The number ID flashes up on your phone identifying the call as coming from your bank. But beware – caller ID can be easily spoofed by fraudsters, as one Cambridge businesswoman found to her cost after crooks convinced her she was talking to her legitimate bank, and then emptied her account of £90,000.The businesswoman also accuses her bank, Metro, of lax security procedures that enabled the crooks to set up payments to accounts at Barclays, through which the money was siphoned from her account.
Jane Holden says the fraud started with a phone call to her mobile which showed it was from Metro’s 0345 business banking number. Although Metro has now agreed to refund her the £90,000 following the Guardian’s intervention, she says the episode has left her shocked at how vulnerable bank customers are. She says she now plans to move to another bank.
Her case started in late February when, while abroad, she realised that she had missed four calls to her mobile all from the same number, 0345 080508, which she knew to be Metro Bank’s business call centre. When they rang again in the evening and she was able to answer, the caller claimed to be from the bank’s fraud team.
“I was told it was concerned about fraudulent hotel bookings I had made using Booking.com,” she says. “I questioned how I could verify they were calling from the bank and they directed me to the Metro website to check any number calling is genuine, which I did. The number on my phone also matched that on the back on my bank card.”
She had also received, during the day, a confirmation booking text that appeared to have come from Booking.com.It was by this point I was convinced I was talking to the bank. They then said they needed me to clear security to discuss further, and asked me for characters from my password and from my memorable word, just as my bank does.They must have had access to my online banking membership number as I don’t know this, and I was not asked for it.To cancel the hotel bookings they said they would send me ‘a payee code’ as the fraudulent payments had been set up as ‘faster payments’.I received three text messages which I read back to them. It all happened very fast,” she says.
Unknown to her, the fraudsters had changed the phone ID on their system to show Metro Bank’s number on her handset, which is easily done. They had also faked the Booking.com text. Armed with the codes she had read out, they set up payments out of her account. With access to both her personal and business account they were able to subsequently take £90,000 through a series of payments – all paid to one of three Barclays accounts that they used to launder her money.
“They somehow had my mobile and the whole of my debit card number – not just the last four digits – you have to have ones from the middle to make the payments,” she says. “All along, the person I spoke to was very professional and sounded exactly as though they worked in a bank fraud call centre. I am an internet-savvy businesswoman who runs a successful business, and this can happen to anyone. It was a terrible moment when Metro told me that they believed I had been grossly negligent and would not refund me. I later found out that the fraudsters also changed my internet banking password and memorable word while logged in, allowing them to access my account multiple times. And yet Metro sent no text notifications. I’d have thought that was a basic security measure.”
Metro Bank told Money: “We take our customers’ security extremely seriously and have a range of safeguards in place to help defend them against fraud, which we constantly review and update in light of ever-changing and increasingly sophisticated tactics from fraudsters. We have taken the opportunity to undertake a further review of this case as we always want to do the right thing for our customers. I can confirm, as a result of this case being reviewed, and revisiting the facts available to us, we will be offering a full refund to the customer.”
* Jane Holden is not her real name
The warning signs
Fraudsters using fake – or spoofed – phone numbers to help convince their victims is not new, but it reached an epidemic in recent months due in part to the ubiquity of smartphones.
It is surprisingly easy for a fraudster to change their phone’s caller ID to mimic that of a bank or other government agency. There is nothing to stop a fraudster inputting any bank’s customer service number which is automatically displayed on the mobile handset.
If the receiving smartphone has that bank’s customer service number in their phone’s contacts list, the handset will recognise that and tell the person that NatWest or whoever is calling.
Similarly, texts that come in from the fraudsters using a spoofed number, will show up as being from the bank – often appearing alongside legitimate texts sent out by the bank. Last week, Which? warned consumers to be on their guard against this growing problem. The same goes for trusted organisations like HMRC, the DVLA or TV Licensing or well-known brands such as Apple or PayPal.
It says texts have been particularly effective at duping customers because of the way smartphones group messages that claim to come from the same source.
If you receive a voice or automated call – either at home or on your mobile – that claims to be from your bank, hang up. Having cleared the line, phone the bank yourself on the number shown on your bank card. Texts should be treated as equally suspicious.
The banks have said they can’t prevent scammers using technology to impersonate them, as they don’t control the gateways through which spoofed texts are sent.
A genuine bank will never contact you asking for your pin, full password, or to move money to a safe account.
Should banks refund customers in cases such as this?
Last autumn, the Financial Ombudsman Service put banks like Metro on notice that blanket refusals to refund in such circumstances will no longer be tolerated. Instead, banks will have to take into account the “evolution and sophistication” of fraud.
The chief ombudsman, Caroline Wayman, told the banks that it was not fair to automatically call a customer grossly negligent simply because they’ve fallen for a scam. “That’s especially true in light of the sophisticated way criminals exploit banks’ security systems – and convince customers that their money is at risk,” she said at the time.
Banking regulations state that the bank must refund any payment that was not “authorised” by the account holder. Account holders whose account has been emptied by a fraudster cannot be said to have “authorised” such payments, therefore they should be refunded.
A year ago Money featured the case a Kent-based businessman, who lost £20,000 after fraudsters were able to go into the Brixton, south London branch of mobile phone company EE and take over his phone account, which they used to set up a series of new online payments, that subsequently emptied his Metro account. Metro told him that it would not refund him claiming he had been grossly negligent. FOS later ruled against Metro and ordered the bak to refund him.
He said then: “I’ve used internet banking for over 15 years and have never been a victim of online fraud; however after only seven weeks of being a Metro customer I have fallen victim to online fraud. I wish I read reviews online before opening the account as I see this appears to be a bigger problem with Metro,” he told Money.