Faster payments fraud - advice sought

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Tuesday 25th February 2020
Hi All

A friend of ours has unfortunately fallen victim to a faster payments fraud.

They have been dealing with a builder with emails back and forth.

Email, as part of an ongoing trail, builder supplies bank details, she pays and then emails, he replies back saying he didn't send any bank details over.

Checked all email headers. All legit messages are from his mobile either via his mobile provider or his ISP. The fraudulent one, someone logged into his webmail account and sent from there so I suspect someone is monitoring his emails and just did the usual.

Within 30 minutes of the payments being sent, my friend had notified her bank of a fraud taking place. They have sat on it a week and now closed the case claiming that she is liable.

Now I understand she should perhaps have taken steps to do more verification (such as called builder to confirm or send a pound and confirm) but she didn't. She acted in good faith (as is always the case). The question is, as the bank were made aware of the fraud should they do more?

I remember seeing a story on here recently where someone had a similar situation and the money was clawed back. Is there any hope for her? It's a significant amount for her.

Interestingly, the bank account used for the fraud is in the same town as where the builder is from.

What if anything can be done/what chances of a recovery is there?

Would the police be interested in this if we went down, considering the bank branch and account is held round the corner from their base?



anonymous-user

71 months

Tuesday 25th February 2020
https://www.theguardian.com/money/2020/feb/23/scam...

What bank?

"(Barclays, HSBC, Lloyds, Metro Bank, Nationwide, RBS, Santander, Starling) that have signed up cover 85% of APP payments."

If not can complain to ombudsman but not really much can be done, maybe report Action Fraud.

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Tuesday 25th February 2020
Lloyds, will look at above thanks

wibble cb

3,971 posts

224 months

Tuesday 25th February 2020
The caveat being there is no definition of what careless means, so even if your bank is signed up to the code, they get to decide if you were careless....

anonymous-user

71 months

Tuesday 25th February 2020
It is the Contingent Reimbursement Model they should be working to.

Seems no guarantee, but they are supposed to delay payment, freeze accounts etc, sounds like they failed to follow code.

Edited by Thesprucegoose on Tuesday 25th February 23:45

Durzel

12,802 posts

185 months

Wednesday 26th February 2020
The root of this is that people are far too trusting of email. There is no education or even general awareness that emails can be spoofed. You can easily construct an email that looks like it’s come from a legitimate source, but hasn’t.

I sent an email to a senior director purporting to be from Richard Branson and he thought I was some kind of magician. People don’t realise that email is completely insecure.

Bank transfer details should always be confirmed verbally, using a number you have established is legitimate (i.e. not the one in the footer of the dodgy email).

Unfortunately the bank have acted upon a legitimate request from their customers to transfer money. They can’t be expected to know that the destination for the funds wasn’t the intended account, and they can’t realistically hold up every transaction/freeze accounts otherwise that would cause complaints too.

The “send a pound” trick, and following up with a phone call is the correct way to do it, there’s no “perhaps” about it.

Edited by Durzel on Wednesday 26th February 04:50

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Wednesday 26th February 2020
There is a lot of education that can be done for users but there also needs to be a better level of protection.

Having read through the FP website there is a great section on what to do if you've made a payment by mistake.

Then if you find you are a victim of fraud, you are essentially left high and dry at the mercy of the bank - as you authorised the payment you have asserted it is correct and therefore the bank has no liability.

Was her payment authorised by herself? Yes
Was it to the correct bank? No
Was this a mistake? No

Net result you authorised it, we've done nothing wrong, we cannot help you. So the fraudsters get away with it. There needs to be a far greater level of protection here, in this case, she did trust the email but this was not a spoofed email. This was an illegitimate email as part of a legitimate email chain.

I've looked at the emails and what has happened is obvious, someone's got access to this chap's email account and has intercepted and changed the message - no spoofing of accounts or domains. Regardless of whether she should have done more such as phoning to confirm or dropping a pound into the account is for another topic. If the bank is notified of a fraud as soon as possible (here within 30 minutes), there are mechanisms under FP on how to halt mistaken payments so the same could be and should be applied for fraud.

Very disappointing, Action Fraud have basically given a reference number and that is it. The bank have washed their hands saying tough.
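
The header comparison described in the opening post, and the point in the post above that the fraudulent message was sent from the real account rather than spoofed, as an added example that is not part of anyone's post in this thread. All hosts, addresses, IDs and header values are constructed, `fingerprint` and `flag_unusual` are hypothetical helper names, and it assumes the provider's webmail front end records `with HTTP` and its own client header.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr

def _raw(mid, first_hop, agent_header):
    # Build one constructed message; every host, address and ID here is made up.
    return (
        "Received: from relay.example by mx.recipient.example with ESMTPS; "
        "Tue, 25 Feb 2020 10:00:00 +0000\n"
        f"Received: {first_hop}; Tue, 25 Feb 2020 09:59:58 +0000\n"
        "Authentication-Results: mx.recipient.example; spf=pass; dkim=pass\n"
        f"{agent_header}\nFrom: Builder <builder@builder.example>\n"
        f"Message-ID: <{mid}@builder.example>\nSubject: Re: Quote\n\nbody\n")

MOBILE = "from [10.0.0.5] by smtp.mobile.example with ESMTPSA id a1"
ISP = "from [192.0.2.10] by smtp.isp.example with ESMTPSA id b2"
WEBMAIL = "from [203.0.113.7] by webmail.isp.example with HTTP"
SAMPLES = [_raw("m1", MOBILE, "X-Mailer: PhoneMail"), _raw("m2", ISP, "X-Mailer: PhoneMail"),
           _raw("m3", MOBILE, "X-Mailer: PhoneMail"), _raw("m4", ISP, "X-Mailer: PhoneMail"),
           _raw("m5", WEBMAIL, "User-Agent: ExampleWebmail/1.0")]

def fingerprint(msg):
    """Submission path: (host that accepted the mail, protocol, mail client)."""
    hops = msg.get_all("Received") or []
    first = " ".join(hops[-1].split()) if hops else ""  # earliest hop is listed last
    by = re.search(r"\bby\s+(\S+)", first)
    proto = re.search(r"\bwith\s+(\w+)", first)
    agent = msg.get("X-Mailer") or msg.get("User-Agent") or "unknown"
    return (by.group(1).lower() if by else "?",
            proto.group(1).upper() if proto else "?", agent.split("/")[0])

def flag_unusual(raw_messages, min_history=3):
    """Return (Message-ID, fingerprint, spf_dkim_pass) for one-off submission paths."""
    by_sender = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        auth = msg.get("Authentication-Results", "")
        passed = "spf=pass" in auth and "dkim=pass" in auth
        sender = parseaddr(msg.get("From", ""))[1].lower()
        by_sender[sender].append((msg.get("Message-ID"), fingerprint(msg), passed))
    flagged = []
    for rows in by_sender.values():
        seen = Counter(fp for _, fp, _ in rows)
        if len(rows) >= min_history:  # need some history before calling anything odd
            flagged += [row for row in rows if seen[row[1]] == 1]
    return flagged

if __name__ == "__main__":
    for mid, fp, passed in flag_unusual(SAMPLES):
        print(mid, fp, "SPF/DKIM pass" if passed else "auth fail")
```

The flagged message still passes SPF and DKIM, because it left through the sender's genuine provider; only the submission path differs from the sender's history.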

anonymous-user

71 months

Wednesday 26th February 2020
She can complain to ombudsman as last resort.


Olas

911 posts

74 months

Wednesday 26th February 2020
Echoing the above, you don't do ANYTHING by email.

Careless is putting it too lightly.

kestral

2,032 posts

224 months

Wednesday 26th February 2020
How is it that these bank transfers just disappear into thin air?

How do the bank not know which account and which sort code the money was sent to?

How does someone open an account without proper ID?

The money must have a name associated with it!

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Wednesday 26th February 2020
Olas said:
Echoing the above, you don't do ANYTHING by email.

Careless is putting it too lightly.
Helpful post is helpful.

I deal with this stuff daily, email, information, business security - email is used, it will continue to be used and it should be.

There are things that we, in technology services, need to stop doing - assuming the user is knowledgeable on what they should do and we should build in simple safeguards. A 24h delay on FP or even a 3 hour one would be OK. The world survived prior to FP (btw I was involved in the deployment and security testing of FP within one of the major banks) - I understand FP but I don't understand the fraud claim process.

Let's stop saying what people should be doing and give them a bit of support for when genuine issues arise.

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Wednesday 26th February 2020
kestral said:
How is it that these bank transfers just disappear into thin air?

How do the bank not know which account and which sort code the money was sent to?

How does someone open an account without proper ID?

The money must have a name associated with it!
If you make a mistake, i.e. genuinely type in the wrong a/c number - the banks can protect the funds up to 20 days, provide the recipient a chance to dispute.

This shows what is capable, the bank could use this exact same mechanism if you report a fraud such as this and within a certain time frame. Why they don't offer that service here, where a forced mistake is made, is a question the banks need to answer as right now it seems if you are going after lots of small amounts and are clever, you can get away with free money fraud.

anonymous-user

71 months

Wednesday 26th February 2020
My mum isn't internet savvy and would easily fall into this trap, as let's be honest the sender isn't at fault here. It is a sorry tale and the banks know it is happening, they know the customers most likely to be tricked, they see the data, yet offer a code they don't seem to back up when it suits.

Triumph Trollomite

Original Poster:

5,048 posts

98 months

Wednesday 26th February 2020
Thesprucegoose said:
My mum isn't internet savvy and would easily fall into this trap, as let's be honest the sender isn't at fault here. It is a sorry tale and the banks know it is happening, they know the customers most likely to be tricked, they see the data, yet offer a code they don't seem to back up when it suits.
Indeed!

WinstonWolf

72,863 posts

256 months

Wednesday 26th February 2020
Triumph Trollomite said:
kestral said:
How is it that these bank transfers just disappear into thin air?

How do the bank not know which account and which sort code the money was sent to?

How does someone open an account without proper ID?

The money must have a name associated with it!
If you make a mistake, i.e. genuinely type in the wrong a/c number - the banks can protect the funds up to 20 days, provide the recipient a chance to dispute.

This shows what is capable, the bank could use this exact same mechanism if you report a fraud such as this and within a certain time frame. Why they don't offer that service here, where a forced mistake is made, is a question the banks need to answer as right now it seems if you are going after lots of small amounts and are clever, you can get away with free money fraud.
I usually send a quid to any new payee, verify they've got it (not by email) then send the full amount.

speedking31

3,735 posts

153 months

Wednesday 26th February 2020
Triumph Trollomite said:
A 24h delay on FP or even a 3 hour one would be OK.
How would that help in this instance? The payee does not know that there's money in the system. The payer does not expect to have to check anything after making the payment. 3/24 hours later the money has gone. Then payer checks to discover fraud. I don't see that a delay adds anything helpful, while inconveniencing the millions who use the system successfully.

Durzel

12,802 posts

185 months

Wednesday 26th February 2020
Triumph Trollomite said:
Helpful post is helpful.

I deal with this stuff daily, email, information, business security - email is used, it will continue to be used and it should be.

There are things that we, in technology services, need to stop doing - assuming the user is knowledgeable on what they should do and we should build in simple safeguards. A 24h delay on FP or even a 3 hour one would be OK. The world survived prior to FP (btw I was involved in the deployment and security testing of FP within one of the major banks) - I understand FP but I don't understand the fraud claim process.

Let's stop saying what people should be doing and give them a bit of support for when genuine issues arise.
A 24 hour delay on Faster Payments would be somewhat of a contradiction in terms.

I had to wait about 2 hours for a bank transfer to clear when I bought a used car. Standing around awkwardly in the guy's house while none of us is sure where the money actually is (it departed my account quickly enough) was not something I would like to repeat. Neither of us were given any information about why it was stopped, or how long it would take to resolve. I still don't know to this date which of our accounts tripped a flag in a system.

Being a bit merciless - there are people who manage to pay the right people and take the necessary precautions, why should they have to suffer blanket 24 hour delays on payments or pre-emptive account freezes? They wouldn't suffer it, they would complain, and arguably rightfully so.

I agree with the wider point about the need for payments to have additional security that only the account holders can know. I thought there was some kind of movement to require bank transfers to have a payee that is recognised/registered? I guess that isn't infallible either.

sugerbear

5,601 posts

175 months

Wednesday 26th February 2020
[quote]The fraudulent one, someone logged into *his webmail* account and sent from there so I suspect someone is monitoring his emails and just did the usual.
[/quote]

She isn't liable as her account hasn't been compromised. It's (I assume) the builder's email account that has been compromised and where the request came from.

I'm not surprised the bank hasn't refunded her money. She isn't the one that has been compromised in this situation.




kestral

2,032 posts

224 months

Wednesday 26th February 2020
sugerbear said:
She isn't liable as her account hasn't been compromised. It's (I assume) the builder's email account that has been compromised and where the request came from.

I'm not surprised the bank hasn't refunded her money. She isn't the one that has been compromised in this situation.
But the bank must know where the money went and to what account at which bank so why don't they block it or offer the details of where the money went to to their customer to try and make a recovery?

How is it that this money just disappears?

zzrman

670 posts

206 months

Wednesday 26th February 2020
kestral said:
How is it that this money just disappears?
The money will stay in the account to which it has been sent for a millisecond and then it will be transferred out. So it doesn't disappear but trying to trace it will be extremely difficult to say the least.