When Rod Owens received a text message from his bank he had no reason to think it was a fake.
It appeared in the same chain as previous messages from Santander and there were no obvious giveaways such as spelling mistakes or poor grammar.
The text asked if he had made a payment for £1,900 to iTunes and requested he call the number given if not.
Rod had no idea he was about to fall for one of the most devious tactics used by fraudsters and be conned into handing over more than £9,000 of his savings.
Scam: Rod Owens was tricked by a text sent to his phone that pretended to be from his bank
Known as number spoofing, crooks are able to call and send text messages that appear to come from your bank.
The fake texts pop up in the same thread as genuine messages. And when fraudsters call, the number that flashes up on your caller ID is identical to the one on the back of your debit card or on the bank’s website.
It is almost impossible to tell the difference between real calls and texts, and fraudulent ones.
Victims of bank transfer fraud routinely say the only reason they acted on the fraudster’s instructions was because the phone number looked correct.
They say they had no idea fraudsters had access to technology letting them replace their number with that of a bank.
Last week The Daily Mail launched a campaign for fairer treatment for victims of bank scams.
This is Money’s campaign for banks to help phone fraud victims was started in 2014 and scored a victory when banks and building societies stepped up their warnings to customers. We have continued to fight victims’ corners and in 2016 also launched our Beat the scammers section.
In the first six months of the year, around £145 million was lost to so-called authorised push payment fraud — where people are conned out of savings by sophisticated scammers typically posing as their bank, telecoms provider, HMRC or the police.
Today, Money Mail calls on the banks and the telecoms giants to do more to protect customers from fake calls and texts.
TEXTS YOU CAN’T SPOT ARE FAKE
Last week the head of fraud at Britain’s biggest bank admitted that even he cannot always spot fake text messages.
Paul Davies, retail fraud director at Lloyds Banking Group, told Money Mail criminals are so good at mimicking the format of banking messages that it can be impossible to tell real from fake.
For the text messages to be convincing, fraudsters need to know who you bank with. They might know a rogue employee there or get their hands on stolen personal details leaked after cyberhacks.
Criminals often trade this type of information on the so-called ‘dark web’. They might get hold of a bank statement if you fail to update your address or your post falls into the wrong hands.
Other conmen make phone calls posing as other legitimate firms you deal with and trick you into revealing who you bank with.
Rod Owens lost thousands of pounds to scammers who pretended to be his bank, Santander
Once they know your bank it is just a matter of using software freely available on the internet to mask their phone number behind another of their choosing.
They can then make calls where the number that displays on your screen is that of your bank. They can also use online technology to change the way text messages are labelled so they appear to come from a particular organisation, such as your bank.
Your phone will then display the name of that company at the top of the texts and group it with others you’ve had from that firm.
Rod, 49, was at the supermarket when he’d received the message warning he may be a victim of fraud. He dashed home to call his bank back as requested.
A well-spoken lady answered and went through security questions. She told him she would send a series of codes which he should read out. It wasn’t until two days later that he discovered he had been duped.
Fraudsters had taken control of his account and the numbers he’d read out were one-time passcodes to authorise payments from his account.
Handing them over meant the crooks had been able to empty his account of £9,204. They had taken the £7,704 he’d saved to pay his tax bill and left him £1,500 overdrawn.
Santander had attempted to contact Rod but the fraudsters had managed to block his mobile phone from receiving calls.
Santander agreed to write off the overdraft but refused to pay back the £7,704 because he had unwittingly authorised the payments by handing over the codes.
Rod, an electrician from Coventry, says: ‘I’ve always been able to spot scam emails. If the text hadn’t looked so official I wouldn’t have thought twice about calling the number given. It should be much more secure between banks and phone companies.
‘When I found out, I was panic-stricken and had to borrow money from my mum to pay the taxman.’
A spokesman for Santander says: ‘We are sympathetic to Mr Owens. Unfortunately, despite clear warnings not to, he gave away confidential security details including one-time passcodes which enabled the fraudsters to access his account.’
The Financial Ombudsman Service ruled in the bank’s favour.
Santander tried to contact Rod when they found out he had been a victim of fraud but the scammers blocked their calls coming through. They agreed to pay back some of his money
NEVER CALL PHONE NUMBERS IN TEXTS
One of the reasons people are being caught out is that there is no consistency over what information banks include in text messages. Fraud experts say people should never ring back a number in a text claiming to be from their bank in case it has been sent by a fraudster.
They should instead use the number on the back of their card or the bank’s website.
Yet despite this, some banks continue to include telephone numbers in text messages.
Lloyds Banking Group — which includes Halifax and Bank of Scotland — and Barclays, for example, both include their phone numbers in texts to ‘make it easier’ for customers to contact them. Royal Bank of Scotland — which includes NatWest — and Santander include phone numbers in some of their texts, but TSB does not.
Jim King and his wife, Anna, almost lost thousands of pounds after being tricked by scammers
Scott McGready, fraud expert and part of the national Cyber Security Tactical Advice team which aids law enforcement, says: ‘Spoof calls and texts are a major enabler of fraud. Banks need to be more streamlined. They should just all agree never to put telephone numbers in texts so there is no confusion.’
Anna King, 62, and her husband Jim, 66, from Warlingham, Surrey, lost nearly £13,000 last November after calling back numbers in text messages claiming to be from their bank.
The couple had each received messages they thought were genuine because they appeared in the same chain as previous NatWest texts.
But when they called the numbers given they were tricked into handing over vital security details. These enabled criminals to make payments totalling £12,857 from their account.
