We wrote about cybercrime late last year. Little did we know how soon we would come to hear of a live experience. Our friend Peter, a pseudonym, had an unpleasant and stressful experience recently. He was persuaded to pay out a large amount of money that he might never have seen again. The people who tried to persuade him were, he believed at the time, from his bank, a well-known UK high street bank. They told him they were part of the bank’s fraud prevention team.
Peter told us: “I received a call from my bank telling me that my account had been compromised. Some money had been withdrawn that looked suspicious. Was I aware of it?” Peter replied that he did not know anything about it.
What happened next was a highly stressful 48 hours for him. It is worrying for us all. Peter kept extensive notes of all the conversations he had with the people talking to him. This is his story.
“During the initial call, I was suspicious. I asked the caller to verify who he was and how I could trust him. He said his name was Clive Graham and he was a member of the bank’s fraud prevention squad. He asked me to check the number he was calling from on the internet. It was indeed the bank’s fraud prevention hotline.” (Peter read out to us the number that is in use today.)
“After some security questions, ‘Clive’ went on to say that he would immediately freeze my debit card and sent me a text saying that he had done so. I recognised the phone number and the wording of the text from similar texts I had received from my bank and was further reassured.”
In a serious and confidential tone, ‘Clive Graham’ then told Peter that the bank was investigating a possible internal fraud. Members of the fraud team based in another country, he hinted, were pretending to be genuine bank employees but were criminals. As a loyal customer, would Peter help the bank to catch these people?
Peter said he would do whatever he could to help.
“’Clive’ said that, whatever happened, I was not to call the bank’s fraud prevention line,” Peter said. “If I did so, it would immediately alert the internal criminals and my accounts would be permanently at risk. The bank could no longer secure them from attack. He would always call me. I could understand why he said this and agreed,” Peter admitted.
In a series of long conversations, ‘Clive Graham’ then asked Peter to transfer online some money to a fictitious account that the Bank was scrutinising, to trap the account holder and alleged criminal. The amount was exact – £9999.99 – an obvious and easily traced amount, Peter thought. He made the transfer.
‘Clive Graham’ thanked Peter greatly, hinting that, if the criminals were caught, Peter might receive some compensation for his time and trouble. As Peter was being so co-operative, ‘Clive Graham’ would be transferring him to his boss, David Gray, for further action.
‘David Gray’ called a few minutes later.
“David had a strong Scottish accent,” Peter said. “He had the voice and tone that you instinctively trust. His first instruction to me was to agree a secret code that he would use every time he called me to ensure it was him calling. If the voice calling me did not use the code, I was to hang up. I thought this was very efficient and smart.”
That evening, ‘David Gray’ asked Peter to call the bank’s phone banking hotline to authorise the release of funds that had been ‘blocked by the bank’ into another fictitious account. He gave Peter exact instructions about what to say and how to answer the security questions the operative would ask. Peter did so successfully, and the money was transferred – again £9999.99 – to the same account.
The next morning, ‘David Gray’ called as promised using the secret code. Before he could release Peter’s accounts, there were a few things that Peter needed to do to make totally sure that his accounts were not compromised. The bank needed to catch the criminals with evidence. He wanted Peter to go to a nearby branch of the bank and make a transfer by CHAPS.
CHAPS is a high-value payment system, providing efficient settlement, risk-free and irrevocable payments. Transfers can only be done in person at a bank branch. Once made they cannot be reversed.
‘David Gray’ asked Peter to go to a specific branch where he could observe him making the transfer through the bank’s CCTV system. This would aid the prosecution of the criminals. The amount he was to transfer was large, but ‘David Gray’ assured him that it would be back in his account that night.
“I think someone was looking after me,” said Peter. “The first bank I went to was crowded and I would have had to wait too long. ‘David Gray’ was upset. I went to the next bank but could not park my car near enough. ‘David Gray’ was most anxious that I did the transfer before system cut-off time – 1500. So, as I was going to relatives that night, I decided to stop at a branch on the way to them. This branch was closed!”
By now, Peter was even more worried about what he was doing. The amount he was to transfer had got larger. Peter drove to his relatives and told them his story so far. He was worried if he was doing the right thing, despite believing the evidence he had received that the calls were genuine.
His relatives were immediately suspicious and told Peter he was being defrauded. “I told them,” said Peter, “about all the security checks I had made, the code words, the messages and texts I had received.”
“‘Don’t do this transfer, Peter,’ they pleaded. ‘Call the hotline even if it may alert real criminals.’” Peter began to be even more doubtful about what he had done. “’Can you imagine any bank in the world inviting one of its customers – on the phone – to help them investigate a fraud? It’s simply not credible,’ they told me. And of course, they were right. It was this remark more than any other that convinced me I was being defrauded. The scales fell from my eyes, and I realised just how stupid I had been. I was helping a crook take my money out of my accounts! Thank heavens, the logistics of getting to the three branches and a timely visit to my relatives prevented what could have been far worse.”
Fortunately, Peter’s story has a happy ending. When he called the real hotline, his bank was quick, efficient, and understanding. The bank cancelled the fraudulent transfers immediately. They suspended and then reset Peter’s accounts. Everything is back to normal.
“Looking back on the whole thing, I can see small clues that I missed,” said Peter. “The phone lines were very poor. There were long delays. David Gray did not seem to know the nearest bank branch to me. I had to tell him. Everything had to be done in a hurry – or something terrible would happen.
I was anxious all the time and desperately trying to verify that these people were really from the bank. They satisfied me on that every time. But I completely overlooked the obvious! Why would any bank do this with a customer? When you are in the middle of checking security details, you forget your common-sense and the big picture.”
Every bank has very clear guidelines about how to avoid the many different types of fraud. They say exactly what their staff may ask for – and what they will not – and what to do if you are suspicious in any way. How many of us read these guidelines?
Our friend Peter had a bad shock. His self-esteem will be lower for a while. But he was lucky. He did the right thing eventually. Nothing was stolen from him. His self-esteem will return. Others may not be so lucky.
One of them might be you.