First Direct - Security Issue

dcweather

MrFrugalFever said:

Everything we do and say is recorded and noted down somewhere in some fashion. Telling someone your details over the phone who is an official employee of a legitimate financial institute is no more risk than you popping your card details in to Amazon and ordering a birthday present.
if you had plenty of money, you may be a higher risk such as those who are categorised in banks as ‘high net worth’ customers, but as you’re not, i’d assume no employee is going to risk 14 years imprisonment for a couple of G, all of which would be reimbursed by the bank after investigation anyway.

MrFrugalFever said:

Everything we do and say is recorded and noted down somewhere in some fashion. Telling someone your details over the phone who is an official employee of a legitimate financial institute is no more risk than you popping your card details in to Amazon and ordering a birthday present.
if you had plenty of money, you may be a higher risk such as those who are categorised in banks as ‘high net worth’ customers, but as you’re not, i’d assume no employee is going to risk 14 years imprisonment for a couple of G, all of which would be reimbursed by the bank after investigation anyway.

Two points here. 1. I wouldn't make assumptions about the amount of money involved but certainly more than I can afford to lose. 
2. I wouldn't be under any illusion that the Banks will pay back your losses after a fraud. My friend was victim of an evil and highly sophisticated email fraud, albeit 4-5 years ago when these things were less well known and protected. Effectively he was in the middle of a two way email conversation with his son who lived abroad. The emails were discussing him transferring some money to his son as a temporary loan for some building work. His son said he would email him the bank details. All true. At this point his email was hacked and he got the reply "Thanks, dad, really good of you - these are the account details" The only way it could be spotted as fake was one letter different in the senders email address. As he had instigated the conversation he had no suspicions. He transferred a third of his life savings (he is a pensioner). Yes, with hindsight there were a couple of things he might have spotted these days. The next day he spoke to his son by phone and he hadn't received the money. Contacted all banks involved, the police fraud squad, BT email fraud and so on. They basically said "hard luck" you won't see that again. Go forward 18 months and, unbelievably the culprits were caught. A gang of 5 mixed internationals including one English and one Irish before you ask. They were found guilty at the Old Bailey (it made the news) of obtaining 20 million pounds by fraud.  He didn't get a penny back from Lloyds or Santander despite his evidence being used to convict them. The law has been strengthened since then but you can see my extra caution.

eskbanker

dcweather said:

2. I wouldn't be under any illusion that the Banks will pay back your losses after a fraud. My friend was victim of an evil and highly sophisticated email fraud, albeit 4-5 years ago when these things were less well known and protected. Effectively he was in the middle of a two way email conversation with his son who lived abroad. The emails were discussing him transferring some money to his son as a temporary loan for some building work. His son said he would email him the bank details. All true. At this point his email was hacked and he got the reply "Thanks, dad, really good of you - these are the account details" The only way it could be spotted as fake was one letter different in the senders email address. As he had instigated the conversation he had no suspicions. He transferred a third of his life savings (he is a pensioner). Yes, with hindsight there were a couple of things he might have spotted these days. The next day he spoke to his son by phone and he hadn't received the money. Contacted all banks involved, the police fraud squad, BT email fraud and so on. They basically said "hard luck" you won't see that again. Go forward 18 months and, unbelievably the culprits were caught. A gang of 5 mixed internationals including one English and one Irish before you ask. They were found guilty at the Old Bailey (it made the news) of obtaining 20 million pounds by fraud.  He didn't get a penny back from Lloyds or Santander despite his evidence being used to convict them. The law has been strengthened since then but you can see my extra caution.

But that's an entirely different scenario - the issue being discussed in this thread is the prospect of a bank employee going rogue.  It's completely understandable that banks will be reluctant to reimburse customers caught up in frauds perpetrated by third parties (although as you recognise things have changed on that front too) but I'd be astonished if a bank wasn't held accountable if one of their employees defrauded a customer by misusing data gained in the course of that employment....

dcweather

eskbanker said:

dcweather said:

2. I wouldn't be under any illusion that the Banks will pay back your losses after a fraud. My friend was victim of an evil and highly sophisticated email fraud, albeit 4-5 years ago when these things were less well known and protected. Effectively he was in the middle of a two way email conversation with his son who lived abroad. The emails were discussing him transferring some money to his son as a temporary loan for some building work. His son said he would email him the bank details. All true. At this point his email was hacked and he got the reply "Thanks, dad, really good of you - these are the account details" The only way it could be spotted as fake was one letter different in the senders email address. As he had instigated the conversation he had no suspicions. He transferred a third of his life savings (he is a pensioner). Yes, with hindsight there were a couple of things he might have spotted these days. The next day he spoke to his son by phone and he hadn't received the money. Contacted all banks involved, the police fraud squad, BT email fraud and so on. They basically said "hard luck" you won't see that again. Go forward 18 months and, unbelievably the culprits were caught. A gang of 5 mixed internationals including one English and one Irish before you ask. They were found guilty at the Old Bailey (it made the news) of obtaining 20 million pounds by fraud.  He didn't get a penny back from Lloyds or Santander despite his evidence being used to convict them. The law has been strengthened since then but you can see my extra caution.

