Fraudsters ‘running riot’ on social media, says Which?

Social media websites are fuelling the fire of the UK’s fraud crisis by failing to clamp down on scammers selling people’s personal details through their platforms, a new Which? Money investigation reveals.

The consumer champion discovered 50 scam profiles, pages and groups across Facebook, Twitter and Instagram with clear evidence of blatant criminal activity.

This included advertising stolen identities, credit card details, compromised Netflix and Uber Eats accounts and even fake passports made to order. All were found easily by searching simple, barely disguised slang terms for fraud.

With fraud cases rising by a fifth in the last year and losses to coronavirus-related scams already reaching £2 million, Which? is concerned that the results of its investigation – carried out before the outbreak took hold in the UK – highlight how lax measures to prevent the trade of personal and financial information on these platforms could be exploited by criminals looking to take advantage of the crisis.

The investigation uncovered an alarming post on one illicit Facebook group, detailing the full identity of a man in Yorkshire. His full name, date of birth, address and mobile number were all listed alongside complete financial information including his credit card number, CVV number and expiry date, sort code and the name of his bank.

The post had already been up for four months when it was spotted by Which?, and the details were even being given away for free, potentially as a tactic designed to prove the seller’s credentials for future deals.

Using the open electoral roll, a researcher was able to establish that the victim had lived at the address listed in the Facebook post at least as recently as 2018, along with individuals whose names and ages implied they were his wife and adult children – demonstrating how easy it would be for a scammer to exploit the details available in the Facebook post.

Meanwhile, one fraudster on Twitter offered full credit card details of someone with a ‘£13k+ balance’ for £100, or three sets of card details for £200. Another offered a phoney passport for £3,000, which could have potentially been used as proof of ID to open bank accounts and credit cards.

Twitter’s algorithm also made it all too easy to find criminal ID sellers. After searching for and viewing such accounts, the site suggested following ones offering similar services through its “who to follow” section.

In addition, Which? found Instagram users sharing price lists detailing how much it would cost to acquire full identities, as well as ‘fraud bibles’. These comprehensive how-to guides for novice hackers and scammers explain how to create fake identities and use stolen card details.

All 50 of the groups, pages and profiles were reported to their respective social media platforms via their in-site reporting tools.

Shockingly, Facebook initially refused to remove the post containing the clearly stolen details of the Yorkshire man, on the basis that it ‘doesn’t go against one of our specific community standards’.

When Which? requested a review of the decision through the reporting tool, the post was removed, but the hacker group it was posted on remained up.

While Facebook also removed a few other isolated posts that Which? reported, when a researcher checked six days later, it had allowed every page and group to remain. Instagram and Twitter had not removed any content at all.

It was only when the content was presented to the platforms’ media representatives that it was ultimately all taken down.

Which? believes it is unacceptable for social media platforms to take such a lackadaisical attitude to the fraudulent activity taking place on their sites.

With proposed regulation of illegal and harmful content on social media platforms – such as the criminal activity exposed in this investigation – a long way from being introduced, the consumer champion is calling for the sites to take much more responsibility and be proactive in removing such content and blocking criminals.

Jenny Ross, Which? Money Editor, said: “It’s astonishing that social media sites make it so easy for criminals to trade people’s personal and financial information, particularly as fraud is such a prevalent crime that can have devastating consequences.

“Social media firms must take much stronger action to prevent their sites becoming a safe haven for scammers, and should work with the financial industry and police to address serious flaws with their platforms.”

Facebook, which also owns Instagram, said: “Fraudulent activity is not tolerated on our platforms, and we have removed the groups and profiles flagged to us by Which? Money for violating our policies.

“We continue to invest in people and technology to identify and remove fraudulent content, and we urge people to report any suspicious content to us so we can take action.”

Twitter said: “It is against our rules to use scam tactics on Twitter to obtain money or private financial information.

“Where we identify violations of our rules, we take robust enforcement action. We’re constantly adapting to bad actors’ evolving methods, and will continue to iterate and improve upon our policies as the industry evolves.”

 

Don’t be conned by cyber-skullduggery!

