Fraudsters are becoming more sophisticated in the ways they con you out of your precious savings
Unexpected phone calls over the weekends, fake threats of scams, fake bank accounts – they’re all things we need to look out for. But are the banks really doing enough to protect the wary older and tech-eager younger people?
“Old people? T-cha!”
There is a click and a sharp intake of breath. And, of course, an eye roll.
Or even: “Old people and THE INTERNET!”
There’s that click again. And the eyes positively swivel. Because old people – the point at which one actually becomes old is a moveable feast – won’t get with the programme and trust in technology and the banks. Some – doncha know! – are so untrusting that they are taking their money out of banks and leaving it stuffed under their mattress, or in kitchen cupboards, or in the attic.
Apart, that is, from the ones who turn up tearful or – because they are “of another generation” and therefore stoical – dry-eyed and resigned on assorted consumer programmes, to explain they will now end their days in penury. Because they trusted the banks too much.
And they also – silly codgers! – trusted the plausible-sounding villain on the phone who pretended to be their bank, and instructed them to take all their money and deposit it in an account somewhere in the Cayman Islands. For safe-keeping, obviously.
Or maybe they handed over a password. Who knows? Who cares?
It’s all their fault. Us young folks would NEVER be fooled like that.
Except the statistics don’t bear this out. According to the most recent data from a 2017 report by Age UK, online fraud is on the rise – but the largest category of victim by age is people under 55.
In part, that reflects the fact that far more young people use online banking facilities, so there are simply more of them to be victim. In part, though, it reflects a different and more cavalier attitude to data.
As one anti-fraud campaign makes very clear, it doesn’t take a lot of skill to run through an individual’s social media postings to skim a whole load of very interesting data, from debit and credit card numbers to full name, address and date of birth.
Possibly, too, older people are just less willing to own up to having been scammed.
Still, fraud is a thing: an everyday fact of life, and the solution for all of us, young and old alike is to be more careful. Share less. Get smarter with our passwording. Make life more difficult for the bad guys; though we may not eliminate the problem altogether, there’ll be a lot less of it.
Would that she would realise, and be grateful: we are working our socks off, making internet banking safe for Grandma!
At least, that is the message the banks want us to take away. It helps them greatly if those with less to lose take the side of the banks against those with rather more to lose, turning this from an issue of rational risk assessment and corporate failure into one of individual responsibility.
Let’s start with some basics. Full marks to a US organisation, the National Council on Ageing, for their explanation that “financial scams... are devastating to many older adults and can leave them in a very vulnerable position with little time to recoup their losses”.
Nul points to the press representative of a well-known UK charity whose first thought, when asked about the issue, was as above: that it’s all about a tech deficit on the part of older internet users, and expressed surprise when I departed from the standard script.
Let’s dig into that. I don’t wish to suggest that being ripped off is somehow not an issue for younger people, or that all older people are wealthy pension-hoarders, sat Scrooge-like on vast amounts of cash in their bank accounts.
Rather, there are structural reasons why the threat to the older generation is different not just in scale, but also in subjective and real-life impact.
Let’s start with average account holding. According to SunLife, one of the world’s largest and oldest insurance companies, over-55s have an average savings balance of £47,237 – almost double the UK average of £26,180 – while one-fifth of this age group have put away over £100,000.
There are good reasons why this may be the case. As children leave home, the nest becomes empty and many choose to downsize, swapping a larger house for a smaller one, while pension reforms mean many older people now take a chunk of their pension fund as drawdown.
That latter is what first alerted me to this issue, as I, too, recently “semi-retired”. Neither working full-time, nor stopped entirely. However, I have, as many others have done, “crystallised” my pension, transforming it from mystical treasure to pot of cash and drawn a chunk of it for personal use.
That, in turn, has two consequences. First, there is a lot more money sloshing around in my bank accounts than at almost any point in my life before. In time, I will tie some of that down again in various investments – but not via the instant fix of a World Cruise or a ludicrous sports car. (Though I might just splash out on a kitchen makeover.)
Second, that is serious money, not just in terms of amount, but in terms of what it is there for. It must last: it must, in fact, last the rest of my life, which may – according to fate or luck – be anything from a few months to 30 or 40 years.
So this issue is personal for me, and not just because I now fall squarely within the optimal victim demographic. But more of that later.
In October 2017, the BBC’s Rip Off Britain told the sorry story of an older couple impacted by fraud. Jane and Steven Caldwell ran a small business in Lancashire. After some 30 years in teaching, Steven retired and they decided to run a café together. A lump sum from Steven’s pension, and a small inheritance from his father, allowed the couple to pay off debts. Funds were earmarked to help their sons onto the property ladder.
This was not to be. One weekend, Jane answered the phone to a caller claiming to be from a centralised fraud team that works with banks over weekends (that is significant: many banks do not have fraud support on call over weekends, making this prime time for many fraudsters).
He warned Jane that her bank accounts were at risk of being hacked at that very moment. In a panic, Jane made several attempts to verify that the caller was genuine and was persuaded that he was.
