Think all scam victims are idiots? You might be part of the problem
- Dec 22, 2024

By Jason Costain, December 2024
Why did they buy a car without seeing it?
Why did they invest in something that was too good to be true?
Why did they believe it was their bank’s fraud team calling?
Why did they think Keanu Reeves needed money?!
If you work in the payments industry and can’t get beyond these questions, then frankly, you may be part of the problem.
People will always fall for scams
In order to get better at defending against scams, we need to accept the fact that humans fall for scams – and they’ve been doing so for thousands of years:
500BC Egyptian tax collectors used inaccurate weights to fool householders into paying more than they should
125AD the Praetorian Guard sold the rights to the Roman throne when they didn’t actually own them. And the age-old expressions “fool’s gold” and “too good to be true” owe their origins to scams.
Blaming the victims of scams is a waste of valuable time and this same narrative of victim blaming is playing out in many countries. We need to do more to understand the problem.
Research from the UK speaks volumes:
47% of UK adults (24.9m people) showed 1 or more characteristics of vulnerability. Source: UK Financial Conduct Authority, May 2021[1]
People with characteristics of vulnerability are 12 times more likely to fall for a scam than people who aren’t vulnerable.
Source: UK FCA, February 2021[2]
1 in 7 adults have literacy skills at or below those expected of a 9- to 11-year-old.
Source: UK FCA, May 2021[3]
Too smart to be scammed?
If you are sitting there reading this thinking you are too smart to be scammed, research from VISA[4] found that those who consider themselves more knowledgeable about scams are more likely to fall for one.
The UK has been a global leader in recognising the threat posed by scams. Despite its many critics, the scam refund code (a.k.a. the CRM), which was set up in 2021 and signed by the UK’s top banks, has had a hugely positive impact. It demonstrated the industry’s commitment to helping victims and it recognised that bank scam controls weren’t effective.
The CRM code also created the financial incentive for banks to fund their fraud teams’ scam defence initiatives. Prior to this, defences were inadequate (or in many cases non-existent) and fraud teams often struggled to get the funding and organisational support needed to put basic safety features in place.
The CRM has also benefitted victims - by the end of 2023, 73% of UK scam losses were being reimbursed by CRM signatory banks as scam controls and recovery processes improved.
Historically, until the CRM came along, UK payment systems had been built to process high value payments instantly, even if most customers would never need such functionality. With the advent of online banking, consumers were given the ability to send their life savings to someone they’d never met from the comfort of their own homes.
With UK police dedicating only 2% of resources to fraud, despite it accounting for 40% of UK crime, the chances of getting caught are minimal. The UK became a scammer’s paradise.
Bank Liability
How much banks should be liable for scam victims’ losses is still hotly debated across the world, but as the latest figures from the UK’s Payment Systems Regulator (PSR) show, there can be vast differences in scam-stopping performance between banks.
It can be a case of pot-luck as to what level of scam protection a customer can expect to get, or indeed whether they’ll receive a refund in the event of a loss.
Even after 6 years of UK Finance reporting Authorised Push Payment (APP) losses and two annual cycles of the PSR naming individual banks and payment service processors, the differences in performance between firms are still huge. PSR data[5] shows us that in 2023:
Smaller firms received 53% of all UK APP fraud volume despite only receiving 8% of UK consumer Faster Payments
Metro Bank is nearly three times more likely to allow its customers to send payments to APP fraudsters compared to NatWest, for example
NatWest Bank refunded 62% of its customers’ losses, yet Metro only refunded 42% of victim losses
Of course, to commit APP fraud you need a receiving bank account through which to launder your stolen funds. The data for the APP payments received by UK banks presents even more stark variances in performance…
TSB Bank received nearly ten times more APP fraud payments proportionally than Santander
Payment Processor Skrill’s accounts were used by criminals to launder the proceeds of APP fraud at a rate that was proportionately 450 times greater than Santander’s
With this level of performance disparity, it’s still somewhat pot luck whether a UK customer’s bank protects them when they are being scammed.
The question of how much a receiving firm should be liable for scam losses also needs to be carefully considered, especially when some receiving firms are receiving inbound APP Fraud payments at a rate that is 450 times greater than other firms in their sector.
The disparity in APP Fraud loss performance between financial services firms is likely to be far greater in other countries where regulators are yet to collect such data.
What is also clear is that some payments firms have a lot more work to do and this undermines the current calls from bankers for social media firms to do more.
