Impersonation scams are on the rise, and millennials are most likely to fall for them. Stylist’s Moya Crockett shares her experience of losing everything.
The scammer called at the worst possible time for me and the best possible time for him. I was grieving the end of a four-year relationship, sleeping badly at night and sobbing at my laptop during the day while sending upbeat, competent-sounding messages to colleagues over Slack. My boss was away, so I was effectively doing two jobs at once. I was devastated, exhausted and distracted; any mental sharpness I usually possessed hacked bluntly away.
Then, on a Thursday evening in late July, my phone rang. “Hello, Ms Crockett?” said a male voice (friendly, polite, respectful). “My name is Gary Clayton. I’m calling from NatWest’s fraud prevention team. We’ve detected some suspicious activity on your account.”
‘Gary’ rattled through several direct debits that had been set up on my account over the last 24 hours, and asked if I recognised any of them. I didn’t. He asked me to open my online banking app and check for any other unfamiliar transactions. I did, and spotted a pending payment to Netflix that I hadn’t made. No problem, he said; he’d block those transactions straight away.
Now, Gary continued, it was important to figure out how fraudsters had accessed my account. Many NatWest customers were being caught out by phishing emails and texts purporting to be from HMRC, their mobile phone networks or the bank. Had I received anything like that?
My heart sank. The previous night, just before I turned out the light, I’d had a text from my phone network. It said that my latest bill couldn’t be processed because my details were incorrect, which made sense: I’d just moved house and changed the address on my NatWest account, which was linked to my phone. Tired and tear-stained, I followed the link in the text, entered my new address and bank details, and fell into an uneasy sleep.
“I’m such an idiot,” I told Gary. “That was obviously a phishing text. I’m so embarrassed.” He was kind and reassuring. I had nothing to be embarrassed about, he said; it could happen to anyone. What we needed to do now was stop the fraudsters accessing any more of my money.
Of course, Gary wasn’t really from NatWest’s fraud team. He was a professional scammer, part of the same group of people who’d sent the phishing text to gather my details and made small transactions on my card to prove my account was vulnerable. Over the next 30 minutes, he talked me through the ‘necessary’ steps to protect my money. Because the fraudsters had my account details, he said, NatWest would need to create a new account for me. He’d set it up right then and there, I could transfer my funds safely into it, and it would be active by midnight.
At this point, something occurred to me. “Sorry,” I said, apologetically, “but how do I know you’re actually from NatWest?” I felt stupid asking. I didn’t really think he was a scammer: he knew so many of my personal details, and he’d emphasised that at no point was I to share my PIN number or online banking passwords with him. He was so polite, so professional. But it seemed the sort of thing I should ask.
“I’m really glad you’re taking your security seriously, Ms Crockett,” he said (the sheer nerve still makes me go cold with rage). “If you look at the back of your debit card, you’ll see NatWest’s customer telephone number. That’s the number I’m calling from.” I looked. It was. I had no idea that scammers can now fake their phone numbers, that they have the technology to make it look like they’re calling from anywhere. My tiny flicker of doubt was snuffed out.
Within half an hour, my account was empty. I’d moved all my money into ‘my’ new account, ticking the little box asking if I was sure I wasn’t being scammed (I was sure!). A pop-up warned that the name on the new account – my name – didn’t match the number and sort code, but Gary assured me this was because the account “wouldn’t be recognised by the system until it activates at midnight”. (It was actually because the account wasn’t in my name at all.) He gave me a reference number, told me it had been a pleasure speaking to me, and hung up.
If you’re thinking you’d never have fallen for it, you’re probably already familiar with this kind of scam. Known as impersonation or authorised push payment (APP) fraud, it involves a criminal posing as a representative of a trusted organisation: perhaps your bank, HMRC, or a company you’ve done business with.
The scammer will persuade you to transfer money to a fraudulent account, having fooled you into thinking that it’s a genuine transaction. They might send fake verification texts that appear in the same thread as legitimate messages from your bank, or it might sound like they’re speaking to you from a real call centre (complete with hold music and requests to enter your PIN or customer number). Ultimately, the aim is to bypass banks’ increasingly tough security measures and get you to move your money yourself.
Crucially, these scammers are skilled at social engineering. This is a form of manipulation “using psychological tricks to convince people to unwittingly give over information, access to information or money,” explains Dr Jessica Barker, cybersecurity expert and author of Confident Cyber Security. “Attackers will pose as someone you trust and try to cloud your judgement with time pressure, scare tactics or flattery. Social engineering attacks are getting more sophisticated and when they are successful, we don’t realise we’re being scammed until it’s too late.”
I’m far from the only one to fall victim to an APP scam. Reported incidents rose by 45% in 2019 compared to the previous year, with almost £456 million lost in total. Fraud has become even more prevalent during the coronavirus pandemic: data from Barclays shows that impersonation scams nearly doubled between May and June. Millennials are also more likely than any other age group to be tricked into transferring money to fraudsters. Yet despite the pervasiveness of APP and impersonation scams, I’d never heard of them until I was targeted – and so I didn’t know what to look out for.
Despite knowing I wasn’t the only victim out there, I felt terribly ashamed. And that shame, combined with the shock of losing my life savings, quickly curdled into something very cold and dark. The scammers had stolen every penny I’d saved since graduation: all the evidence of the times I’d said no to holidays, made lunch at home, resisted buying shoes I didn’t need. It was an investment in my future and a safety net for the present. It was a reminder that despite my chaotic, always-running-late, can’t-add-up-without-a-calculator tendencies, I am fundamentally gritty and responsible. The scam had wiped all of that away. For days I could hardly eat. My sleep became even more tattered. My work suffered. Two days after it happened, I vomited by the side of the road.
In the end, my bank couldn’t get my money back from the scammers, and ActionFraud – the branch of police that handles fraud and cybercrime in the UK – said they weren’t able to pursue my case. But after two weeks and several lengthy phone conversations, NatWest concluded that I’d “conducted all the checks necessary” before making the payment to the scammer, and refunded me in full. NatWest is signed up to a voluntary code introduced in 2019, which states that banks should reimburse fraud victims who meet certain requirements. When I found out my case had been deemed to meet those requirements, I started shaking so much I had to lie down.
But I was very, very lucky. Not all UK banks are signed up to the code, and even those that are won’t necessarily refund you: banks refused to reimburse scam victims in 59% of cases in the six months after the code was introduced last year, prompting accusations that the current system is essentially a “refund lottery”. In a recent report, consumer watchdog Which? concluded that even banks signed up to the code are “relying too heavily on fraud warnings, placing unreasonable expectations on victims and failing to properly assess vulnerability”.
Katy Worobec is managing director of the economic crime department at UK Finance, which is pushing for the voluntary code to be made law. She says that the current code needs to be complemented by legislation as clearer rules would mean “everybody knows exactly where they stand”.
“Ultimately, we want to make sure fraudsters have fewer opportunities to get away with funds, because they’re the winners at the end of the day,” she says. Scam legislation should also apply to social media platforms, telecoms companies and search engines, she adds. “It’s been painted as the banks’ problem to solve, but a lot of the reasons why social engineering is possible – spoof phone numbers, for example – are out of banks’ control.”
Jason Costain, head of fraud prevention at NatWest, tells me that the bank is “committed to doing everything we can to help our customers especially when they have been the victim of a scam”. He agrees with Worobec’s assessment that other sectors need to step up. Scammers “regularly exploit the services offered by the telecoms providers and social media and operate with minimal risk of police intervention,” he says. “The government and regulators need to expand their multi-sector approach if the UK is to effectively tackle the level of organised criminality that we are seeing.”
But it seems clear to me that many banks could be doing more. They could be sending all of their customers regular emails and mobile app notifications warning against specific scams, for example. They could be adding disclaimers to the backs of debit and credit cards to prevent scammers pulling the ‘check the number’ trick. They could be offering explicit, tailored alerts when transactions are made, rather than just generic scam warnings. I’d even argue that unusually large transactions to unfamiliar accounts should be temporarily blocked, while banks confirm their legitimacy.
Some banks are doing these things already. But there are real inconsistencies – and ordinary people are falling through the cracks.
What I’ve learned about avoiding APP scams – and what to do if you’re caught out
- If you receive a call from your bank, utility company, HMRC or any other organisation asking you to ‘confirm’ any personal details or transfer money, hang up immediately and call the organisation directly after looking up their number online. Genuine organisations won’t mind waiting while you phone them back.
- Ideally, call back on another phone, as scammers can keep the line open even if you hang up. If you can’t use another phone, wait at least 10 minutes before redialling.
- Don’t assume you’re immune to phishing texts or emails just because you’re generally tech-savvy. Be particularly alert to any messages saying there’s a problem with one of your accounts or payment details.
- If you do fall victim to an APP scam, document everything. Write down everything you remember about the scam as soon as possible, and take notes during every conversation you have with your bank. Make audio recordings if you can. If you’re refused a refund and decide to make a complaint to the Financial Ombudsman, this evidence could be crucial in helping your case.
- Talk about it. Being scammed is profoundly traumatic, and shutting yourself off from your loved ones will only make you feel worse. Also, scammers thrive in secrecy and shame – the more we talk about the problem, the more others will know what to watch out for.
For more advice on how to avoid being scammed, visit takefive-stopfraud.org.uk