Bank scams – don’t bank on your bank to help
Bank scams – don’t bank on your bank to help
Every now and again there is a flurry of concern about fraudsters posing as bank employees, tricking bank customers into providing personal details which are then used to scam them. We see it in the news again this week with banks saying that a scam attempt happens every 15 seconds. [1] Yet questions remain over what the banks are actually doing to minimise opportunities for fraudsters.
This article originally appeared on Fraud Intelligence.
It is standard practice, for example, for banks to call customers on the mobile phone number they hold for them and then, before explaining the reason for the call, say “Can I just as you a few security questions – can you confirm your mother’s maiden name, your date of birth, your first car [, etc.]?” So the ordinary customer provides the information to the bank employee and they accept that is the way it is done. The problem occurs when a fraudster phones a bank client pretending to be from the bank and asking similar questions – how is the customer supposed to tell the difference? Basically they can’t and in many cases, rather than phoning back on a known bank number, they provide the details requested and are then scammed.
This happens because of the ludicrous practice (as outlined above) operated by the banks. Why, if they need to speak to a customer, can they not simply ask them to call back on the number already provided to them and ask for extension whatever? Surely that is better than phoning a client and asking them to divulge confidential information to a caller whom they have no way of knowing is genuine or otherwise?
There is also concern that some banks do nothing to help clients who are the victims of fraud or attempted fraud. In one case, a fraudster entered a retail bank branch claiming to be CEO of a company that has its account with the same bank. He asked to pay in a cheque (which of course later bounced) and at the same time sought to cash a cheque, (ostensibly from the company’s cheque book). In fairness, the teller was suspicious and contacted the relationship manager for the company. He promptly called the CEO and quickly established that he had not been near the bank. It transpired that the cheque number was from a book of sequential numbers that had not at that stage been issued to the company (so there were also issues as to how that cheque had fallen into the hands of the fraudster) and it was a clear case of attempted fraud notwithstanding which the bank refused to allow the CEO to see CCTV footage of the person who had impersonated him and attempted to defraud his company. Nor would they provide sight of the fraudulent cheque with his forged signature – ludicrously citing data protection as a reason not to provide information that could identify the perpetrator to the would-be victim.
In another case, an employee who worked in the Accounts department of a company in London started transferring small amounts (circa £2,000) from the company bank account to his personal account (both accounts held at the same bank). No-one in the company (whose procedures it has to be said were sadly lacking but have now been strengthened) or the bank picked up on this and so he increased the amounts to circa £50,000 per time until he had illicitly transferred over £600,000 from the company account to his personal account over a four-month period before the fraud was discovered. We were retained to investigate but ran into complete intransigence on the part of the bank which refused to provide any information as to the fate of the money stolen from its corporate client. There are two issues here:
- The bank’s procedures failed to spot or flag up extra unexplained credits of substantial sums to the account of an individual whose account hitherto was credited only with his salary (about £2,500 per month);
- When the fraud was discovered the bank did nothing to help the investigation.
In this case, evidence was passed to the Police who successfully prosecuted and the perpetrator was sentenced to 18 months in gaol; however, the victim company has been forced to sue the bank in order to force it to divulge information as to the fate of the stolen money.
The last point with banks is their dogmatic adherence to the policy of providing exactly the same reference for an exemplary employee as one dismissed for fraud or other malpractice, i.e. “In accordance with the bank’s policy we confirm that John Smith was employed in the position of Cashier form date to date”. This allows the fraudster to have the same chance (as the exemplary ex-employee) of being re-employed elsewhere (unless professional pre-employment screening roots out the fact he/she was dismissed).
In conclusion, it is hypocritical for the banks to cry foul when they themselves could do much more to reduce the opportunities for fraudsters who scam bank customers.