By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Which? issues warning as scammers target NatWest and RBS customers

Victims of cruel bank transfer scams fighting to get their money back
Chiara CavaglieriSenior researcher & writer

NatWest and Royal Bank of Scotland (RBS) customers are potentially being targeted by scammers, Which? can reveal, after hearing from victims who lost a staggering £350,000 in all. 

Which? Money Helpline has seen a large spike in calls about a type of bank transfer or 'authorised push-payment' (APP) fraud, where criminals pose as a legitimate company to trick you into transferring money from your bank account.

We're concerned that an unusually large number of these are customers of NatWest and Royal Bank of Scotland, banking brands that are part of the RBS Group.

Between May 2018 and the first week of January 2019, our helpline spoke to 42 victims- and of the 19 cases where the fraudster pretended to be their bank (as opposed to a utility company or a government body such as HMRC), 18 banked with NatWest or Royal Bank of Scotland.

While this is only a snapshot and doesn't reflect the industry as a whole, we're concerned it points to an unusual level of fraud activity aimed at these customers.

It follows a BBC report in November 2018 that refers to dozens of other scam victims who are unhappy with NatWest's response after being tricked by fraudsters posing as their bank.

How the scam is playing out

This type of APP fraud is called 'malicious redirection' - being tricked into sending payments to a criminal posing as a legitimate business. Another type is 'malicious payee', where you are tricked into paying for goods and services that don't exist.

At least seven victims assumed they were speaking to genuine Royal Bank of Scotland or NatWest employees thanks to a particular nasty trick called 'number spoofing'. This involves using software to hijack a genuine text chain with your bank or appearing to call from its legitimate phone number.

Alarmingly, many of the scam callers have been able to access their online and mobile accounts to:

  • confirm specific debit card transactions
  • move huge sums of money between accounts
  • change account names.

The bank says this activity is only possible 'once the fraudster has successfully harvested the customer's security credentials' through means such as phishing emails, scam phone calls or spoofed texts.

But once inside a customer's bank account, fraudsters have been able to change the victims' account names to 'frozen', 'closed' and 'suspended'.

This has convinced victims that their accounts have been compromised. Fraudsters then tell customers to authorise transfers to 'safe' accounts, which the fraudsters have set up. In reality, the customers have sent money straight into the hands of criminals.

The largest single loss reported to us is £59,680. Initially, only two victims have been refunded in full: one because NatWest accepted it could have done more to prevent the scam and the other because the recipient bank admitted to errors at their end.

Once transferred, the criminal will usually empty the account as quickly as possible, so it's rare that the victim's bank can reclaim the money.

So far, only £50,559 has been recovered of the £347,234 stolen from the 19 bank-related scams.

'The fraudsters were in my account before I had logged on'

Chris from Buckinghamshire had to fight to get her savings back after being tricked into transferring£19,881, following a number of calls and texts from what appeared to be a NatWest number.

After the caller, 'James', warned her of attempts to set up direct debits in her name and a request to change her mobile number (which was confirmed in a genuine text chain),Chris was told the bank would be suspending her account to protect it.

She logged in via her mobile app to see that every account was marked 'suspended'. At no time was she asked for her Pin or password.

The following day, she checked her app and found she was unable to log in. Anxious, she called NatWest directly and referred to the previous call. She was assured that although the systems were down, her account was safe. We feel that the bank could have done more to stop the scam at this point.

In a final two-hour call, over the weekend, 'James' asked her to log in using a secure browser, explaining that he would transfer money from her most vulnerable accounts.

'The fraudsters were in my account before I had logged on. They were moving money around, in front of my eyes. I believed my money was being made safe as I had never heard of being simultaneously logged on to the same account unless you were the bank.'

Next, she was asked to set up a new 'switch account', by putting her debit card in a NatWest card reader and entering the relevant codes online. This resulted in a bank transfer of£19,881 to what Chris believed was a secure account under her own name.

It was only when her eldest daughter called in a panic after hearing about a friend who had been scammed in a similar scenario that the family realised what had happened.

NatWest was able to recover some of the money from the receiving bank, but initially refused to reimburse the rest.

Royal Bank of Scotland customer Rebecca discovered that a scammer was able to register on her mobile banking app - which RBS said would have required the scammers to have access to her password, pin and security code - and move funds between various accounts.

Two of these accounts were marked 'frozen', and Rebecca says that she was sent codes via text to plug into her card reader. As far as she knew, this was to transfer money from her savings to her current account.

In reality, £7,744 was transferred out of her account and straight into the pocket of the fraudster. Initially, the bank refused to cover this loss, though it did refund £1,998 which was transferred after the scam was first reported.

Both Chris and Rebecca referred their complaints to the Financial Ombudsman Service but RBS Group has since decided to reimburse both customers, following our intervention. It said:

'We are deeply sympathetic towards any customer who has fallen victim to a scam and appreciate this can be a traumatic experience. Having reviewed [Chris'] case, a decision has been made to uphold her claim and refund her for the loss. 'We should have done more to protect her from this scam. Upon reviewing [Rebecca's] case, we will reimburse as a goodwill gesture. We apologise for the distress caused to both.'

What does RBS have to say?