Thousands of people could be conned if they don’t pay attention, says leading tax and advisory firm Blick Rothenberg.

Fiona Fernie, a partner at the firm, said: “Within hours of the Government’s Coronavirus Job Retention Scheme (CJRS) there was significant activity by cybercriminals trying to cash in on the scheme.

“These were in the form of emails that purported to come from the Government and suggested that HMRC needed bank account details into which the grant should be paid.

“The wording most commonly used to date is:

‘Dear customer, we wrote to you last week to help you prepare to make a claim through the Coronavirus Job Retention Scheme. We are now writing to tell you how to access the COVID-19 relief. You will need to tell us which UK bank account you want the grant to be paid into, in order to ensure funds are paid as quickly as possible to you’.

Fiona added: “Most scams focus on obtaining the banking details of the recipient either by suggesting they can claim some kind of financial benefit from following the instructions in the correspondence (for example a tax refund to help protect themselves from the Coronavirus outbreak, a goodwill payment from HMRC or a large sum of money in return for a set-up payment), or that they have a ‘fine’ to pay as a result of some misdemeanour, such as leaving the house more than once a day during lockdown.

“The most frequent forms of communication are emails and text messages purporting to come from Government or HMRC officials and are designed to lure the recipient into precipitate action before thinking carefully about the substance of the message.

“People should be aware that neither HMRC specifically nor Government more widely communicates with individuals either by email or by text, unless you have signed up to the relevant protocol with them.  Certainly, payments that can be claimed by taxpayers or fines that can be imposed are not dealt with in this way.”

Fiona warned: “The communications are designed to look entirely legitimate and as well as using official logos, fraudsters change the ‘display name’ on their email address to only show the name of the body they purport to represent. They are very clever.

“It is imperative to treat any email or text apparently received from an official body with extreme caution – if you are taken in it could be a very costly mistake.

“WhatsApp or social media messages are also used by cybercriminals and should be treated with similar caution.”

So, what should you do if you receive one of these messages? 

Fiona lists below some of the things that you can do to protect yourself:

  • Do not reply to these emails, texts, WhatsApp or social media messages
  • Do not call the phone number listed in an email or text
  • Do not click on any links or open any attachments in emails
  • Do not provide any personal or financial details
  • If in doubt about whether an email or text is genuine, click on/hover over the ‘display name’ email address from which you have received the email. This will show you the full details of the sender and will make it clear whether the email is from a genuine Government or HMRC source
  • If you are in doubt about the source of one of these messages which appears to be from HMRC, forward it to them. You can do this via email at phishing@hmrc.gov.uk or via text at 60599 (network charges apply) and then delete it.

Fiona said: “In addition, the National Cyber Security Centre (NCSC) has recently launched a reporting service urging the public to forward any questionable emails to report@phishing.gov.uk.  The NCSC’s automated scanning system then checks them, and immediately shuts down and removes criminal sites.

“However, there are other scams which are even less easy to spot, and which are designed to play on the other major anxiety caused by the Coronavirus pandemic – protecting our health.

“Of the over 2,000 online coronavirus scams which have been removed over the last month by the NCSC, almost 500 were fake online shops selling personal protective equipment items such as gloves and face masks which either never arrive or do not meet the required standards.  Some of the sites also distribute malware which damages the computer systems of those who visit the sites.

“Even charities are at risk: some have been contacted by fraudsters claiming to be from an organisation able to provide helpful information such as a list of ‘at risk’ elderly people in the community who may require support from the charity.  The recipient is then directed to click on a link leading to a fake website or a request to make a cryptocurrency (such as Bitcoin) payment, to enable the release of the information.”

Fiona said: “The messages are not confined to scams allegedly coming from this Government; one received yesterday by a colleague purported to come from the National Crime Investigation Center, USA which is part of the FBI – it was another scam.”

Dear Scam victim,

This is National Crime Investigation Center USA.

In our investigations from banks on International and National Funds Transfer (INFT) protocols in the past 10 years from all banks worldwide. We have come across your contact details and records with one of these Banks. In view of the carried investigations, we have contacted you confidentially for vital information toward your transaction with this bank. It was clear that the bank have delayed your payment thereby looking for a means to divert your fund to different individual account not belonging to you.