But that's an entirely different scenario - the issue being discussed in this thread is the prospect of a bank employee going rogue.  It's completely understandable that banks will be reluctant to reimburse customers caught up in frauds perpetrated by third parties (although as you recognise things have changed on that front too) but I'd be astonished if a bank wasn't held accountable if one of their employees defrauded a customer by misusing data gained in the course of that employment....

eskbanker said:

dcweather said:

2. I wouldn't be under any illusion that the Banks will pay back your losses after a fraud. My friend was victim of an evil and highly sophisticated email fraud, albeit 4-5 years ago when these things were less well known and protected. Effectively he was in the middle of a two way email conversation with his son who lived abroad. The emails were discussing him transferring some money to his son as a temporary loan for some building work. His son said he would email him the bank details. All true. At this point his email was hacked and he got the reply "Thanks, dad, really good of you - these are the account details" The only way it could be spotted as fake was one letter different in the senders email address. As he had instigated the conversation he had no suspicions. He transferred a third of his life savings (he is a pensioner). Yes, with hindsight there were a couple of things he might have spotted these days. The next day he spoke to his son by phone and he hadn't received the money. Contacted all banks involved, the police fraud squad, BT email fraud and so on. They basically said "hard luck" you won't see that again. Go forward 18 months and, unbelievably the culprits were caught. A gang of 5 mixed internationals including one English and one Irish before you ask. They were found guilty at the Old Bailey (it made the news) of obtaining 20 million pounds by fraud.  He didn't get a penny back from Lloyds or Santander despite his evidence being used to convict them. The law has been strengthened since then but you can see my extra caution.

But that's an entirely different scenario - the issue being discussed in this thread is the prospect of a bank employee going rogue.  It's completely understandable that banks will be reluctant to reimburse customers caught up in frauds perpetrated by third parties (although as you recognise things have changed on that front too) but I'd be astonished if a bank wasn't held accountable if one of their employees defrauded a customer by misusing data gained in the course of that employment....

eskbanker said:

dcweather said:

2. I wouldn't be under any illusion that the Banks will pay back your losses after a fraud. My friend was victim of an evil and highly sophisticated email fraud, albeit 4-5 years ago when these things were less well known and protected. Effectively he was in the middle of a two way email conversation with his son who lived abroad. The emails were discussing him transferring some money to his son as a temporary loan for some building work. His son said he would email him the bank details. All true. At this point his email was hacked and he got the reply "Thanks, dad, really good of you - these are the account details" The only way it could be spotted as fake was one letter different in the senders email address. As he had instigated the conversation he had no suspicions. He transferred a third of his life savings (he is a pensioner). Yes, with hindsight there were a couple of things he might have spotted these days. The next day he spoke to his son by phone and he hadn't received the money. Contacted all banks involved, the police fraud squad, BT email fraud and so on. They basically said "hard luck" you won't see that again. Go forward 18 months and, unbelievably the culprits were caught. A gang of 5 mixed internationals including one English and one Irish before you ask. They were found guilty at the Old Bailey (it made the news) of obtaining 20 million pounds by fraud.  He didn't get a penny back from Lloyds or Santander despite his evidence being used to convict them. The law has been strengthened since then but you can see my extra caution.

But that's an entirely different scenario - the issue being discussed in this thread is the prospect of a bank employee going rogue.  It's completely understandable that banks will be reluctant to reimburse customers caught up in frauds perpetrated by third parties (although as you recognise things have changed on that front too) but I'd be astonished if a bank wasn't held accountable if one of their employees defrauded a customer by misusing data gained in the course of that employment....

Yes I understand all that thanks, I was just giving people a bit of a heads up based on personal experience but it wasn't meant to be part of this thread, just somebody else raised reimbursement after fraud. By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  Anyway all set up now after the most long winded and cumbersome system of any financial institution I'v encountered. Don't bother if you are not IT and Smart phone savvy. It involves telephone set up with passwords and security questions followed by setting up a phone app with a different passwords to generate digital keys for your on line banking entry which requires another password different to your telephone,  and on line one! Perhaps they feel guilty knowing they read out your passswords in what is presumably an open office environment! Anyway, main thing - got my £100 switch :-)

eskbanker

dcweather said:
By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.