He appeared to be calling from her bank’s customer services number. According to Jane, he appeared to be able to view recent transactions on her bank account. When she put the scam call on hold and attempted to call her bank’s customer services number, he was aware of what she was doing.
Convinced that the call was legitimate, Jane transferred £14,000 from the couple’s NatWest accounts and £90,000 from their Nationwide accounts, into a series of new, safe accounts set up in her name by the scammer.
He told her that she would be able to regain access to her funds on the following Monday. Delighted that disaster had so narrowly been averted, the couple opened a bottle of wine that evening to celebrate.
But of course, on Monday they were unable to access the new account, and every single penny of their savings was gone. As far as the banks were concerned, because Jane made the transactions herself, they had no reason to be suspicious and didn’t challenge the transactions as being fraudulent.
The cost of this fraud? In cash terms, just over £100,000. Later, they learned that the Nationwide had managed to halt approximately £24,000 of the transfer. But that still left them out of pocket to the tune of £80,000.
There are other costs. Two young men who now may never get a toe on the housing ladder. A business unlikely to survive, leaving a couple who wanted to contribute to their community poorer and, in years to come, more reliant on the state for support.
Then there is the personal impact. Jane told the programme: “I just felt sick, I had a crushing pain in my chest. I was having full-on panic attacks.”
Steven was outwardly more sanguine. He said: “The fact that the money came from my parents and my pension – it feels very personal. I feel my opportunity to help my children is gone. But I’m trying not to blame Jane, because I know she did what she did to protect it.”
Jane and Steven may come to terms with this disaster – they are relatively young and still have time to recover. The outcome for others, though, is frequently devastating. Poverty. Illness. Divorce: because no matter how hard you try, could you forgive a partner who gave away your pension?
This, though, is to regard the risk in purely monetary terms. There is a second aspect of this issue that banks and financial institutions are keen that people not examine too carefully. And that is perhaps the most uncertain aspect of all: whether your bank will accept that you have been scammed through no fault of your own, and whether they are prepared to compensate you.
Bank reaction to Jane and Steven’s case was par for the course. NatWest “regretted” it. They “deeply sympathised” with the couple’s distress.
Then they shifted gear: fraudsters were becoming increasingly sophisticated. NatWest were proactively educating customers in how to stay safe and secure. Customers should be ever vigilant against unexpected phone calls because, of course, the bank would never ask individuals to transfer money from an account due to security concerns.
Now they’re on a roll, moving smoothly from sympathy to self-promotion, casually informing viewers that they are the only UK bank to partner with National Trading Standards on their Friends against Scams initiative. Tellingly: “Friends Against Scams has been created to tackle the lack of scams awareness by providing information about scams and those who fall victim to them.”
Nationwide chimed in with more sympathy and understanding. And they had reduced the Caldwell’s loss by £24k. Otherwise, the scripts were interchangeable. Security is important. Education – again! – is key; customers need to get with the programme and understand banking procedures better.
That’s them told!
That is probably unfair to NatWest and Nationwide, since the same approach to fraud permeates the entire banking community. Barclays, for instance, will “refund [customers] in full for any transactions that they haven’t authorised – including any interest or charges that may have been incurred”.
However, “while we’ll do our best to protect our customers against fraud, it’s their responsibility to be alert when it comes to scams and tricks. Each situation will be assessed on its individual merits...”
And there’s the rub, as another case makes clear. Sylv is a feisty lady from north London: 75 years young, IT literate and still pursuing an active social life. In September an attempted purchase at the Hepworth Gallery in Wakefield was refused.
Her bank account, which should have contained £6,000, had been emptied over the preceding 24 hours. A further £1,000 – her overdraft limit – was also gone.
This, too, occurred on a Friday. She was able to contact the fraud team on the day it happened, but no significant investigation was possible before the following week. Eventually, after many, many hours on the phone arguing her case, the bank eventually agreed to refund her the money.
Though Sylv suspects she was lucky. The first response by the bank was to suggest she had taken the money herself. That’s a fair question: but Sylv remains unimpressed. She explains: “Both their tone and their attitude were wholly inappropriate to a 75-year-old pensioner who had just suffered significant loss.”
Besides, she wondered if they had simply been hacked and not told customers.
Still, they argued that whoever had taken the money must have had access to Sylv’s passwords and personal information, which, Sylv concedes, seems likely. But she has no idea how that could have happened.
What saved her, in the end, was that the scammer had phoned the bank about a Tesco delivery and its cost, and the bank had passed all of their activities without a squeak. That is, on the phone without passwords or passcodes, it was possible to pass bank security with personal information only.
In other words, the bank was implicated and this, Sylv believes, was a significant factor in their eventual capitulation. Even so, she had to insist that they listen to the recording of that call and compare her voice to the scammer’s before they would act. Otherwise, she suspects, matters might have gone very differently.
Like they did, for example, for a pensioner conned out of £45,000 in savings, or another who lost life savings of £4,000. In both instances, the banks decided that they had contributed to their own downfall, and so that was that.
Talk to fraud victims, and over and over again this seems to be their experience. Many do get their money back. Banks are wise; they know better than to antagonise a demographic that votes often and is influential with the political classes.