What is very clear from the published UK APP loss data is that there have been significant improvements in the performance of high street banks over the past two years. Virtually all are sending and receiving less APP fraud money. This is great news for UK society as a whole. Other countries could learn a lot from the UK’s example of publishing APP Fraud data.
For more detailed comparative data, see https://www.javloc.com/post/benchmark-fraud-data-can-be-a-powerful-tool
The UK Financial Ombudsman Service will no doubt also consider these performance disparities when it comes to making refund decisions on scam victim complaint cases.
Bank Impersonation scam Case Study, 4 November 2024:
Retirees Keith (age 78) and Janette (age 75) received a call, supposedly from Barclays’ fraud team, telling them there was an unusual card transaction on their account. Such a call was not unusual – their bank made similar calls to them once or twice a year. The fraudsters knew the last four digits of Keith and Janette’s debit card, spoofed a Barclays email address to send them ‘official’ Barclays documentation, and cloned Barclays’ auto-attendant so that it sounded like Barclays’ call centre when Janette called the number they’d been given.
Over 6 hours, Keith and Janette were kept on the phone by the scammers and by 4pm they had been persuaded to make three payments, ostensibly to prevent an internal fraud from taking place. Their payments totalled £85,500. All payments were to bank accounts they’d never paid before.
Payment 1 10:30hrs £1,500 - went unchallenged by Barclays and the payment was processed.
Payment 2 12:00hrs £45,000 - the scammers told Keith and Janette that once they’d made this payment, they could expect a call from a ‘corrupt’ Barclays employee, so the scammers provided them a cover story to use to help catch the criminal. The genuine payment verification call from Barclays duly happened, the conversation with Keith and Janette was brief, after which Barclays processed the payment.
Payment 3 16:00hrs £39,000 - the scammers told Keith and Janette to expect another call from Barclays and duly provided them with another cover story, plus a fake invoice to support the reason for their payment.
The fraudsters had also created a new Ltd Company on UK Companies House and had opened a business account with Lloyds Bank in the name of their new business – this ensured that the payment was a ‘Confirmation of Payee’ match. As expected, a member of the genuine Barclays fraud team duly called Keith and Janette to verify the payment.
The genuine Barclays investigator asked to see the payment invoice and looked up the (recently formed) beneficiary Ltd Company on Companies House. The Barclays investigator convinced Keith and Janette to delay processing their payment due to concerns he had.
At this point, Janette sent me (we are ‘friends of friends’) an SMS to ask “how do I verify that a call from my bank fraud team is genuine?”. We quickly uncovered the fraud and spent the next three hours on the phone to the genuine Barclays Bank Fraud Team, via the Stop Scams UK ‘159’ service.
What happened to Janette and Keith was a well-orchestrated attack. The fraudsters targeted their victims using stolen card data and tailored their attack to mirror the Barclays fraud process, spoofing Barclays documents, email addresses, and phone call routines. The fraudsters worked in and around the genuine Barclays fraud process. This is a common tactic used by scammers and it added plausibility to the scam.
None of what I am writing about is useful to criminals, by the way. Due to the amount of money at stake, they will likely know Barclays' processes better than most Barclays staff.
Due to Janette and Keith’s age, they are significantly more vulnerable to scams. Additionally, Janette’s sister was receiving end-of-life care - the timing of the scam call could not have been worse.
16 November 2024 – Janette’s sister died.
18 November 2024 – Barclays called Janette and Keith to tell them they would be getting a full refund.
I believe that Barclays made the right decision. The Barclays Investigator's actions on Payment 3 were excellent and they saved the day, at least enough to cast doubt in Janette’s mind, triggering her SMS message to me.
Janette and Keith are far from alone.
There were 232,000 scam cases in the UK in 2023 according to UK Finance. It is estimated that over 90% of scams go unreported.
Scams often succeed because they coincide with a time of crisis for the victim.
Humans are fallible. Victim-blaming is pointless. Instead, let's work together to improve bank defences against scams.
Jason Costain
Jason has worked in banking fraud prevention for 25 years, running fraud and financial crime defence teams at some of the UK’s best-known firms. If you want help designing improved fraud defence systems, contact Javloc.com
Further resources at javloc.com
More detailed bank scam performance data in support of this article can be found at: https://www.javloc.com/post/benchmark-fraud-data-can-be-a-powerful-tool
[1] https://www.fca.org.uk/data/financial-lives-2022-early-survey-insights-vulnerability-financial-resilience
[3] https://www.fca.org.uk/data/financial-lives-2022-early-survey-insights-vulnerability-financial-resilience