skip to content

ombudsman news

issue 145

August 2018

ombudsman focus: fraud and scams

According to the latest data from UK Finance, banks and card companies prevented nearly £1.5 billion from being lost to fraud in 2017. However, more than £730 million was still lost – with “authorised push payment” (APP) fraud, where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves, accounting for a further £236 million of stolen payments.

We asked lead ombudsman Pat Hurley, the Payment Systems Regulator’s Hannah Nixon, independent fraud expert Richard Emery and UK Finance’s Katy Worobec for their perspective on scams and fraud – and what more needs to be done to prevent them.

Pat Hurley, lead ombudsman and director of casework

Image:Pat Hurley, lead ombudsman and director of casework at the Financial Ombudsman ServiceThe rapid evolution of technology means people are able to engage with financial services in ways that they couldn’t have imagined just a few years ago. And that’s a direction of travel which is only likely to continue. We live in a world now where new technology emerges and is adopted within months, versus the years it took previously. Consumer behaviour and expectations are of course changing in line with this.

Unfortunately, this can provide a fertile ground for scammers who are always moving with the times too. While people may be wiser to emails from strangers offering unexpected windfalls, today’s scammers are far more sophisticated. This sophistication often manifests itself through a combination of a manipulation of these technological advances and, crucially, social engineering – in other words, manipulating people. The challenge for the financial services sector, its regulators and us at the ombudsman, when we’re deciding what’s fair and reasonable, is to make sure our thinking and our ways of working reflect what’s essentially an ever-changing state of play.

The fact is that scams can be very convincing – for example, using fake websites that look identical to banks’ online systems, or text messages that to all intents and purposes look like they’re from someone’s bank, even joining the message thread of a conversation people had been having with their actual bank. Fraudsters often know the bank’s fraud processes too – playing on the emotions of their targets, who are panicked into thinking their money is at risk right now and perhaps less likely to think clearly as a result.

It’s understandable that, in many cases, neither a bank nor their customer feel they’ve done anything wrong. People who’ve fallen victim to scams will often tell us they felt they had no option but to do what they were told by the scammers. At the same time, banks often tell us they believe their customers have been “grossly negligent” in handing over personal details to scammers – enabling the scam to occur.

But gross negligence isn’t a term to be used lightly. When someone contacts us after losing money to a scam, we’ll look to see if they actually authorised the transaction. In assessing this, we’ll be trying to “recreate the scene”.

If we think it’s more likely than not they didn’t authorise the transaction, that’s when we need to consider whether they were grossly negligent – as part of deciding what’s fair and reasonable. And one of the key things we’ll think about will be the environment that was created by the fraudster for the consumer – essentially the “spell that was cast”.

As financial services change, and scams evolve with it, what’s considered grossly negligent behaviour will inevitably change too.

The increasing sophistication of scams means that the bar for gross negligence is high – it’s more than just a test of whether someone was careless. But, like all complaints, if present-day scams have any silver lining, it may be that they can help the financial services sector with its prevention work. And they can also help regulators and the ombudsman service keep in step with what it’s fair and reasonable to expect from financial businesses and their customers when it comes to protecting their money.

In fact, if we all continue to learn from today’s lessons, then – as consumer understanding and banks’ security measures evolve over time – a complaint we uphold today might conceivably not be upheld in a few years’ time. Of course, in a perfect world there won’t even be fraud to complain about in the first place. But one step at a time.

Hannah Nixon, managing director, Payment Systems Regulator

Image: Hannah Nixon, managing director, Payment Systems RegulatorThese days financial fraud can happen when we least expect it. Criminals have many different tactics to get hold of our money, and one of them is through authorised push payment (APP) scams – when a fraudster tricks you into transferring money from your bank account to theirs.

We’ve heard of people in the process of buying a house who have been tricked by fraudsters posing as their conveyancing solicitor, who conned them into transferring and subsequently losing life-changing sums of money. Or people who have paid contractors upfront to carry out work on their homes, only for the “contractor” to disappear with their money.

In the past, the banks didn’t have appropriate measures in place to track and stop these scams. There was no reporting of the extent of the problem. There was little by way of making sure consumers were protected, or of getting their money back if they fell prey to a scammer.

We knew that this wasn’t good enough and instigated several pieces of work to help stamp out the problem. We told the banks to accurately record the details of this type of fraud so we could understand the impact properly – and discovered that there were 43,875 reported cases of authorised push payment scams last year, with a total value of £236 million. 88% of the victims were consumers, who lost an average of £2,784. The rest were businesses, who lost on average £24,355 per case.

There are also a number of additional initiatives being developed to combat the problem and provide greater protections. These include guidelines to check the identity of people opening bank accounts to make it harder for fraudsters to open accounts that they use for scams; confirmation of payee, which will allow customers to verify that they are paying the person they want; and improved data sharing, which will mean banks can work together to respond to scams faster and more effectively.

We also tasked the industry to work with consumer representative groups to produce a code that the industry must adhere to when people report scams. This will give everybody greater protection against this type of fraud – and victims a much better chance of being reimbursed.

We’re making good progress and have worked closely with the Financial Ombudsman Service on this important piece of work. In a couple of months the Ombudsman will be able to take this code into account as a relevant consideration when determining new consumer complaints about APP scams. From September 2018 the code will be publicly consulted on, to be refined in early 2019. We know that fraud is an ever-changing beast and we expect the code to continue to evolve to ensure preventative measures are up to date.