However, all bank officials who mishandled your transaction has been duly sacked and management dissolved and dismissed from bank work as a result of this attempt. Upon our investigation conclusion, we found out that your transaction was legitimate and for this reason, a compensation amount of $3,150,567.00 (Three million one hundred and fifty thousand, five hundred and sixty seven dollars) has been allocated to you for immediate payment through our accredited bank, Federal Reserve Escrow.

Kindly contact the compensation paying officer with the below details.

Fiona said: “Sadly, there are always those who are happy to exploit the problems of others to their own advantage.  Despite the many pressures we are all under in these difficult and unprecedented times: we must be vigilant so that we do not become their victims.”

Which? launches new scam alert service

Which? is launching a free scam alert service to warn consumers about the latest fraud attempts and give advice about how they can protect themselves, as criminals exploit the coronavirus outbreak to unleash a new range of scams.

With more than £1.2 billion lost to scammers in 2019, fraud has become one of the most prevalent crimes in the UK, which often results in devastating consequences for victims.

In recent weeks, scammers have rushed to exploit the widespread fear and confusion caused by the pandemic.

Which? has heard many reports of different types of coronavirus-related scams including:

  • Bogus phishing texts from HMRC claiming the taxman has been forced to issue refunds due to coronavirus, and providing a link for readers to “calculate their refund”.
  • Fake messages purporting to be from the government, requesting people pay a fine for breaching the coronavirus lockdown rules.
  • Emails encouraging people to use their time during the coronavirus lockdown to invest in bitcoin.
  • Unsolicited calls from fraudsters offering to enrol vulnerable people onto coronavirus vaccine trials for a fee.

To help consumers separate the scams from legitimate communications being sent by firms, government and organisations about coronavirus, Which? is launching a free scam alert service.

Available to everyone, those signing up will receive warnings about the latest scams as the consumer champion uncovers them, along with information about how to spot a scam and protect themselves against falling victim to fraudsters.

Around £2 million has already been lost to coronavirus-related scams in England, Wales and Northern Ireland, according to Action Fraud figures, while the National Cyber Security Centre has detected 2,500 government-branded scams since the start of March.

Earlier this week, GCHQ urged the public to be more vigilant than ever for online fraud attempts as families face an “unprecedented threat from cyber criminals”.

Google has said scammers are sending 18 million hoax emails about Covid-19 every day, while security experts say they have discovered more than 700 fake websites mimicking Netflix and Disney+ signup pages as criminals try to take advantage of the lockdown to harvest people’s bank details.

Financial bodies including the Pensions Regulator, Financial Conduct Authority and Money and Pensions Service also issued a joint statement urging savers not to make rash pension decisions, over fears that scammers will try to exploit people’s concerns about the impact of the outbreak on their finances.

Gareth Shaw, Head of Money at Which?, said: “The coronavirus outbreak has created the perfect storm for scams, with fraudsters using callous tactics to exploit people’s fears and vulnerability for their own financial gain.

“As new scams spring up daily, our alert service aims to help people protect themselves and their loved ones.

“Everyone should be extra cautious about clicking on links in any unsolicited emails and texts or answering calls. Make sure your computers, mobile phones and tablets are supported by the latest security updates, and consider installing antivirus software to minimise threats.”

The free service from Which? is available at: which.co.uk/scam-alerts

Public encouraged to be vigilant and report scams

MSP for Edinburgh Pentlands, Gordon MacDonald, has encouraged people in the capital to be aware of scams and fake news following an increase in reports across Scotland about scam emails, text messages, and doorstep callers.  

Across the UK there is evidence fraudsters are increasingly targeting members of the public, as well as organisations of all sizes, with emails, texts, telephone calls, social media messages and online shopping scams relating to the outbreak.

Police Scotland have now launched a new Shut Out Scammers resource to protect the public and businesses from COVID-19 related scams. The UK’s National Cyber Security Centre (NCSC) has also launched an email reporting service, which the public can use to report any suspicious activity.

