Online financial scams: how vulnerable are we?

by Stephen Meade on March 28, 2016

  • SumoMe

There is a reasonable chance that most of us, at some point in our lives, will experience fraud, in one form or another.

As technology continues to advance and we store more of our personal data on phones, tablets or digital storage platforms like the Cloud, we become increasingly vulnerable to hackers and scams.

Whereas someone – short of breaking into a bank – would have once had to physically steal our post to access our financial statements, hackers can now find out previously private and confidential information with a few clicks of a mouse, a cleverly replicated email or an invitation to re-enter a password or account details.

Now, as scams and hacks become more sophisticated – keeping up with the advancing rate of technological progression – so, too, do the efforts of professional institutions, such as banks, hospitals and online companies that hold significant accounts of customer information, to uphold their commitment to data protection and prevent fraud taking place – or so you would assume.

However, a recent high profile case demonstrated flaws in the protective action taken by banks, in particular, and highlighted a desperate and urgent need for an update in protocol and best practice.

Last year, Mrs Vivian Gabb was in the final stages of completing the purchase of a house when she received an email – which she believed to be from her solicitor – providing her with the firm’s bank details and requesting payment of the pre-arranged deposit, £50,000. Mrs Gabb transferred the money, only to be informed four days later that the funds had not ended up with her solicitors, but in the bank account of a fraudulent imposter, set up in her solicitor’s name and used to monitor Mrs Gabb’s email activity.

On contacting both her bank (Halifax), and the bank that the fraudulent account was held with (TSB), Mrs Gabb was informed that, as the funds had been immediately withdrawn on clearing in the fraudulent account, there was nothing that either financier could do to assist her in recovering the money – her £50,000 was irretrievable.

Both banks maintained that due to the type of fraud Mrs Gabb had fallen victim to, they were not responsible for her financial loss: she had ‘willingly’ made the payment and authorised the funds leaving her account herself.

Remarkably, as banking practice currently stands, banks are only obliged to check that the basic account details are correct when making a CHAPs payment – there is no requirement for them to check that the account details match the payee name provided. (A high profile example of this is the Tidal Energy Limited case, where Tidal was given incorrect account details by a fraudster impersonating one of its suppliers.  See more here.)

In this case, had Halifax checked whether the payee account name matched the account number, the bank would have been immediately alerted to the fraud, and Mrs Gabb would not have authorised the payment.

This type of scam – known as ‘social engineering’ – exposes individuals to a huge risk of fraud. In this case, Mrs Gabb had been in regular correspondence with her solicitor via email (which the fraudster had monitored), and so there was no reason for her to be suspicious of the request when it came through. What’s more, as social engineering relies on human interaction, rather than a technical method of intrusion like credit card scamming, it places victims wide open to their own accountability. As with Mrs Gabb’s case, banks currently hold no obligation to reclaim, investigate or compensate lost funds that have been ‘willingly’ transferred by the account holder – even if that account holder is working off of false information.

Worryingly, this type of fraud is on the rise. Internet safety advice website Get Safe Online says that more than half of people in the UK have been a victim of an online crime, and 15% of people have been victims of either attempted or successful hacks of their email account.

Furthermore, in a Freedom of Information Request submitted on behalf of Mrs Gabb, it emerged that, since 2010, there have been more than 5830 complaints about interbank transfers and, of these, 652 were complaints about frauds or scams. The Financial Ombudsman was unable to provide information about how many CHAPS payments were made to the wrong account, as they ‘do not record this information in a searchable form’ in their system.

Certainly, it seems likely that there are other individuals who have fallen victim to social engineering and made CHAPs payments to a fraudster in error – perhaps they may not even be aware of having done so. One way to challenge the current banking policy could be to bring a class action – where several cases are brought together as one – to campaign to change policy, and ensure that banks do all that they have in their power to prevent a cycle of criminal profit, to their customers’ detriment.

From a legislative stand point, it is clear that a change in policy, procedure and best practice needs to take place if the institutions that we trust with our data, sensitive information and, in Mrs Gabb’s case, life savings, are to properly protect us and our assets.

Regarding CHAPs payments, it has been established that a number of banks actually do call the payee bank to verify the account name against the account number – a precaution that, should Halifax had taken, would’ve saved their customer the loss of £50,000. Surely it is the responsibility of banks to make these checks mandatory, rather than taking them only as an extra precaution?

In this age of increasing cyber fraud, customers ultimately use banks to protect themselves against theft and fraud – generally a bank account is perceived as more secure than stuffing cash under the mattress. It seems reasonable, then, to expect them to update their policies and use the full extent of their knowledge and power to protect what they have been entrusted with, rather than leave their customers vulnerable to fraud.

Stephen Meade

Stephen Meade

Stephen Meade is a commercial disputes lawyer at Cardiff and London based Capital Law – The Legal 500’s Welsh law firm of the year:
Stephen Meade

Latest posts by Stephen Meade (see all)

Previous post:

Next post: