Banner background texture

Victim of Authorised Push Payment Fraud? It pays to persevere!

White curve graphic
Monday 15th July, 2019 | Author: Dick Smith [Member (F1520)] | Filed under: Case studies

Recent UK figures suggest that £145m was lost to APP fraud during the first six months of 2018 and the phenomenon continues to grow at an alarming rate. ‘Authorised Push Payment’ fraud occurs where the victim is tricked into transferring money from their own accounts into those accounts controlled by the scammers.

Such has been the concern of the FCA, that this year they introduced a voluntary code which should demonstrate a desire by these institutions to help tackle the problem. ‘Payment providers’, (banks, building societies etc), ought now to be giving consumers stronger redress with the recipient bank used by the scammers. Naturally, the code additionally demands that consumers remain vigilant and take sensible precautions so that businesses are not left to absorb the full burden of tackling the crime.

Good news for victims, one might consider. In practical terms, however, the poor old account holder may still have to do battle with a mighty and sometimes unsympathetic institution.

Take the case of Mrs R who received an email from the TV Licensing Authority, [or so she thought], which triggered a series of events costing her £17,000. She approached IPFGB when she came up against an intransigent attitude from her High Street bank.

iPhones are wonderful things and they will helpfully identify for you the sender of a text; perhaps a business; even a bank, from which you have previously received communications. Except they don’t capture the niceties ~ like the all-important additional hyphen or full stop ~ and blindly convince the user of the authenticity of the sender. And, of course, since GDPR now prevents potential victims from checking ‘WHOIS’ for the validity of a URL, [the privacy rights of fraudsters have to be protected as well, you know], so it was that Mrs R was sure the text was from TV Licensing.

That text, perhaps deliberately timed the day prior to a long bank holiday weekend, claimed there was an issue with her bank details and requested that she re-submit them on a form generated to resemble the genuine TV Licence document. [Although this particular scam was well-reported on the web, sadly Mrs R had not seen the reports.]

She responded, using her iPhone and providing bank sort code and account. No password material was disclosed.

Within four days, Mrs R became aware that her entire savings had been transferred from her savings account into her current account. She had not executed this action. Almost immediately, she received a phone call on her iPhone; the genuine telephone banking number flagging up; clearly spoofed. ‘Stephen’ claimed that he was from [the High Street bank] fraud office. He told her that in order to safeguard her funds, he had moved her money from her savings account into her current account. He told her that the TV license matter she had responded to was a scam and because she had responded, her account was at risk. Crucial to this case, he was able to endorse his credentials by correctly reciting two of her very recent bank transactions. This, she believed, was conclusive evidence that this was a genuine call from her bank. She agreed to make the transfer as soon as she got home.

There, Mrs R was called again by ‘Stephen’, who stated that an appointment had been set up for her at a local branch of the bank for 10.30 the next day. He gave her the name of a person who would issue her with a new debit card and re-set her online account. Having succeeded in convincing Mrs R that she was in real danger of losing all of her money, the fraudster provided her with a ‘safe’ bank sort code and account number to receive her transferred funds. She accessed her account from her laptop and, using her card-reader, transferred her funds. It was also very evident that the fraudster was highly familiar with the internal layout of the particular online system as he was able to talk her through all of the processes. Mission accomplished!

Mrs R went to the bank the next day. There was no appointment and only then did she realise she was the victim of an elaborate fraud. She was told that the recipient bank was not a mainstream one, but one which operated a ‘prepay’ facility; ideal for this type of fraud. She asked the bank to investigate. A week later, the bank told her that as she had transferred the funds, she was culpable and they accepted no responsibility.

She tried to report the crime to her local Police Station. Unsurprisingly, they refused to take any details and merely provided her with an internet link to Action Fraud. She duly registered the crime. [Subsequent attempts to obtain an update from Action Fraud went unanswered; in fact, she never even received an acknowledgment.]

Frustrated, Mrs R called 101. She was offered no help and told that the police would decline the investigation of a theft of only £17,000.

Ten days after the crime, Mrs R was told by her bank that they would refuse any refund as the beneficiary bank no longer had the funds. Redress with that bank, as outlined by the new FCA code, was not even mentioned.

As weeks passed, Mrs R continued to demand that the bank explain how the fraudster had gained access to those recent transactions. She tried letter, recorded delivery letter and personal visit. No explanation followed. They were visibly stonewalling, so Mrs R contacted IPFGB. Forensic IT analysis of her iPhone and laptop enabled the log-file trail to be recovered and the sequence of events confirmed; the time-stamping of the movement of monies from the savings to the current account proved that it was the scammers who had gained access. That report proved invaluable; it demonstrated that the bank’s security had been breached and Mrs R’s account had been hacked. It had been reasonable that she had trusted ‘Stephen’.

She advised the bank that she was in possession of the forensic analysis report and a further written submission indicated civil proceedings against them would ensue. Only at this stage, during a personal visit, did the bank verbally accepted liability.

Funds were formally repatriated shortly afterwards; coupled with a letter in which the bank accepted no culpability and contained a lengthy guidance list on how not to fall foul of fraud!

So, what can we learn from this?

• Keep abreast of current fraud trends;
• Don’t be panicked into making rushed decisions;
• Check integrity of calls, texts and emails . . . then re-check;
• Don’t expect help from law enforcement;
• Get professional support;
• Don’t accept ‘no’ from the bank.

Dick Smith QPM
IP Forensics GB