But still, the basic principle is flawed – the onus is on victims to prove to organisations (that are significantly more powerful and in every way better resourced than they are) that they are not to blame: that they did not somehow compromise the ramshackle security put in place to safeguard their life savings.
Hence the near universal insistence on customer responsibility and the notion that the best way to stop fraud is to educate customers.
Commenting on the Caldwell’s loss, Dr Steven Murdoch, a banking security researcher at University College London, explained: “In other parts of the world, customer protection laws are much stronger – in America for example, the couple would have had their money back months ago.
“There are many ways that the banks could help reduce these types of fraud, potentially to negligible levels – but they have absolutely no incentive to do so.”
This was echoed by Age UK, giving evidence to a parliamentary inquiry this autumn. They wrote: “We do not see any clear incentive for banks to act where they are not held liable for the loss.”
There are two central issues with banks. Despite all the talk of customer focus and listening, delivering on what customers actually want is the last thing on their minds. They are also pathetically slow to close structural security loopholes.
In respect of the first, witness the continuing closure of local banks. In December 2017, NatWest and Yorkshire Building Society announced significant branch closures. The month before, Lloyds did likewise.
The branch at which I first set up my main current account is now closing. I discovered this, courtesy of a cheerful letter from RBS group talking about how much choice I had and suggesting, apparently, that this was good news. I could now avail myself of phone or internet banking.
Tell that to Sylv and her friends, none of whom are celebrating the demise of the local branch where the fact that you were likely known, in person, to staff provided welcome re-assurance.
Besides, I don’t much want to do either. I dislike the lengthy waiting that attends most phone interactions. And following an episode when first, NatWest customer services, informed me of a glitch in their online security and then, their press office explained that their customer services were in fact misinformed, I have disabled internet banking entirely. To date, I find I hardly miss it.
A factor in that decision is the amount currently sat in my account. Could I not, I asked both NatWest and Lloyds, have one online account for day-to-day transactions and another non-online account for everything else? That way I could spread the risk and, if ever my internet security were compromised, minimise any losses.
Er, no. Or to be precise, “Computer says no”. Because once ONE account is online, EVERY account must be. Why? According to a helpful woman at my local NatWest, no-one has ever asked for such a facility. But I was asking! No: there was no demand. Which is odd, since according to Barclays, they do offer a facility enabling customers to “de-link” their accounts.
I am almost tempted to shift my banking to Barclays: except they, too, are branch rationalising, recently reducing my local branch to loads of machines, and one surviving cashier.
As for bank security, that is, as far as many who work in the IT industry are concerned, a joke. A continuing reliance on passwording is controversial, as is best advice that some banks still manage to deliver with a straight face: that is, passwords ought to be 15 to 20 characters, a mix of upper and lower-case letters, plus numbers and punctuation, preferably not spelling out a real word. They should be different for every account, every online service you use. And they should be changed once a month.
Really? Has anyone ever done that?
Banks have come late to the use of biometrics to confirm identity, relying, instead, on information that is vulnerable to OSINT (open-source intelligence gathering techniques). After all, if a scammer is prepared to hack an individual’s phone, or set up a fake call centre to extract money from a victim, is finding out their mother’s maiden name really an obstacle?
They have come late, too, to dual authentication: that is, to insisting on a second back-up confirmation when large money transfers are requested. Though as some scammers are now developing techniques to intercept text messages to individuals, even that is not entirely secure.
Underlying all of this is banking arrogance. They are so used to “knowing best”, that they cannot conceive that they might be at fault. Which in turn is why the conversation, when a customer suffers significant loss, so often goes the way it does.
An individual with little expertise in financial IT, and who in the hours and days following a major scam may be in serious shock, is asked to prove that they have not compromised their security in any way. In contravention of FSA rules that say the bank should give you the benefit of the doubt unless they can prove otherwise, many banks regard the fact of having been scammed as, itself, evidence of customer wrongdoing.
Yet the record of banks themselves is not good. In the earliest days of ATMs, individuals who reported withdrawals for which they were not themselves responsible frequently found themselves visited by the police – who would accuse them of attempting to defraud the bank. Despite evidence that such cases were misguided, it took many years before banks accepted that customers could be defrauded without being at fault.
However, a recent rise in banks refusing to recompense individuals who have had money taken from their cards suggests that banks have learnt little.
As for “verified by Visa”: this is an accident waiting to happen, condemned at the outset by security experts. Yet banks continue to assert that this means that your online transactions are safe.
The real problem is thatc One friend who works in IT told me recently of her plans to install a serious safe at her property, to keep a few thousand pounds there against the eventuality of banking issues.
As noted above, I am increasingly unwilling to use the internet for banking and – I said this was personal – I am not the average bank customer. For many years I worked on the IT side of finance; for over a decade, I dealt with issues of data security and the horror stories I encountered then made me permanently wary of IT.
So if pensioners and older people decide not to join the rush to internet banking, it is possible they are not quite the Luddites they are being made out to be. Because the risk, and the attitudes of British banks compounding that risk, means that NOT joining in is the truly rational decision. And younger people so enthusiastically, so smugly signing up to new tech solutions may in time come to regret that decision.