A Vicious NatWest Scam Is Helping Cybercriminals Steal People's Life Savings
We have talked about how unpleasant having your credit card stolen is. With that being said, in many cases, the damage could be limited.
Obviously, regulations vary from country to country, but it's fair to say that in many cases, victims of credit card fraud end up losing little or no money at all. Here's a relatively typical scenario: an online store you've used has your credit card details on file, but for one reason or another, it's not storing them properly. Cybercriminals find the information and use it to either create a duplicate card and withdraw money or buy items at your expense.
It's not your fault that your credit card data fell into the wrong hands, and although the bank is not to blame, either, it will often accept a small (in the grand scheme of things) loss and refund you your money.
Unfortunately, the crooks have come up with other ways of separating you from your cash, and if you fall for some of their schemes, your bank will not be willing to restore the balance of your account.
What is an Authorized Push Payment Scam?
Let's decipher the name. A pull payment would be, for example, a direct debit that you've set up to pay a monthly bill. It's called a pull payment because it's initiated by the service provider on agreed dates. By contrast, a push payment is a transaction that is initiated by you.
Authorized means that you have somehow proven that you are the account owner. That is, you have either logged into your online banking account with a password, or you have walked into a branch, and after providing an ID, you have ordered the bank to transfer a particular amount of money to someone else's account. The fact that we're talking about a scam obviously means that a criminal has duped you into doing it.
Authorized push payment fraud scams have been around for a while now, and they come in many different shapes and sizes. The old Nigerian prince scam and various types of online romance scams, for example, are among the most famous variations. The thing is, pretty much everybody has heard about these schemes, and not many people are falling for them nowadays.
Unfortunately, the crooks have been keeping up with the times, and they have come up with new, much more advanced and elaborate ways of scamming people out of their hard-earned money. Some of the customers of a British bank called NatWest can testify.
NatWest customers targeted by sophisticated scammers
Sarah Hudson, a teacher from Nottingham, England, fell victim to one of these schemes and ended up waving goodbye to just under £20 thousand or around $25 thousand. It all started with a phone call, which, Sarah's device said, was coming from NatWest, the bank she had been using for more than 20 years. In reality, she was talking to scammers who had somehow managed to spoof the bank's phone number. Next, a classic social engineering trick came into play.
The crooks told her that suspicious activity had been detected on her account, putting her in a state of panic. The fraudsters then explained that if Mrs. Hudson wants to ensure the security of her money, she needs to transfer it to a safe account which they had obviously already opened for her. They gave her the number and told her to wire precisely £19,960 to it.
Sarah became suspicious. First of all, after recently remortgaging a property, she had more than £19,960 in her NatWest accounts. In addition to this, the supposedly safe account was in a different bank – Barclays. The fraudsters had done their homework.
They lied to her that after initial sum goes through, they will be able to pull the rest of the money to the "safe account". In reality, they wanted £19,960 because any transaction worth over £20,000 is manually reviewed by NatWest. Then, they convinced her that they really work for the bank by giving her details of her most recent transactions as well as other information that is only available from within her online banking account. The truth was, they had somehow gained access to her online banking account and were using the information to fool her. The only reason why they couldn't transfer the money themselves is that, as an added security feature, NatWest gives its customers card readers that can only be operated by the account owners.
We can't really blame Mrs. Hudson for thinking that the people on the other end of the telephone line were really NatWest employees. Although some of the details were a bit sketchy, the phone number matched, and they had access to information that your regular run-of-the-mill scammers wouldn't have. She broke out her card reader and processed the transaction. Later, when she called the real NatWest fraud team, she discovered that she had been scammed. Worst of all, she learned that she is unlikely to see her money again.
Sarah Hudson isn't the only victim
iNews.co.uk, the website that publicized Sarah Hudson's story, previously reported on the case of Sophie Briggs who lost an even more substantial £40 thousand (more than $51 thousand). Reports from British financial organizations indicate that in 2017, UK businesses and consumers lost a total of £236 million (a little over $300 million) due to authorized push payment scams.
With large numbers of people being affected by this type of fraud, the movement for new regulations that should protect consumers has been fairly big, and in September, the UK's Payment System Regulator (PSR) announced that an industry code will be implemented in early 2019. According to PSR, it is designed to, among other things, make victims' lives easier and scams more difficult to pull off, though some experts are not sure whether it will be terribly effective.
Indeed, the fact that the Nigerian Prince scams have given way to elaborate, well-thought-out schemes such as the one described above goes to show that fraudsters tend to adapt to the new environment. Unfortunately, they will probably manage to find a way around next year's new industry code as well.