Which? is urgently calling on the regulator to ensure banks do more to protect victims and provide them with fair reimbursement, as the consumer champion’s latest investigation shows many customers are still being treated appallingly when trying to get their money back.
Five years on from Which?’s landmark super-complaint, which highlighted the threat posed to consumers by bank transfer fraud, measures taken – including a voluntary code most banks have signed up to – have repeatedly failed to adequately protect consumers and provide reimbursement for victims.
Losses to bank transfer – also known as authorised push payment (APP) – fraud soared to £479 million in 2020, while reimbursement rates remain shockingly low – banks found victims at least partly responsible for their losses in 77 per cent of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions.
Financial Ombudsman Service (FOS) data also indicates that banks are getting most of these decisions wrong, with 73 per cent of complaints about APP fraud being upheld in favour of consumers in 2020-21.
This is despite the code clearly stating that victims should be reimbursed unless the firm can establish that their customer did not have a ‘reasonable basis’ for believing the person or organisation they are sending money to is genuine.
The Payment Systems Regulator (PSR) has said that the code is not delivering the outcomes it expected.
The PSR is due to make an announcement imminently on how to improve consumer protections against APP fraud – and Which? is calling for strong and urgent action from the regulator to ensure banks do more to protect consumers and treat customers fairly and consistently.
Which?’s new investigation reveals the appalling treatment scam victims are suffering at the hands of their bank.
In one instance, a First Direct customer has been denied full reimbursement for his £180,000 losses to an investment scam because he did not check online reviews. This is despite the trading platform having nearly as many excellent ratings (43%) as bad (47%) on Trustpilot at the time of the scam.
The platform he invested with – Grandefex – is now subject to a Financial Conduct Authority (FCA) scam warning, but this came long after he invested.
To make matters worse, First Direct took more than 35 days to reach a decision (banks should respond to reimbursement claims within 15 working days or 35 in ‘exceptional cases’) and during this time failed to warn the victim that he was at risk of identity fraud because the scammers had copies of his passport and recent bills. Which? advised him to take his case to the Financial Ombudsman Service (FOS).
In another case, a Lloyds customer was initially denied reimbursement for £64,000 after receiving a text from a fraudster claiming to be from her bank asking to verify a transaction by calling the phone number supplied. As it was not unusual for her bank to send similar texts, she did so and was immediately entangled in a scam.
The fraudster quickly established trust with the victim, telling her he would order a new debit card and persuading her to download a remote access app to ‘secure her account’. It came to light that the fraudster had made 14 payments in total and only £4,057 was reclaimed from the receiving banks (TSB and Wise).
Even though she did not move the money herself, Lloyds classes this as APP fraud because she was aware the payments were being made. It initially said it would not refund any money, although after Which? got involved, it refunded the seventh payment onwards, acknowledging that later payments should have triggered more security checks.
Which? believes the victim should be reimbursed in full, not only because the fake text was highly plausible, but also because the bank had all of the information it needed to step in. Which? has advised her to take her case to the FOS.
Instead of continuing to pursue another version of a code, the consumer champion believes the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation. Which? is urging the PSR to outline publicly the powers it wants from the government to enable this to be possible.
Properly enforced, this would help tackle the current reimbursement lottery that leaves many victims facing an uphill struggle to recover their money when they have been targeted by criminals through no fault of their own.
Jenny Ross, Which? Money Editor, said:
“Fraud can have a devastating impact on victims, and it is unacceptable for so many to be abandoned when they turn to their bank to try and get their money back. Protections for this type of fraud have to be strengthened.
“The payments regulator must introduce mandatory and clearer reimbursement requirements for all payment providers, to ensure that customers are treated fairly and consistently when they fall victim to a bank transfer scam. They must work quickly with the government to get the powers they need to deliver this.”
Notes to editors
John, 78, from Cambridge, was told by his bank First Direct that it wouldn’t fully reimburse his £180,000 loss to an investment scam, as he didn’t check online reviews of Grandefex – the trading platform he invested with.
First Direct told Which? he “could have carried out greater checks before making the payment. For example, reviews on Trustpilot and Google gave a clear red-flag warning.”
In November 2020, shortly after John was scammed, Trustpilot reviews for Grandefex gave no obvious cause for concern, with nearly as many excellent ratings (43%) as bad (47%). Grandefex is now subject to a Financial Conduct Authority (FCA) scam warning, but this came long after he invested.
To make matters worse, First Direct took more than 35 days to reach a decision (banks should respond to reimbursement claims within 15 working days or 35 in ‘exceptional cases’) and failed to warn John he was at risk of identity fraud because the scammers had copies of his passport and recent bills. We advised John to take his case to the FOS.
Alma, 60, from Hampshire, lost her life savings of £64,000 following a fake Lloyds text in May 2021. She was instructed to call the phone number supplied to verify a transaction – as it isn’t unusual for her bank to send similar texts, she did so and was immediately entangled in a scam orchestrated by a fraudster claiming to work for Lloyds.
He quickly established trust, telling Alma he would order a new debit card and persuading her to download a remote access app called AnyDesk to ‘secure her account’. Alma had no idea that this meant the scammer could block any warning texts sent by the real Lloyds.
She said: “I had no reason to disbelieve this person. He sounded very professional and convincing with the empathy that you would expect from a caring bank. He advised that he was transferring funds to secure them. He always said to not hang up on the landline as he would keep coming back to me, and not to speak to family members or the bank as they could be the scammers or be involved.”
It came to light that the fraudster had made 14 payments in total and only £4,057 was reclaimed from the receiving banks (TSB and Wise).
Even though Alma didn’t move the money herself, Lloyds classes this as APP fraud because she was aware the payments were being made. It initially said it would not refund any money, although after Which? got involved, it refunded the seventh payment onwards, as this should’ve triggered another security check.
Which? believes Alma should be reimbursed in full, not only because the fake text was highly plausible but also because the bank had all of the information it needed to step in. Which? has advised Alma to take her case to the FOS.
Rights of reply
First Direct said: “We are truly sorry (John) has been a victim of an Authorised Push Payment (APP) scam. We fully appreciate how the situation has impacted (him), sadly there are unscrupulous individuals who carry out criminal activities without any regard for the effect this will have on their victims. We have every sympathy with (his) situation, but are afraid we are unable to credit him with all the funds sent as he authorised the payments to debit his account.”
A Lloyds spokesperson said: “Unfortunately (Alma) did not take sufficient steps to verify the identity of the caller who claimed to be from the bank. She also downloaded software which granted the fraudster access to her device and her online banking account. When we blocked the first payment due to unusual activity, she called us and told us the payments were for her cousin and confirmed the transaction should go ahead.”
Which? advice for scam victims
Call your bank directly, checking its website for the correct number to ring. If the fraud involved any of your personal information, consider signing up for a Protective Registration with Cifas, which costs £25 for two years.
Change your passwords for any accounts that have been compromised due to fraud – and any that use the same password. Set up two-factor authentication wherever possible to provide another layer of protection.
Being scammed can take a huge toll on mental health. Mind (0300 123 3393) and Victim Support (0808 168 9293) have confidential helplines that provide support to consumers who have been affected.
Make sure you are aware of new or emerging threats by signing up to the free Which? Scam Alerts service.
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at firstname.lastname@example.org.