Here’s how it can play out: you receive a text message that appears to be from your bank, asking you to get in touch urgently as ‘suspicious activity’ has been detected on your account. The call handler says they’re from your bank’s fraud team and asks you to transfer money into a ‘safe account.’ By the time you realise you’ve been duped, the cash is likely to be long gone from the account you sent it to, making it impossible for your bank to reclaim it.
Gallingly, because you ‘authorised’ the payment, current rules mean that you have no legal right to a refund. The good news (at least for future victims), is that things are finally about to change.
Bank transfer fraud – also known as authorised push payment (APP) fraud – is big business for scammers. In the 18 months to June 2018, it was responsible for losses totalling £381 million, with less than a quarter returned to victims.
Sadly, such cases are all too familiar to the Which? Money Helpline. Since the beginning of this year alone, we’ve heard from 16 people who were tricked into transferring a total of almost £262,000 to criminals. Just £9,000 of that has been recovered. Victims are targeted in all sorts of ways – there’s no textbook bank transfer scam.
Impersonation is a common tactic, but criminals don’t limit their repertoire to bank staff – they also pose as police, government bodies or utility companies in an attempt to persuade you to transfer money out of your account. Invoice fraud is another lucrative variation on the theme. This is where scammers hack email accounts to send payment requests that appear to be from a genuine contact.
Last year, we heard from a restaurant owner who lost a staggering £593,000 to such a trick. After starting the process of buying a home, he received an email that looked to be from his solicitor, which provided bank account details and instructed him to transfer funds to secure the property. Three weeks later he learned that the money had never reached the intended recipient. His bank was only able to recover £135,000.
At Which? we’ve long been campaigning for victims of APP fraud to be better protected, and in September 2016 we made a super-complaint to the Payment Systems Regulator, calling for action. Since then, we’ve been working with banks, regulators and other consumer groups to draw up a voluntary code that aims to give more victims their money back and prevent losses in the first place.
A launch date has at last been confirmed. As of 28 May, banks who have signed up to the code will be required to take a number of steps to reduce the risk of customers being tricked into transferring money to scammers. These include detecting payments that are at high risk of being a scam, providing warnings to customers about the risks of sending money via a bank transfer and identifying customers who might be vulnerable to scams.
Under the new code, you’ll be reimbursed as long as you’ve done nothing wrong – such as ignore warnings about scams or not taken care to establish the person you’re sending money to is legitimate.
Your bank should tell you whether or not it has decided to reimburse you within 15 working days of you reporting the scam – and you should get your money back without delay. In ‘exceptional circumstances’ the bank can take more time to reach a decision, up to a maximum of 35 working days.
But what if no one’s at fault? This ‘no blame’ scenario – where neither you nor the banks involved in the transfer has done anything wrong – has caused a big headache for those drafting the code. Unsurprisingly, banks are reluctant to shoulder the financial burden. A temporary funding solution has now been agreed, but this only lasts until the end of 2019, so it remains to be seen whether a longer-term arrangement can be reached.
The fact that the code will soon become a reality is a major breakthrough after many months of wrangling across the industry, but it’s not a guaranteed panacea.
Even if you eventually get your money back, the experience of fraud can be very distressing. So it’s concerning that the introduction of a measure designed to minimise the risk of it happening in the first place has been delayed, possibly until next year. This measure, known as ‘confirmation of payee’, means that when making a transfer you’ll have the chance to check that the name on the recipient account matches the name of the person you’re intending to pay.
Then there’s the fact that the code is voluntary. We want to see all banks signing up to it before May to ensure that no customers are left without the valuable protection it provides. Far too many have already lost life-changing amounts of money.
Jenny Ross is Which? Money editor.