NatWest customer Annette Jefferys was tricked into sending £17,500 to fraudsters after they were able to generate a genuine “activation code” for her online banking account.
Exploiting a
frightening weakness in the procedures of one of Britain’s biggest banking
groups, fraudsters were able to first lock the victim’s online account and then
obtain an access code to unlock it – simply by using publicly available
information.
In a cruel twist, Ms
Jefferys was later told by the fraudsters’ bank that they had left some money
behind. The sum turned out to be just 10p.
The case comes to
light as new figures show that fraud now accounts for more than half of all
crime. Telegraph Money today calls on the banks, the police
and the Government to dramatically improve the measures they take to
protect bank customers and to defeat fraud.
Worrying new tactic:
fraudsters generate genuine activation code
Annette Jefferys
lost £17,500 after criminals targeted her in a well-planned fraud perpetrated
over the course of two days.
The exact sequence
of events that led to her losses is complex, soTelegraph Money enlisted
the help of fraud expert James Freedman to piece together with Ms Jefferys what
is likely to have happened.
The criminals, who
posed as NatWest employees, first called Ms Jefferys, a businesswoman from
north London, on a Friday night last month. They said her account was under
attack by fraudsters and that she would need to transfer money to another
account.
This ruse is
commonplace. What was different this time is that they did not ask Ms Jefferys
to make the transfer there and then. She was in any case suspicious, and
challenged the callers to prove that they really were from the bank.
They pointed out
that the number from which they were calling, displayed on her mobile phone,
matched that on the back of her bank card. However, software that allows
criminals to display a number of their choosing is readily available, according
to Mr Freedman.
Ms Jefferys then did
as experts advise in this situation and tried to call the NatWest number on the
back of her card from her landline. But she did not actually speak to anyone.
“It took ages to get through, because there were so many options, by which time
the fraudsters were calling me again on my mobile,” she said. “They phoned me
on my landline and mobile approximately six times.”
During these calls
they added to their plausibility: they asked Ms Jefferys to agree a
“password” that they could use in future to prove their identity and told her
that they would send a new bank card and identification number because her
account had been “compromised”.
In what was perhaps
their most convincing touch of all, the criminals also asked her to log in to
her online banking while they remained on the line. Because the criminals had
previously frozen her service she could not log in, and they were able to
promise that they would send Ms Jefferys an “activation code”, which would
enable her to regain access.
This would come the
following morning by text message, they said. Meanwhile, the criminals had
generated the code themselves by impersonating Ms Jefferys on NatWest’s
website. To do so they had almost certainly gleaned enough information
about her from social media and other online sources, Mr Freedman said.
Banks that allow
activation codes to be generated in this way by someone who lacks full security
details for online banking rely on the fact that the code should be seen only
by the account holder, who will previously have registered their mobile phone
number with the bank.
The code duly
arrived in a text that was sent to Ms Jefferys’s phone the following morning.
When the fraudsters called Ms Jefferys a little later, they had convinced her
that they were not impostors and given her the means to regain access to her
account.
All they had to do
then was repeat that her money was at risk and that she should move it to a
“safe” account, whose details they gave her. This she duly did.
“After that, the
caller said he would add compensation to my account, for all the inconvenience
caused, of £1,000,” Ms Jefferys said. “It was then, after I had done the
transfer, that I realised it was fraud as I could not believe that NatWest
would give £1,000 compensation.”
She immediately ran
to her local NatWest branch. She was asked to call the bank’s fraud team
from the branch but it proved too late to recover the funds from the Barclays
account to which they had been transferred.
She turned to
Barclays, which said in a letter: “We have been able to recover some of
the funds that were in the account and are therefore in a position to
return £0.10.” A spokesman for Barclays told Telegraph Money:
“As soon as we were alerted by NatWest, we acted swiftly in order to recover
any remaining funds on the account.
“Regrettably by the
time we were made aware of the fraud no money remained and the account has
since been closed.”
NatWest said:
“Regrettably our customer was a victim of a scam. Unfortunately there was no
opportunity for the bank to intervene and the customer paid funds away to
another bank.”
What the victim
should have done
Ms Jefferys’s key
mistake was to allow the fraudsters to harry her into giving up her attempts to
contact NatWest independently.
Giles Mason of Financial
Fraud Action, which fights fraud on behalf of the payments industry, said:
"Banks will never ask you to transfer money to another
account."
Mr Freedman added:
“With these frauds, there always comes a point when the victim 'buys’ the
story. From that point, evidence to the contrary is ignored or explained away.
It’s vital to give yourself time to step back and ask yourself: 'Is this
reasonable?’
“In cases such as
this, it is not the bank’s system that has been hacked, it is the victim
him or herself.”
His other tips
include:
- Banks' security systems
are generally very good which is why criminals are targeting customers. If
you want to be more secure, take time to educate yourself. Read your
bank's guidelines on avoiding fraud
- Limit the personal information
you put online. Social media and networking sites offer a data goldmine to
fraudsters. Check your privacy settings on sites such as Facebook and, if
you're not sure, ask someone for help
- Use a password management
system and update passwords frequently
- Really consider whether you
need online banking. The easier a system is to use, the easier it is to
abuse
- Register dedicated email
addresses that don't include your name with your bank and mobile
network operator
- If you receive an unsolicited call
and can't properly verify the identity of the caller, hang up. If you
choose to call back, ring the company's published number using a different
phone line
- If your mobile phone loses
service for a prolonged period, it could be an early indication of "Sim
swap" fraud, which allows criminals to receive activation codes and
other messages from your bank
- When making a large bank
transfer to a new account, take a moment to stop and think. Trust your
instincts and discuss any concerns with someone else. Being rushed is a
typical tactic in many scams. Take your time
- There is enough information on
most smartphones for a fraudster to steal your identity and spend your
money. Lock your phone
- Invest in a micro-cut shredder
and shred all paperwork and receipts before disposing of them, however
unimportant they may seem.
Mr Freedman tweets
more security tips at twitter.com/jamesfreedman.
What should banks
and the authorities do to protect us from fraud?
Telegraph Money
calls on the Government, the banks and the police to step up their efforts to
defeat fraud.
- The new joint fraud task
force, which brings these three bodies together, should investigate ways
in which frauds in progress can be halted. An emergency number along the
lines of the 999 service could be one option
- Where banks receive
out-of-the-ordinary payment instructions from clients, they should phone
or text to check – and check also whether clients have received
unsolicited calls from other “bank staff”
- A far more comprehensive and
visible public information campaign highlighting the dangers and
explaining how customers can protect themselves is needed
Have you been the
victim of banking fraud? Let us know: money@telegraph.co.uk
0 Comments