Scam Afternmath

Thanks for posting - just printed off the outcome of the consultation, and will have a look later this evening. What an exciting life I lead.

In my experience a large majority of fraud funds are cashed out via Barclays. They’re also one of the least industry friendly banks to deal with when it comes to fraud. Like getting blood from a stone when you want help and they’re involved.

The criminals will always be one step ahead though. They’ve already developed ways to sell an ID along with a Snapchat style matching face filter, to get past the more tech focussed fraud checks where you take a live video/photo as part of your identity checks.

I see the other side of this a lot, we run a haulage/self store yard and we buy and sell containers and run a crane truck.

We get at least one call a week asking us for a price to pick up 20ft containers that the person has "bought" from ebay/fb market place/gumtree and deliver them to their address.

A tiny bit of questioning usually brings out that the person has been scammed and that there never was any containers and they have lost a couple of grand because they paid via bank transfer and clicked OK for all the security questions.

Its such a shame, in pursuit of a bargain they they get ripped off.

Its replaced the jcb scam that was similar from a couple of years ago.

Thanks Chris - that’s an interesting read. I don’t believe so. Of 13 transactions only 3 caused the account to be locked and poor questions asked.

The peak, unchallenged payment was for £95k.

I’ll certainly put it in there, however it would only apply to the transactions between September 20 and end of November 20 when we discovered this.

The main let down is the low rate of detecting unusual transactions ie tens of thousands of pounds and international as well as the very weak line of questioning when a transaction was flagged.

With the data I have I reckon I could develop a pretty good training course on how not to do it, and a series of questions for different scenarios that would yield results without the customer feeling it was intrusive.

That wont necessarily get any refund, but I’ve now gone as far as contacting my MP as I think it would be good to evidence the victim impact to an appropriate treasury committee or or regulatory body.

To be honest that sounds like a bs excuse. They have the systems to monitor and control these things. Normal people go through dozens of hoops to open multiple accounts with different banks. God help you if you have no history. It has all the hallmarks of banks facilitating fraud and seeing more profit than loss in allowing these practices to continue.

Issues I see.

Data sharing. How do scammers get data?
Despite all the new data protection stuff, which ultimately just limits normal people and business more, is utterly transparent to criminals.

Phone spoofing. I no longer pick up the phone to anyone unless their number is already added. Only the NHS are a giveaway with number withheld.
It’s the Wild West.
How can this not just be properly traced? Whoever does the forwarding of the spoofed number must have the real number and line/imei etc? If they get pinged with scam calls block them.

Banks. I have to jump through hoops to get an account.
If it’s so easy to scam via a bank account then they need to audit all accounts without verified ID, addresses and so on, and block them until details are provided.
No one should be able to send money to a uk or ‘western economy’ account and it be untraceable.


It just seems government can’t be arsed to legislate better.

The rush for fintech and digital banking is crazy too. It’s convenient yeah, until one bit is breached and then all your money is exposed.

Keep finances face to face in banks, pay them for their time, and 95% of this probably goes away.

The number of generational fraud cases we see from the likes of some of the newer banks, and some of the older ones too as well as software/programme manager businesses like Tide, Monese, etc who use firms like Prepay Technologies (PPS) to whitelabel against would surprise you.

We analyse the data deeply, and conduct checks on payments that flag, inbound or outbound. Of the inbound second generation fraud we see, Monzo accounts for high proportion. Then it's Revolut, Starling and Lloyds.

We sometimes see the same newly incorporated company have 4 or more accounts at PPS, due to whitelabelling for firms who are chasing "growth" (in terms of user numbers). At each account they will go through the entire monthly allowance (usually 250k). Surely PPS is seeing that information so how does it get comfortable with a newly formed business clearing 1m+ a month? Ultimately the buck stops with PPS, not the whitelabel firm.

That said, the scammers often take a very powerful hold of the victim. We had a case where we held up a payment for a check. Our system uses machine learning and this one caught the system's eye. We analysed the information and it was a 67 year old woman. What she was purporting to buy did not suit her profile. I should add that we held no concerns over our customer, just concerned this lady was buying something she knew nothing about and that what she was buying was easy to move elsewhere and convert back to cash (and difficult to trace).

So we called her bank (HSBC). After being messed about for two hours, they said they would call her and we were adamant we would stay on the call. They got off the call to us and said for us not to hold the payment and not to return it. We stated what she was buying and that we were worried she was at risk. They said they're satisfied to process it because she is adamant.

My TM team were not satisfied so they further analysed the data we were provided and noticed there was a lawyer's letter in the SoF documentation, the contents of which hinted she may be vulnerable. After confirmation they could contact the firm to satisfy for SoF/SoW check they mentioned to the lawyer what she was buying and the lawyer immediately said to hold tight for ten minutes whilst he calls his client. He called back saying "regrettably process" the payment.

