Scammers Swindled Money out of 85,000 Banking Customers in the UK Last Year

Authorized Push Payment Scam in the UK

How much trouble can a harmless tweet get you in? As it turns out, quite a lot. In fact, it can turn you into a target for criminals who will try to steal thousands from you. The UK's Guardian newspaper recently told the story of a banking customer who fell victim to a scam that started with an innocent reply on the world's favorite microblogging platform. That customer, whom The Guardian called Michael Johnson, is just one of the 85,000 British individuals who lost a total of £354 million (about $449 million) to fraud in 2018, but it must be said that the scheme he was targeted by turned out to be particularly sophisticated.

The tweet

Johnson was a customer of the British Metro Bank, and he wasn't especially happy. He and his business partner needed to open a new business account at Metro, but despite the fact that Johnson was already a customer, the bank wasn't proving especially cooperative, and what should have been a simple process was taking a long time. The frustration had already built up when Johnson's business partner noticed a tweet from Metro Bank's social media team asking for feedback on how the bank was doing. She decided to reply and explain what she and Johnson had been put through.

Shortly afterwards, she received a call from what appeared to be Metro Bank's customer service department. The person on the other end of the line (who introduced himself as "Neill") told her that he had seen her tweet, apologized for the inconvenience the bank might have caused, and promised to help fix the problem as quickly as possible.

The call

Because Michael Johnson was the one who already had an account with Metro, solving the issue involved talking to him. His business partner saw no problem with giving "Neill" some more details, and she kept her fingers crossed that the account would finally be set up.

When Johnson's phone rang, the caller ID showed Metro Bank's customer service number, and after he picked up, he was left with the impression that the person he was talking to was actually rather good at providing quality customer service. In fact, according to Johnson, "Neill" "was excellent all the way through".

The conversation certainly sounded legitimate. "Neill" performed all the expected security checks. He asked the right questions, and he put the call on hold several times, supposedly to ensure that everything was as it should be. Despite his three decades of experience as a chartered accountant, Michael Johnson failed to spot anything suspicious.

Shortly after his communication with "Neill" had ended, however, Johnson received yet another call from Metro Bank's customer service team. This time, it wasn't "Neill". It was a real customer service agent who told Johnson that he had been scammed out of £9,200 (about $11,660).

The scam

"Neill" was completely honest when he said that he had noticed the tweet sent by Johnson's business partner. He saw the opportunity and set about doing some reconnaissance around Johnson's business. The conversation with the business partner gave him some additional details, and by the time he was ready to talk to Johnson, he had everything he needed.

"Neill" had done his homework. He spoofed Metro's real customer service number, and Johnson recalled that he used all the right terminology. He was also careful not to ask for the full login credentials – an all too common mistake made by crooks like "Neill". By asking for a few characters at a time, however, the scammer managed to piece together Johnson's password, and his social engineering skills helped him get his hands on the two-factor authentication codes that were sent by SMS. "Neill" claimed that he needed all that information in order to transfer the payees from the old account to the new one, but in reality, he was using it to steal Johnson's money.

"Neill" did make one mistake – he called Metro Bank's customer service number, impersonated Johnson, and asked when the money would go through. The bank got suspicious and, after confirming the fraud, tried to stop the transactions. Despite this, Metro's team initially said that they had managed to intercept only £2,400 (around $3,000) of the stolen funds. Johnson was told that he'd never see the rest of the money again, but after The Guardian started asking questions, the entire sum was returned to his account.

Authorized push payment fraud – a ruthless scam that is difficult to protect against

When their customers get scammed, banks have an active interest in trying to help out and ensure a more solid and long-lasting business relationship. The fact of the matter is, however, that Johnson got his money back only because of The Guardian's microphones and cameras.

What we described above can be classified as authorized push payment (APP) fraud. It's a relatively new type of financial scam, and one of the first things you need to know about it is that while you're likely to get your money back if someone compromises your credit card, there are few rules and regulations that can protect you if you're the victim of an authorized push payment scam.

The logic is that if you are successfully targeted by an authorized push payment scam, you are the one authorizing the payment, which means that you've only got yourself to blame. Some might say that this is a cruel thing to say. Others will argue that banks can't just reimburse anyone who claims to have inadvertently fallen for a social engineering trick.

The fact of the matter is, however, that as the statistics from our first paragraph show, authorized push payment fraud is thriving, and the attack against Michael Johnson can serve as proof that the scammers are getting more and more sophisticated. As a result, staying out of harm's way is becoming harder, and unfortunately, there is no algorithm or to-do list that, once completed, will guarantee your security. Of course, this doesn't mean that you can't stay safe.

We've often talked about how all emails should be treated with suspicion. The same skepticism should be applied to incoming phone calls as well, especially when they supposedly come from the institution tasked with taking care of your money. The moment you see something suspicious, hang up, call the bank yourself on a number you trust, and make sure that everything is fine. You should realize that, generally speaking, relaying sensitive information over the phone is not a brilliant idea, and you must learn not to let a customer service agent's sweet talk get to you.

May 29, 2019