How banks enable Instagram scams
- Jason Costain
- Jul 8
- 3 min read
You'll have no doubt heard that lots of scams start on social media (around 75% according to UK Finance). It's a regular complaint we hear from banks.
The pics below are of a scam site I came across today on Instagram selling Paul Smith designer goods at ridiculously low prices (yep, if it seems too good to be true, it probably is....). At time of posting, this site is still live.
This type of scam is part of a £400million online card fraud problem for UK banks. It is the biggest single cause of losses reported by banks.
➡️ ACTION: If you see a dodgy advertiser on Instagram then click on the three dots at the top right of your phone screen and "Report Ad". I suspect Instagram simply wait for a threshold number of reports to be received before doing anything so every click counts ⬅️
In the meantime, Instagram will happily collect money from the criminals in payment for their scam Ads. Morally acceptable? You decide.
According to UK Finance, there were 2.5million cases of remote purchase card fraud in 2024 (+22%) costing the industry £400million and, just like in the scam below, roughly half of these were "authorised" by unwitting consumers.
‼️ Notice from the pics below how these scammers are able to accept card payments ‼️
Not only have criminals been able to dupe Instagram, they've also duped an Acquirer (aka a bank or payment services provider) into giving them payment card acceptance capability.
At its heart, we are looking at a fundamental failure in KYC here (Know Your Customer).
KYC checks are as critical for banks as they are for Instagram, and yet they are often dumbed down to meet minimum regulatory requirements, rather than being beefed up to prevent crime.
The problem seems particularly common amongst 'new entrant" banks who are desperate to gain market share. The regulator catches up with them eventually, as in the recent fines of Monzo Bank and Starling Bank (see LINK in comments)
Sadly, weak KYC means criminals can enter the ecosystem and carry out fraud.
In creating a scam site to take a victims card details for non-existent Paul Smith bargains, the scammers have not only blagged Instagram, they've blagged a bank.
As you can see from the screenshots, I used my digital card from Wise.
There's a nil balance, so the transaction was declined (this isn't Wise's fault...their digital card replacement service is excellent btw. If this resulted in a fraud loss, they'd have no doubt refunded me).
I don't know which Acquiring bank processed my card payment below (I have my suspicions, and Wise will definitely know), but the Acquirer too are enabling scams, in the same way Instagram are.
So, if you work in a bank, the next time you are tempted to blame social media for enabling scams, it's worth thinking about what more you could do.
Smarter banks are beginning to aggressively profile higher risk acquirers.
For many years, banks have profiled Merchants (each merchant has a unique merchant ID that identifies them with VISA, MasterCard etc). In a similar way to analysing the fraud at a particular merchant, banks should also profile fraud at an Acquirer level.
This requires fraud analytics teams to segment card fraud losses into the different Acquiring firms. It takes time to set up, but once done, an issuing bank will start to identify that some acquirers are more fraud prone than others. Combined with other data (a never before seen Merchant ID, for example) card issuers can make fraud rules more targeted. Such data also makes for far more powerful conversations between the card schemes and regulators.
Jason Costain