NatWest blocked a further transfer for £7,800 but would not refund the money already taken because the couple had handed over details which enabled the payments.
Anna, a counsellor, says: ‘The messages were in exactly the same format as the ones from NatWest and there was no way I could tell the difference. I can’t believe the phone companies and banks allow this to happen.’
Jim, who runs a building services firm, says: ‘I’ve worked non-stop since the age of 16 to put money aside and these thieves just take the cash in a matter of hours.’
A NatWest spokesman says: ‘We take our responsibilities for preventing scams very seriously. We would remind customers to remain vigilant against any type of scam and they should never make a payment or divulge full security credentials, including card reader codes, at the request of someone over the phone purporting to be from their bank.’
Con: Jim didn’t question if the text was genuine as it was in the same format as previous texts
WHEN YOU CAN’T TRUST CALLER ID
Richard Emery, of fraud consultancy 4Keys International, says: ‘Banks should not send phone numbers in texts but should instead instruct customers to contact them using the number on the back of their card.
‘Regulators and phone companies also need to take urgent action to stop fraudsters spoofing phone numbers when they call as well.’
Jean Perry, 88, had no idea crooks were able change their number to make it look as though they were calling from a legitimate firm — a mistake that cost her £20,000.
She took a call last December from a man purporting to be from a Barclays fraud team who said crooks had tried to steal £2,000 from her account.
‘Michael’ was so well-spoken, Jean says. Her son Julian, 59, also spoke to the man and believed he was genuine.
Jean, whose late husband worked for Barclays for 40 years, asked the man to prove he was who he said he was.
Con artists can disguise themselves as bank staff to persuade people to hand over money
He told her to hang up and said he would call her back using the number on the back of her card. When he did, the Barclays customer services number flashed up on her phone.
‘Hindsight’s a wonderful thing. I should have put down the phone and called back Barclays myself,’ she says.
‘He seemed to know everything about my accounts, mobile phone number and so on. I got the impression he was looking at my online banking,’ she adds.
In the end, the bogus Barclays employee succeeded in tricking Jean into transferring £20,000 into a Nationwide account.
He talked her through the transfer and told her she would receive a text from Barclays asking if she wanted to make the payment, which she confirmed.
The fraudster then asked her to transfer another £25,000. But it didn’t go through.
As soon as Michael hung up, Jean received a call from Barclays’ genuine fraud team who told her that they hadn’t made the previous call.
It was only then that it became clear she had been conned and her savings were gone.
Deryck and Joyce Waterhouse were conned by a caller who was using their bank’s number
And because she had authorised the payment, Barclays said it was not liable for her loss.
Jean says: ‘This has been the most devastating experience and the sum I lost is life-changing.
‘What is most upsetting is the way that Barclays implied I was stupid. Thousands of intelligent people are being caught up in these scams on a regular basis.’
Barclays acknowledged it was evident that Jean was the victim of a sophisticated scam but has refused to refund her.
It claimed it did everything it could to protect her and her money including blocking the second payment.
TELECOMS GIANTS MUST ACT FAST
Deryck, 68, and Joyce Waterhouse, 71, from Gloucester were also conned by a caller using their bank’s number.
Deryck received a call in April this year from someone posing as Barclays bank. He was told someone was trying to hack into his account and he needed to move his money so it was safe.
He checked the number the caller used and it appeared to be the same one he calls every week to do his telephone banking so he agreed to transfer the money.
After visiting the branch he discovered £4,800 had been taken from his account. And because he had authorised the payment, Barclays refused to refund it.
Deryck, a delivery driver, says: ‘I wouldn’t have given any details if I had not recognised the number they were calling on.’
No refund: The Waterhouses’ were not refunded the amount the scammers took by Barclays
A Barclays spokesman says: ‘Customers would never be asked by their bank or the police to transfer funds into another account. Regrettably, it was not until the following day we were made aware of the scam, by which time no money remained in the account to be returned to Mr Waterhouse.’
Gareth Shaw, Which? Money Expert, said: ‘Banks should work with telecoms companies to introduce the necessary systems to stop fraudsters messaging people in this way. They must put a halt to this worsening problem and better protect their customers.’
BID TO CRACK DOWN ON SCAMS
Banks say they are working with telecoms companies and mobile network providers to block fraudulent calls and texts.
Barclays adds its premier customers can verify calls via their mobile app. When the bank calls, customers will receive an alert confirming the details of the employee who is calling.
If they do not get this alert they will know it’s a scam. The aim is to roll out this service to all customers over the next few months.
Mobile phone networks O2, EE and Three say they are working with banks and investing in technology to protect customers.
They say that they have previously worked with banks to eliminate a type of phone fraud where crooks stayed on the line after a potential victim had hung up.
They add that they are involved in the Home Office-led Joint Fraud Taskforce, which brings together government, regulators and law enforcement.
But experts say this work does not go far enough and that there are still many weaknesses in their systems.
Trade body Mobile UK, says the industry is working to identify fake message headers to prevent them from appearing in genuine message chains. If you receive a suspicious message you can send it to 7726 to be investigated.
A spokesman says: ‘Protecting customers from fraudulent mobile scams is, and remains, a top priority for all operators, and they continue to invest in new measures to help monitor and protect them.’
A spokesman for UK Finance says: ‘UK Finance and its members invest millions to protect customers from fraud and take the causes of scams such as spoofing very seriously.
‘Many of the solutions lie outside the financial sector which is why the industry works closely with network operators, government and other industry stakeholders to crack down on scam messages.
THIS IS MONEY’S FIVE OF THE BEST CURRENT ACCOUNTS