SNP MSP Gordon MacDonald said: “While the community response to the coronavirus outbreak across Edinburgh has been overwhelmingly positive, it’s disappointing to see a few individuals taking advantage of the situation with unsolicited emails, phone calls and text messages.  

“During this coronavirus crisis, everyone should take extra care to ensure that they only share information from trusted sources, ask for identification from all doorstep callers, and never hand over any personal information. 

“It’s vital that people in our capital remain vigilant against scams during this challenging time and report any suspicious activity to the relevant authorities.”

Across the UK we are seeing evidence that fraudsters are increasingly targeting the public and organisations with emails, texts, telephone calls and WhatsApp messages offering advice and treatment for the coronavirus.

They are setting up fake websites selling products and offering ‘cures’ or testing kits. Scammers have also been setting up bogus websites asking for donations for victims or promoting awareness and prevention tips. Cold callers have been contacting organisations suggesting they must have specific measures in place by a certain deadline.

To help members of the public protect themselves from becoming a victim of fraud:

  • Be vigilant and on guard if someone turns up unexpectedly
  • but don’t rely on them. Identity cards can be faked – phone the company to verify their identity
  • Never let people try to persuade you to let them into your home even if they are asking for or offering help – they may not be genuine. If someone is persistent, ask them to call at another time and arrange for a friend or family member to be with you
  • Don’t feel embarrassed – genuine callers expect you to be careful
  • Never provide any personal data such as your full name, address and date of birth – scammers can use this information to steal your identity
  • Don’t keep large amounts of money in your home
  • If in doubt, don’t answer the door.
  • Never feel pressured into making a decision on the spot. Any legitimate trader/helper will be happy to return at a later date
  • Never be afraid to say ‘No thank you’ and close the door
  • Be sceptical if you receive an email, text or WhatsApp message about the Coronavirus, and never click on any attachments or links
  • Don’t allow yourself to be pressured into donating money, and never make donations by cash or gift card, or send money through transfer agents such as Western Union or Moneygram
  • Remember, it’s your home. There’s no reason why anyone should ever enter your home against your wishes.

Who can help me?

To report a crime call 101 or in an emergency 999.

If you have concerns about a purchase that you have made, contact Advice Direct Scotland on 0808 164 6000 – www.advice.scot

Further information on dealing with scams and fraud is available from our partner sites, who can offer further information, support and advice:

Police issue email scam warning

We’re aware of an email scam going around which appears as if from the Government and NHS, asking for charitable donations to help fund their efforts.

Criminals will use any opportunity they can to defraud the public out of money, often impersonating professional and legitimate organisations.

  • Don’t allow yourself to be pressured into donating money, and never make donations by cash or gift card, or send money through transfer agents such as Western Union or Moneygram.
  • Be sceptical if you receive an email, text or WhatsApp in relation to #Coronavirus, and never click on any attachments or links.
  • Never provide personal data such as your full name, address and date of birth – scammers can use this information to steal your identity.

Further information on dealing with scams and fraud is available from Trading Standards Scotland and Citizens Advice Scotland or visit: http://ow.ly/G5yg50yQ4qu

#COVID19
#ShutOutScammers

Police warn of coronavirus scams

Police Scotland warn that there has been an emerging trend of criminals taking advantage of the increasing concern around the spread of the Coronavirus in the UK.

Reports include people visiting homes posing as police officers and health officials in an effort to scam the occupants or gain entry.

Tactics used include the criminals offering fake Coronavirus testing and fake services to assist those who are unable to leave their homes including the delivery of shopping and other essentials. 

Vulnerable individuals including the elderly have been specifically targeted.

Please be vigilant and share this information.

Police can be contacted on 101 or 999 in an emergency or please call Crimestoppers in confidence on 0800 555 111.

Which? calls for mandatory transfer scam protections

Which? is calling for vital fraud protections to be made mandatory, as the consumer champion reveals more than £1 BILLION is estimated to have been lost to bank transfer scams in just three years.

With measures set to come in that should significantly reduce the amount of money lost to this type of fraud, Which? is also raising concerns that some banks are not committed to introducing the protections on time, or even at all.

Which? analysed bank transfer fraud statistics since the start of 2017, a few months after it first highlighted the threat from these devastating scams with a super-complaint.