Short while later, the lady in question calls and starts swearing at my team, and filed a complaint with my compliance manager saying we had no right to hold the payment up. That she knew what she was doing and that she knew what she was buying. She then went on to pay another 200k to buy more. Several times payments were stopped and checked again as it flagged again in our TM, with the obvious friction that causes.

Fast forward 9 months, turns out it was a romance scam and she wants her money back and made a complaint against HSBC. Who do you blame in that scenario?

The banks have to act on your behalf and execute a payment order unless there is a real risk it is fraudulent or ML. We also have to release the funds to you if we have no valid reason to hold it (and generally before close of business). Unless we go on a SAR filing frenzy, we're open to a complaint or a compensation claim.

From our side as a counterparty, some of the banks seem really bad with their TM stuff. I mean really bad. And most of the fintech's are too. But unless there's a combination of customer awareness and bank safety nets, this will continue. As things get more digital, it will get even worse. During the lockdown, we have seen a large rise in scams.

All my TM and compliance staff are tasked with liaising with banks daily as we might see things that flag up. Natwest never reply to concern emails. HSBC used to treat us like pests, but they engage very closely now as they see the value in what we are doing. The same is also true of Barclays, who have had a 180 degree change in attitude towards it.

And to answer why the scammers cannot be traced, what happens most often is the account is in the name of a mule. That mule thinks they are getting 10% of a business transaction (or they know they are in on a scam but hey) and then when they are caught they are unable to provide any details of the person they were working with (either they really don't know, or they're too scared to say).

The money often leaves via international payments (bounces around several accounts and then gets withdrawn) or it goes via cryptocurrency. Transferwise used to open accounts with just emailed in passport and proof of address, and gave access to the account right away, before the card arrived at the address. By the time the unwitting mule had worked out why they had a transferwise account arrive in the post, the scam had taken place. They don't remember opening an account at Transferwise, but it might not clock that the council emailing them to ask their for id and address proof wasn't really the council.

One thing that everyone must be mindful of is whilst these scams are awful, the more intervention you expect from the banks, the more everyone's transactions will be questioned and delayed. And then the scammers will find another way. This is inevitable. What needs to happen is scammers brought to justice properly. At the moment they operate with impunity. If you're caught being a mule, you should be punished. Nothing really happens to the mule beyond difficulty getting an account.

Case in point is where we caught a generational fraud (mule account at Monzo) and returned the funds to Monzo to return to the victim. Our system automatically blacklists the account and remitter name. Guess what, two months later she sends money in from a "fintech" account and our system holds it up. Yep, generational fraud again. Obviously the registration with CIFAS isn't deterring them!

Some advice to anyone who has someone vulnerable (it often is older folk, but not exclusive to them):

You can ask the bank to be added the CIFAS watchlist. This can help banks and other FI with an early warning sign.

If an "investment firm" calls you, do not engage. If you are looking for an investment, do your own searches and perform due diligence. Remember there is no such thing as a free lunch.

There is a lot of social engineering involved. Never just hand over your identity or proof of address documents to anyone who asks for it. Verify that they have a legitimate reason to ask for it, and if they found you, rather than you finding them, then be very weary. Never perform any selfie type check or text as that can be photoshopped too. Those documents can be used to open accounts or take loans in your name. You could end up being the mule. If for example an ebay trader says they need your KYC docs, do not hand it to them.

Pay close attention to the confirmation of payee check the bank performs. If you think you're paying British Telecom and your bank says the name of the account you provided is ABC Ltd then don't proceed.

Before you make any payment, if it is to a new beneficiary and for an investment or to pay for anything, do not be rushed into making it. Being pushed is a tell tale sign of a scammer. Stop and take a breath.

Be weary of trustpilot reviews and cloned websites. Look carefully at the email address domain name. is it @ajbell.co.uk or is it @ajbell.cc? Search for the company independently and contact them directly.

If you're being asked to pay a deposit, use a credit card (not even a debit card, although that's better than bank transfer).

Install and keep up to date good internet security software on your computer. Antivirus is not good enough. Don't give anyone remote access to your computer.

Finally, tell your bank exactly what the payment is for if you harbour any concern. Push the liability to them and ask them if they are able to give you any help or reassurance the transaction is genuine.

If you have any doubt whatsoever do not make the payment. This is where your subconscious is making an assessment and it isn't happy! Heed its advice.

To the OP if you need any advice on FOS process drop me a message and I'll be happy to help with any questions you may have.

I think FWIW, from the transaction activity you describe, your elderly relatives have a very good chance the FOS will side with you. We have had to give evidence a few times to FOS for claims against banks and we have seen a good number of cases sided with the consumer.

My thanks also Ninj-eli - that is very insighful indeed, and thanks for taking the time to give such detail.

I'll need to read that a few times to absorb it and reply properly.

Not sure where I heard this on the radio - scammers can instantly construct a bogus (but professionally looking) website from the information that they have gleaned from you when talking on the phone in order to persuade you to invest.