A grandmother who had her £40,000 life savings stolen by a callous con-man just days before Christmas has been told by her bank that it won't cover her losses, despite pressure for banks to shoulder more responsibility when customers fall prey to sophisticated scams.
Doreen Kent, who is 80 and lives near Ely in Cambridgeshire, was left "devastated" after her daughter Angie Coe – a Santander joint account holder with her mum – was targeted in an elaborate bank transfer scam.
The text-based 'smishing' trick was so convincing that Angie agreed to reveal sensitive one-time passcode information that allowed sizeable withdrawals to be made not only from the joint account she shares with her mum, but also a linked joint account she has with her husband Mark. Some £45,200 was stolen in total.
The scam comes just three months after consumer group Which? filed a 'super-complaint' with the Payment Systems Regulator calling for banks to do more to help customers who have lost money having been tricked by fraudsters into making a bank transfer. For help staying safe online, see 30+ Ways to Stop Scams.
How £45,000 was stolen when 'smishing' scammer struck
'Smishing' is when fraudsters send victims a text (or SMS, which is why the term's 'SMiShing'). The text typically says it's from your bank, and you need to update your personal details or call your bank urgently. The text normally contains either a telephone number or link to a website that asks you to enter personal details or download a file to update your records.
In this case, the scammer texted Angie on 21 December, claiming to be from Santander and asking if she'd recently made a large payment to a company. The text included a phone number for her to call if she didn't recognise the payment.
When Angie called the number, it was answered by a man claiming to be Santander's head of security, who told her a questionable payment of £6,000 had been spotted that seemed to be linked to Nigeria.
Angie asked the individual to prove he worked for Santander. She says it was only when he was able to recite personal info, such as log-in details, the last transaction made on the account and regular direct debits, that she believed she was talking to a representative of her bank – though Santander disputes this, and claims Angie was "socially engineered" into disclosing sensitive banking details.
Either way, having won Angie's trust, the heartless thief was able to access her online banking and convince her to reveal one-time passcodes that are texted from the bank when you transfer money from an account to a new beneficiary.
The scammer was then able to make a number of transfers totalling about £45,200. He also told Angie to ignore any further texts or calls from Santander – which is exactly what Angie did when Santander's real fraud team tried to warn her about suspicious activity spotted on her accounts.
Angie only realised she'd been duped when the so-called Santander security chief didn't call back and she tried calling him on the personal number she'd been given but found it failed to connect.
Santander refuses to refund losses
When Angie and Doreen finally contacted Santander to explain what had happened, they were told the bank would not be able to cover their loss, as the payments had been authorised by one-time passcodes.
A spokesperson told MoneySavingExpert.com: "We are very sympathetic to the distress caused by being the victim of a scam. Santander identified the payments as suspect and sent a text message to the customer's registered mobile, upon which the customer confirmed the payment as genuine, which allowed the fraudster to make further payments. We therefore cannot accept any responsibility for the losses on this account.
"Subsequent transactions were made by the fraudsters and we made further attempts to contact Mrs Coe regarding the activity on the account that day but unfortunately, Mrs Coe was waiting to speak to 'the security team' [the scammer] and didn't want to speak with our fraud team.
"As soon as we did and we were notified of the scam, we contacted the receiving banks to secure any unspent funds. We're waiting for confirmation from these banks of any money recovered.
"This is an increasingly common scam within the banking industry. We have tips and advice on our website and in branch on how customers can protect themselves against scams."
Doreen, pictured below left, told us: "I am so worried – these are my savings. I'm devastated. It has been so stressful. More should be done to warn customers about these scams; from what we have seen lots of people have been affected by [smishing scams] but we didn't know anything about it."
Angie, pictured below right, added: "Our Christmas has been ruined because of this, especially when Santander said they wouldn't be able to refund the money. We've had a look on Google and there are many other cases from the start of December where this [type of fraud] has happened – so why has Santander not been warning people?"
What are your rights if you're targeted in a bank transfer scam?
Unfortunately for victims of this type of scam, banking regulations provide scant protection for customers who have been targeted as part of a bank transfer scam.
Normally if you can show you didn't authorise a payment from your bank account you can claim a refund. But if you've handed over sensitive banking details or security info – even if tricked into doing so – banks AREN'T obliged to reimburse you.
However, one potential route for clawing back lost cash is the Financial Ombudsman Service (FOS), which has powers to step in and order a refund if it identifies instances of negligence by a bank or any other financial organisation.
A FOS spokesperson told us it's overseen cases where victims of bank transfer scams have received refunds following intervention by the Ombudsman. But the spokesperson was at pains to point out that "outcomes are finely balanced based on individual details".
If you've been a victim of a bank transfer scam and aren't satisfied with the way your bank has handled the matter, you should first lodge a complaint with your bank and give it a chance to put things right. If you don't receive an adequate response within eight weeks of submitting your complaint, you should get in touch with the FOS. You can do that online or by calling for free on 0800 023 4567.
What's the upshot of the 'super-complaint' about bank transfer scams?
In September 2016, Which? filed a 'super-complaint' with the Payment Systems Regulator (PSR) about the lack of protection given to victims of bank transfer fraud.
A survey by Which? of about 2,000 UK adults found:
- 60% didn't realise they had no consumer protection from their bank if scammed into making a bank transfer.
- 84% said they've used a bank transfer to make a payment.
- 9% have made a bank transfer payment to a con-artist's account, or know someone who has.
The consumer group subsequently called on banks to take more responsibility for money lost to scams made by bank transfer, just as they reimburse customers who lose money to scams via direct debits, credit and debit cards or fraudulent account activity. The idea was that banks would then have an incentive to develop better mechanisms to nip bank transfer fraud in the bud.
However, in its response to the 'super-complaint' last month, the PSR failed to change the rules so that banks would have to cough up in the event of a customer being defrauded via a bank transfer scam.
The PSR response included a warning to banks that they need to do more to protect their customers. It also found that banks need to improve the way they respond to bank transfer scams and do more to identify fraudulent payments. But Which? was less than impressed with the response and claimed the PSR had "let banks off the hook".
Bank transfer 'smishing' scams – what to watch out for
Smishing scams are one of the main emerging types of bank transfer fraud in recent times. Here are the three main warning signs to look out for:
- A link in a text message pretending to be from a bank that leads you to a site where you're asked to enter personal or security details, or to download a file.
- A text message that claims that if you don't respond within a set timescale, your account will be closed.
- A text from someone pretending to be from your bank and asking for your security information.
You might think that you'd never fall for one of these scams, but fraudsters are cunning and constantly coming up with new ways to make off with your hard-earned cash. Follow these tips to make sure you protect yourself against scammers:
- Never give out personal or security details such as your one-time passcode, security numbers or card PIN. Remember, banks will never ask you to do this.
- Don't click on links in suspicious text messages. Banks will never text asking you to click on a link to update your details.
- Never allow anyone remote access to your computer. If someone can see your screens, they could access your bank accounts.
- Banks never ask you to transfer money – so never transfer money out of your account to anyone pretending to be from a bank.
- Never give out personal information in response to an incoming text, or rely on caller ID as the sole means of identification – the number can be spoofed to look like a recognised number.
- There may be times when banks will genuinely contact you by text. If you aren't sure whether a message or phone call that you think might be from your bank is genuine, contact it directly before you take action.
- If you think you've responded to a smishing text message or given your details to the wrong people, contact your bank directly as soon as possible.
For more help, see our 30+ Ways to Stop Scams guide.