The projected total lost since then, based on current trends, now stands at a staggering £1.1 billion, according to the research.

During that period, the sums lost to this type of scam, also known as authorised push payment (APP) fraud, have risen rapidly, while the payments regulator and banks have been slow to introduce much-needed protections for consumers.

According to Which?’s projections, £97 million could already have been lost in the first three months of this year alone.

Alarmingly, analysis suggests that almost a third of the total losses since 2017, equating to £320 million, could have been prevented if a simple system of checking names on bank transfers had been in place during that period.

This important measure – known as confirmation of payee (CoP) – is finally due to be introduced by most of the UK’s major banks by the end of March.

CoP ensures that a check is made on whether or not the name a customer enters when making a payment matches the account details it is being sent to. It helps to stop fraudsters from posing as trusted organisations such as a bank or solicitor and tricking people into making payments to them.

The Payment Systems Regulator (PSR) has only directed the six biggest banking groups to sign up by 31st March, but Which? believes all banks must join the scheme in order for it to be effective.

The consumer champion asked all banks when they planned to introduce Confirmation of Payee.

Of the banks that have been directed to sign up, RBS Group (including Royal Bank of Scotland, NatWest and Ulster Bank) and HSBC (including First Direct) were unable to confirm a specific date when asked if they would be ready by the regulator’s deadline.

On the other hand, Lloyds Banking Group is ahead of the pack, implementing CoP from 2 March 2020 for Bank of Scotland customers, before rolling it out to Halifax and Lloyds customers throughout the rest of this month.

Of the banks that haven’t been directed to sign up by the regulator, several have said that they plan to deliver the system by the end of the year.

However, Metro Bank told Which? that it has no current plans to implement CoP at all – despite this being a requirement of the voluntary industry code on APP scams launched in May 2019, which Metro Bank signed up to.

It did not elaborate on why it does not intend to introduce CoP, but says the voluntary code gives customers significantly increased protection against authorised push payment scams.

Metro Bank said: “We take our customers’ security extremely seriously and have a range of safeguards in place to help defend them against fraud, which we constantly review and update in light of increasingly sophisticated tactics from fraudsters.

“We have no plans to implement Confirmation of Payee currently, but can reassure our customers that they will continue to be protected. Metro Bank is a voluntary signatory of the Contingent Reimbursement Model Code, giving customers significantly increased protection against authorised push payment scams.”

Amid concerning reports of banks failing to follow the code’s rules around reimbursing blameless APP scam victims, Which? is concerned that a voluntary approach to ensuring victims are treated fairly is no longer viable.

The next set of UK Finance figures on bank transfer scams is due for release in the coming days. It should show an increase in the amount of money being reimbursed to victims of bank transfer fraud, as banks signed up to the code begin implementing the greater protections it offers.

Which? believes the code and CoP should be made mandatory and that the government must consider directing the PSR to ensure all banks are signed up. The consumer champion is also encouraging all consumers to put pressure on their bank to sign up to both the code and CoP.

Gareth Shaw, Head of Money at Which?, said: “The UK has been in the grip of a fraud crisis for years, but new security measures offered by the banking industry should finally give people better protection against increasingly sophisticated fraudsters.

“At the end of this month, we should get a true sense of how well the industry is tackling the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code.

“If the banks fall short of making these commitments themselves, these initiatives must be made mandatory by the government.”

Beware Coronavirus scams

Cifas, the UK’s leading fraud prevention service, is warning people not to fall victim to scams being circulated involving the coronavirus.

Fraudsters are increasingly targeting the public with emails, texts and WhatsApp messages offering advice and treatment for the coronavirus, as well as setting up fake websites selling products and offering ‘cures’.

Scammers have also been setting up bogus websites asking for donations for victims, or promoting awareness and prevention tips.

To help members of the public protect themselves from becoming a victim of fraud, Cifas is offering the following advice:

  • Be sceptical if you receive an email, text or WhatsApp message about the Coronavirus, and never click on any attachments or links.
  • Never provide personal data such as your full name, address and date of birth – scammers can use this information to steal your identity.
  • Don’t allow yourself to be pressured into donating money, and never make donations by cash or gift card, or send money through transfer agents such as Western Union or Moneygram.
  • If you think you’ve been the victim of a scam, then speak to your bank immediately and report any fraud to Action Fraud on 0300 123 2040.

