Brian contacted us after his bank refused to refund him £7,000 stolen from his account in a text message scam.
Brian received a message he thought was from his bank. The message appeared in the same chain of messages on his phone as genuine messages he’d had from his bank before.
The text message warned of a fraudulent payment and asked him to phone his bank immediately on the number in the text. He did this and spoke to someone who, at the time, he thought worked at his bank. They said he would receive a code by text, which he’d need to give to them so they could stop the fraudulent payment leaving his account.
The information he’d been asked to give during the call was just like what he’d been asked for when he’d phoned his bank in the past. He hadn’t realised he was actually talking to fraudsters. When the code arrived, he’d given it straight to them. It seemed the payment had then triggered the bank’s fraud systems – and another code was sent to him by text.
He’d given the fraudsters this code, too – and they’d used it to authorise a payment out of his account. Within minutes, the fraudsters had taken £7,000.
He complained to his bank, but they said that Brian was at fault because he had given the fraudsters security details and passcodes. They said that he had been 'grossly negligent' and wouldn't refund the stolen money.
What we said
We asked the bank for their view on the situation. They told us it was Brian’s obligation to take reasonable steps to keep the personalised security features of his account safe. They also told us they had emailed their customers warnings about this type of scam – and they thought Brian should have read these.
First, we considered whether Brian had authorised the transactions. We decided that he hadn’t – it had been the fraudsters with the information they’d obtained from him. We then considered what Brian had said about the initial text message he received. There were lots of similarities between the security questions asked by his bank and the information he was asked for during the scam. The scammers appeared to be aware of the bank’s fraud and security procedures, including the fact that security codes were sent out by text. So we thought Brian’s account of what had happened was plausible.
This was clearly a sophisticated fraud. The fraudsters made Brian believe that this situation was time-sensitive and Brian was understandably worried. Because of how the fraudsters had gained his trust, we thought Brian's actions had been reasonable.
We didn’t agree with the bank that Brian had been grossly negligent, and the fact they sent a general email about scams didn’t change our view. We told the bank to put things right by reimbursing the £7,000 payment to Brian’s account.