
While the code is voluntary, Which? is pushing for all payment service providers (PSPs), including online-only banks, building societies and money-transfer services, to sign up.
Another industry-wide measure being introduced is the long overdue Confirmation of Payee, which should be rolled out this year.
Once in place, banks will warn you when the payee name provided doesn't match the receiving bank's records, so you can make sure the account belongs to the person or organisation you are expecting to pay.
This won't prevent all types of bank transfer fraud, but will give better protection against accidental mistakes and adds an important hurdle for fraudsters.
Banks and other PSPs that sign up pledge to: improve fraud detection, provide effective warnings to customers about to make a transfer, act faster to stop suspicious payments in the first place, and do more to prevent accounts being opened by fraudsters.
If they don't meet these standards, victims of APP fraud should be able to be reimbursed for their losses, either from the bank you sent the money from, or the bank that received the stolen funds. Both may hold some liability for failure to stop the fraud.
Consumers will also have responsibilities to meet within this code. If these rules aren't adhered to, it could jeopardise victims' chances of getting reimbursed after an APP scam. These include:
(this information was first published in the December 2018 edition of Which? Money magazine).
Currently, however, there is a group of victims that will not receive reimbursement from APP fraud - those who have met their responsibilities but find that both sending and receiving banks have met theirs. This is referred to as a 'no-blame' scenario, where no parties involved are at fault for the scam taking place.
Banks and PSPs cannot agree on how to fund the reimbursement of this group of victims. Until a method is found, they will not be reimbursed.
If you've been a victim of APP fraud, and you're not happy with how your bank has dealt with your case, you can escalate it to the Financial Ombudsman Service, the body that resolves disputes between consumers and regulated financial companies.
At the moment, you can only complain about the provider you made a transfer from. However, from 31 January you will also be able to complain about the bank that received the stolen funds.