We first spoke to RBS Group in October 2018, when it said it was 'not aware of any coordinated attack'. After we reiterated our concerns, it told us last week:

'Keeping our customers safe and secure is of paramount importance to us. We understand that it can be traumatic for customers who fall victim to fraud and we have invested heavily across all our channels to continuously enhance security features. 'In line with the industry, we have witnessed an increase in the number of enquiries from our customers with respect to APP scams. 'We constantly update our systems and monitoring processes to improve detection of APP scams and have layered security systems which help protect customers, in addition to the personal security credentials our customers use for log in and payment authentication. 'Additionally we continue to advise customers through all our channels and social media platforms on how to stay safe and protect themselves from falling victim to fraud and scams.'

RBS Group said it will never ask customers to move money to another account to keep it safe from scams or fraud and customers should never make a payment, transfer funds, or divulge full security credentials at the request of someone over the phone purporting to be from their bank.

If you receive such a request, terminate the call, never act and report it to the bank.

New hope for bank transfer fraud victims

Which? has learned that some banks - including RBS Group - make a clear distinction between victims of 'scams' (customers who have been tricked into authorising payments) and victims of 'fraud' (who have lost money due to payments made without their authority).

While fraud victims are typically entitled to reimbursement, unless there is evidence that they've been grossly negligent with their security details or cards, there is little protection for scam victims because they are deemed to have approved the transaction.

Following our super-complaint about these scams in 2016, we've been working with the industry to develop a voluntary code - the Contingent Reimbursement Model - that aims to better protect victims and allows some victims of this fraud to be reimbursed.

While the code is voluntary, Which? is pushing for all payment service providers (PSPs), including online-only banks, building societies and money-transfer services, to sign up.

Another industry-wide measure being introduced is the long overdue Confirmation of Payee, which should be rolled out this year.

Once in place, banks will warn you when the payee name provided doesn't match the receiving bank's records, so you can make sure the account belongs to the person or organisation you are expecting to pay.

This won't prevent all types of bank transfer fraud, but will give better protection against accidental mistakes and adds an important hurdle for fraudsters.

How the new protection code works

Banks and other PSPs that sign up pledge to; improve fraud detection, provide effective warnings to customers about to make a transfer and act faster to stop suspicious payments in the first place do more to prevent accounts being opened by fraudsters.

If they don't meet these standards, victims of APP fraud should be able to be reimbursed for their losses, either from the bank you sent the money from, or the bank that received the stolen funds. Both may hold some liability for failure to stop the fraud.

Consumers will also have responsibilities to meet within this code. If these rules aren't adhered to, it could jeopardise victims' chances of getting reimbursed after an APP scam. These include:

  • Don't ignore the banks' fraud warnings or a negative confirmation of payee result.
  • Take steps to ensure you know who you're paying. What this means isa point of contention between banks and consumer groups. For example, we don't think it's reasonable for people to have to check Companies House when they pay a company.
  • If you're defrauded, be honest in your dealings with your bank. For example, if you say you haven't given the scammer security details, and the bank finds out you have, it could jeopardise your claim.
  • Small businesses or charities must follow their own internal anti-fraud processes - for example, new payments confirmed via phone.
  • You must also not have been 'grossly negligent', but banks cannot use this just because you have fallen victim to a scam. The Financial Ombudsman Service has warned banks that, given increasing sophistication of scams, they cannot simply refuse to reimburse someone for being grossly negligent because they unwittingly transferred money to a fraudster.

(this information was first published in the December 2018 edition of Which? Money magazine).

Currently, however, there is a group of victims that will not receive reimbursement from APP fraud - those who have met their responsibilities but find that both sending and receiving banks have met theirs. This is referred to as a 'no-blame' scenario, where no parties involved are at fault for the scam taking place.

Banks and PSPs cannot agree on how to fund the reimbursement of this group of victims. Until a method is found, they will not be reimbursed.

Protection under the Financial Ombudsman Service

If you've been a victim of APP fraud, and you're not happy with how your bank has dealt with your case, you can escalate it to the Financial Ombudsman Service, the body that resolves disputes between consumers and regulated financial companies.

At the moment, you can only complain about the provider you made a transfer from. However, from 31 January you will also be able to complain about the bank that received the stolen funds.

  • Web address - Check the domain name carefully and never enter sensitive data on non-HTTPs pages. This is usually indicated by a clickable padlock.  
  • Price -  Is the price far too low? Are you being asked to pay by bank transfer or wire transfer? Both are a warning sign. 
  • Contact us - Legitimate sites have nothing to hide, so if there’s no phone number or social media presence, be wary and do some more digging. 
  • Copyright - Found at the bottom of the screen, any copyright disclaimer should be up to date and show the legal brand name, never a URL. 
  • Whois - Use whois.com to find out who owns the domain (this may be hidden) and when it was registered. Treat relatively new sites with caution.
  • Block malware - Microsoft Smartscreen and Google Safe Browsing should be on by default to steer you away from sites reported as potentially unsafe.
  • Reputation - For belt and braces, use a free service such as scamfoo.com which pulls together data to flag potentially untrustworthy sites.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home and travel insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, and travel insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


5.Stickee Technology Limited for the introduction of non-investment pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to arrange non-investment pet insurance products (FRN916665). Stickee Technology Ltd is authorised and regulated by the Financial Conduct Authority (FCA)  in England and Wales; 3rd floor, 1 Ashley Road, Altrincham, Cheshire, UK WA14 2DT Registered company number 06711740

 

Other financial services:


Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.