Unfortunately, people who have already fallen victim won’t benefit from the new protections, but we’re committed to making sure that the right measures and incentives are in place to prevent these scams happening in the future. When they do happen, the victims can be confident that they will be given fairer consideration for reimbursement, and that the Ombudsman will be able to hear new complaints under the new code.

Richard Emery, independent forensic fraud investigator, 4Keys International

Image: Richard Emery, independent forensic fraud investigator, 4Keys InternationalDuring the last 25 years Richard has served as an expert witness in the civil and criminal justice systems. For the last five years he has focused on the investigation and resolution of payment or bank transaction disputes, primarily involving “gross negligence” , APP scams and fraud.

authorised push payment (APP) scams and fraud - past and present

The new code that is being developed by the Payment Systems Regulator and the work that they are doing with the Financial Ombudsman Service are welcome, but this is all about the future. What about the past and the present?

Based on the figures published for 2017 I estimate that in the five years since 2014 over 200,000 individuals, charities and small businesses will have been victims of APP scams and fraud. The majority of these are most likely to have been low- value consumer purchases in response to scam internet offers that turned out to be, quite literally, too good to be true. But this leaves an estimated 50,000 victims who have suffered irrecoverable losses totalling around £1bn, an average of £20,000 each. Life-changing amounts, but not covered by the new code.

In my view, these high value APP frauds fall into three main categories:

  • High-value consumer purchases, where the victim makes a direct payment for an item such as an expensive watch or computer system, but never receives it.
  • Expected payment fraud, where the victim is expecting to make a high value payment for goods or services but inadvertently makes the payment to an account controlled by a fraudster, typically in response to an invoice or payment request attached to an email. I believe that this is the most common type of APP fraud and cases that I have seen include a property transaction (£144k), investments (£105k) and paying a genuine builder for work done (£44k).
  • Account transfer fraud, where the victim is persuaded that their account is at risk and they need to move their money to a new “safe” account.

Fraudsters are becoming ever more sophisticated, making increased use of highly developed technical skills and social engineering to steal money from our bank accounts. They are exploiting our reliance on email, the web and the Faster Payment Services (FPS), and the banks are being lamentably slow to respond to the changing landscape. I look forward to the long overdue proposals for “confirmation of payee” and hope that they will achieve higher levels of payment security without compromising individual privacy.

I value the FPS but fraudsters exploit it. I asked my bank to not release any high-value payments from my account until 24 hours after the payee is created. They declined, saying customers wouldn’t want the delay – but they’ve never actually asked. In any event, they said, FPS rules mean that payments must be made the same day and cannot be delayed. Not so. My bank allows me to “forward date” payments and they comply with FPS rules by making the payment on the forward date. All I’m asking is that they always “forward date” the first high value payment to a new payee by 24 hours.

There is plenty of scope for banks to enhance their security but, in my view, they are unlikely to undertake the necessary investment until they have to take responsibility for more of the losses.

Katy Worobec, managing director of economic crime, UK Finance

Image:Katy Worobec, managing director of economic crime, UK Finance Taking the fight to the fraudsters

Fraud is a menace that threatens every part of society and whose perpetrators often target some of the most vulnerable people. It’s a threat that requires a response from all sectors, and one that the finance industry is committed to tackling.

Last year, banks’ advanced security systems prevented £2 in every £3 of unauthorised fraud. That’s £1.4 billion that was stopped from falling into the hands of criminals. Money that otherwise would have gone on to fund illegal activity such as terrorism, drug trafficking and people smuggling.

However, we know there is more to do. While losses due to unauthorised financial fraud fell five per cent last year, they still totalled almost £732 million. And figures collated for the first time on authorised push payment (APP) scams show an additional £236 million was stolen that way in 2017.

That’s why the industry has combined forces with the government and the police through the Joint Fraud Taskforce to deter and disrupt the criminals responsible.

At the same time, UK Finance is leading the development of a comprehensive set of initiatives to tackle fraud and scams.

We have established new best practice standards for responding to APP scam claims, so that customers get the help they need. Since they were launched at the start of the year, these standards are already in place across over 80 per cent of the market.

We are hosting the government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports, so that it meets the needs of crime agencies, regulators, consumers and businesses. And we are working with the Information Commissioner’s Office to establish guidance on how data about APP scams can be shared between our members, so they can better protect their customers.

We have developed initiatives such as the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert the police and Trading Standards to suspected frauds taking place. The system is now in place across the entire UK and in its first year prevented £25 million in fraud and led to 197 arrests.

The industry also fully sponsors a specialist police unit, the Dedicated Card and Payment Crime Unit, which targets the organised criminal gangs behind these crimes. Last year, the unit prevented almost £30m in fraud and secured 89 convictions.

As the cases often highlighted in Ombudsman News show, criminals are increasingly targeting customers directly using sophisticated techniques, known as social engineering, to trick people into parting with their data or cash.

So it’s vital that we also help customers protect themselves. Through our Take Five to Stop Fraud campaign we are equipping people with the knowledge they need to spot the scams and give them the confidence to challenge any out-of-the-blue requests for their personal and financial details or to transfer money.

Sadly, there is no silver bullet in the fight against fraud. But working together and with partners, the finance industry is growing an ever-strengthening arsenal, and this is a battle that we are steadfast in our resolve to win.

Image: ombudsman news 145

ombudsman news gives general information on the position at the date of publication. It is not a definitive statement of the law, our approach or our procedure.

The illustrative case studies are based broadly on real-life cases, but are not precedents. Individual cases are decided on their own facts.