Mike Haley, CEO of Cifas, said: ‘Fraudsters are always looking for new ways to prey on people’s fear and anxieties, and so it’s very likely that these scams will only increase as Coronavirus spreads.

‘My advice is to not let fraudsters scare or pressure you into making any hasty decisions. Take your time and do your research, and remember to never hand over personal or financial details – don’t let criminals benefit from this serious situation.’

Kate Bevan, Which? Computing editor, said: “Scams are among the most prevalent types of crime in the UK so it is seriously worrying that coronavirus is creating a perfect environment for fraudsters and scammers to thrive using a range of loathsome tactics.

“Help protect yourself by being extra cautious before clicking on any unsolicited emails and texts or answering calls. Make sure your computers, mobile phones and tablets are supported by the latest security updates, and consider installing antivirus software to minimise threats.”

Sharp rise in DVLA scams

DVLA has revealed a 20% rise in scams reported to their contact centre, with 1,538 reports about suspected vehicle tax scams during the last 3 months of 2019.

DVLA has released pictures of some of the cons being used by scammers to trick motorists into handing over their money.

It comes as new figures show a 20% increase in scams reported to DVLA, with 1,538 reports made to the agency in the last three months of 2019.

The reports of suspected web, email, text or social media scams were up from 1,275 in the same period in 2018. DVLA has released the images of recent scams reported to help motorists be aware of what to look out for and issue a clear warning that if something offered online or by text message appears too good to be true, then it almost certainly is.

Scammers are targeting unsuspecting customers with links to services that don’t exist and messages of tax refunds, all of which are fake.

The reports also show that driver and vehicle documents are for sale on the internet. DVLA is advising anyone with concerns about any calls, texts, emails or suspicious activity online, to always report these to the police via Action Fraud immediately.

DVLA chief information security officer David Pope said: “We’ve released examples of real life scams to help motorists understand when a scam is at work. These websites and messages are designed to trick people into believing they can access services that simply don’t exist such as removing penalty points from driving licences.

“All our tax refunds are generated automatically after a motorist has told us they have sold, scrapped or transferred their vehicle to someone else so we don’t ask for anyone to get in touch with us to claim their refund.

“We want to protect the public and if something seems too good to be true, then it almost certainly is. The only trusted source of DVLA information is GOV.UK.

“It is also important to remember never to share images on social media that contain personal information, such as your driving licence and vehicle documents.”

A spokesperson for Action Fraud said: “This can be a stressful time of year, sorting out finances for the year ahead. Fraudsters are aware of this and are using different ways to trick people.

“Taking a couple of minutes to familiarise yourself with a few simple online safety tips can be significant in protecting yourself from becoming a victim of online fraud.

“You should always be cautious when sharing personal information online and avoid being scammed by only using GOV.UK for government services online, such as the DVLA.

“If you believe you have been a victim of fraud, please report it to us.”

Which? – Banks are denying reimbursement to innocent scam victims, despite new rules

Which? is concerned by early signs that some of Britain’s biggest banks are refusing to reimburse blameless victims of devastating transfer fraud, despite the introduction of new industry standards intended to protect fraud victims.

Banking customers lose life-changing sums every day through bank transfer scams – with Which? even hearing from a victim who lost £500,000 through his restaurant business.

It was hoped that the introduction of a voluntary industry code in May 2019 would ensure that all blameless victims get their money back, finally reversing the trend of people being left out of pocket.

But Which? has heard from a number of people who say they have been denied reimbursement unfairly – with a worrying trend emerging of banks relying on fraud warnings to justify not refunding customers. These decisions from banks fly in the face of the voluntary code most banks have signed up to, which pledges to reimburse all blameless victims.

It is now much more common for online or mobile banking customers to see fraud warnings when transferring money, as banks seek to meet new code standards by introducing a range of different features aimed at making a customer think twice about whether they are being scammed.

However, a Which? survey found that almost half (49%) of people are not even aware that new fraud warnings had been introduced by banks – further evidence that victims should not be arbitrarily turned down for reimbursement because they have “ignored warnings”.

Case study – Michelle, 38, London

Which? spoke to Michelle, 38, who lost almost £33,000 after responding to a text message about a ‘suspicious payment to Airbnb’ in August 2019. It appeared to come from Lloyds Bank’s usual phone number, sandwiched between two genuine messages, so she called the number supplied. Over the course of an hour Michelle was persuaded to transfer her money to a new account, in the belief that hers had been hijacked by criminals.

Lloyds says although it has sympathy for Michelle it will not reimburse her, on the grounds that she ‘did not take sufficient steps to verify that either the text message or the person she spoke to on the phone were genuine’, and that she authorised the payments despite receiving ‘specific warnings’ stating that Lloyds would never ask a customer to move money to other banks.

Michelle had no reason to believe the text was fake, and Lloyds is yet to explain the ‘sufficient steps’ she ought to have taken. And, while she did notice an online warning about fraud when she made the first payment, the criminal on the phone was able to quickly dismiss her concerns.

She said: “It was very urgent and compelling. My two-year-old daughter was running around while I was on the phone to them for an hour. I saw the warning about Lloyds never asking me to move money into a safe account and flagged this over the phone. They assured me that these were not “safe” accounts but “new” accounts.”

Which? has advised Michelle to escalate her case to the Financial Ombudsman Service.

Which? – working with two leading academics – also analysed the effectiveness of banks’ fraud warnings, to establish whether they are adequately ‘understandable, clear, impactful, timely and specific’ – as set out in the code.

The experts raised concerns about elements of the warnings from some of Britain’s biggest banks.

One researcher voiced concerns over the ‘generic’ messages displayed by First Direct, HSBC, Lloyds, NatWest and Royal Bank of Scotland. Petko Kusev, from Huddersfield Business School, said that it was perfectly rational for customers to ignore generic information when conducting bank transfers.

A second researcher, Patrick Fagan from Goldsmiths University, suggested that some warnings can come too late, as once people have already been targeted by scammers they typically commit to seeing the action through. Mr Fagan suggested that banks use targeting and personalisation to make these warnings more persuasive.

Which? supports the introduction of fraud warnings as an important defence in preventing scams. However, Which? believes that banks must prove their fraud warnings are fit for purpose and should not be used as a means to simply deny reimbursing blameless victims. If a bank can’t prove its warnings are effective then the customer should not be deemed at fault.

The consumer champion also wants the industry code to be made mandatory for all current account providers as many providers still haven’t signed up to the vital fraud protections.

Jenny Ross, Which? Money Editor, said: “People are losing life-changing sums of money every day to devastating bank transfer fraud – so it’s shocking that some current account providers still haven’t signed up to offer their customers vital protections.

“All banks must prove that their online warnings are up to scratch – especially if they are denying victims reimbursement, as we’ve seen in some cases.”

The consumer champion put banks’ fraud warnings under the spotlight, and found:

  • Asking customers to tick a box to confirm they have understood the warning could prove more effective than warnings that take consent for granted. However, Which? believes this is still a low bar for establishing consent.

  • Nationwide’s ‘STOP AND THINK’ message ahead of a transfer was deemed to be effective at providing customers with concrete, clear imperatives.

  • Which? is critical of HSBC’s approach that gives customers the option of hiding warnings, raising the likelihood that customers might not see them at all.

  • Meanwhile, customers could easily miss important wording and rush through a transfer if it is towards the bottom of a screen, such as First Direct’s warning.

Banks that have not signed up to the code:

Bank of Ireland, Citibank, Clydesdale and Yorkshire Bank, Danske Bank, First Trust Bank, Monzo, N26, Tesco Bank, and Virgin Money. Although TSB is not a signatory of the code, it promises to reimburse all victims of fraud under its ‘Fraud Refund Guarantee’, launched on 14 April 2019.

The Lending Standards Board is responsible for overseeing the new voluntary code and assessing how firms are implementing the standards set out in the code.