It's a facile argument to try to correlate a personal opinion about the profitability of banks with legal liabilities for compensating fraud victims!  It's also way too simplistic to assume that banks were negligent every time, so holding companies accountable for matters beyond their control (such as 'man in the middle' email fraud) would never wash, although the (voluntary) APP scam code has gone some way to addressing areas that banks can legitimately be expected to control, as has the introduction of Confirmation of Payee....

born_again

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

dcweather

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

It would be nice if it were that simple - especially back 5 years or so ago.I just hope it doesn't happen to you. But just try and place yourself in a situation maybe like this:- Your daughter rings you from a holiday in America and tells you your grandchild has been knocked down in a road accident and is having specialist treatment in hospital. The fees are $10,000. She is stricken with fear and asks if you would temporarily pay the fees. Of course you say yes and so as you don't know them, she offers to send you her bank's details so you can transfer the money and she can pay the hospital by credit card. She sends you the details as agreed and you then make the transfer to her account. All as expected. She replies with "thanks dad, you're the best". It later transpires that her email account had got hacked, her mail was intercepted and replaced with a different account.You hadn't spotted that the new email had one lower case letter added to it. Too late , you just lost $10,000. Yes, you made a mistake but you were stressed and everything seemed perfectly legitimate. That's pretty much what happened to my friend. Incidentally Lloyds Bank took no immediate action after being informed of the fraud despite the receiving account not being closed till more than 24 hours after the fraud was reported. And I'm supposed to have sympathy with the Bank on not my "stupid" friend? 

Shakin_Steve

dcweather said:

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

It would be nice if it were that simple - especially back 5 years or so ago.I just hope it doesn't happen to you. But just try and place yourself in a situation maybe like this:- Your daughter rings you from a holiday in America and tells you your grandchild has been knocked down in a road accident and is having specialist treatment in hospital. The fees are $10,000. She is stricken with fear and asks if you would temporarily pay the fees. Of course you say yes and so as you don't know them, she offers to send you her bank's details so you can transfer the money and she can pay the hospital by credit card. She sends you the details as agreed and you then make the transfer to her account. All as expected. She replies with "thanks dad, you're the best". It later transpires that her email account had got hacked, her mail was intercepted and replaced with a different account.You hadn't spotted that the new email had one lower case letter added to it. Too late , you just lost $10,000. Yes, you made a mistake but you were stressed and everything seemed perfectly legitimate. That's pretty much what happened to my friend. Incidentally Lloyds Bank took no immediate action after being informed of the fraud despite the receiving account not being closed till more than 24 hours after the fraud was reported. And I'm supposed to have sympathy with the Bank on not my "stupid" friend? 

In my view, the crime you described is no different to being mugged in the park. It was theft, pure and simple, and there was/is no way that a bank could mitigate such an occurrence. 

An email account was hijacked, none of the banks systems were at fault.

soolin

dcweather said:

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

It would be nice if it were that simple - especially back 5 years or so ago.I just hope it doesn't happen to you. But just try and place yourself in a situation maybe like this:- Your daughter rings you from a holiday in America and tells you your grandchild has been knocked down in a road accident and is having specialist treatment in hospital. The fees are $10,000. She is stricken with fear and asks if you would temporarily pay the fees. Of course you say yes and so as you don't know them, she offers to send you her bank's details so you can transfer the money and she can pay the hospital by credit card. She sends you the details as agreed and you then make the transfer to her account. All as expected. She replies with "thanks dad, you're the best". It later transpires that her email account had got hacked, her mail was intercepted and replaced with a different account.You hadn't spotted that the new email had one lower case letter added to it. Too late , you just lost $10,000. Yes, you made a mistake but you were stressed and everything seemed perfectly legitimate. That's pretty much what happened to my friend. Incidentally Lloyds Bank took no immediate action after being informed of the fraud despite the receiving account not being closed till more than 24 hours after the fraud was reported. And I'm supposed to have sympathy with the Bank on not my "stupid" friend? 

I do like to see how scams work so that I can spot new variations but I don't understand this one.

Between your daughter phoning you and you getting the fake email- how did the hacker manage to be right by your daughter when she made the call, know how her email account details 'looked' and managed to get an email to you before the real one that your daughter sent?  Or are you saying that it wasn't your daughter on the phone and just someone that knew all her email details . knew she had a child and could mimic her voice?

Also nowadays you would need to confirm before making such a large transfer that the payee was correct, so the hacker now would also have to ensure they had time to set up an account that exactly replicated the one in your daughters name . I have an account with HSBC and struggle even to send known people any money as I don't always know exactly what name their account is in- I tried setting up a new transfer to myself at a different bank and failed the initial attempt as I had put my name in full whereas the new bank had used initials and a surname - 

born_again

dcweather said:

It would be nice if it were that simple - especially back 5 years or so ago.I just hope it doesn't happen to you. But just try and place yourself in a situation maybe like this:- Your daughter rings you from a holiday in America and tells you your grandchild has been knocked down in a road accident and is having specialist treatment in hospital. The fees are $10,000. She is stricken with fear and asks if you would temporarily pay the fees. Of course you say yes and so as you don't know them, she offers to send you her bank's details so you can transfer the money and she can pay the hospital by credit card. She sends you the details as agreed and you then make the transfer to her account. All as expected. She replies with "thanks dad, you're the best". It later transpires that her email account had got hacked, her mail was intercepted and replaced with a different account.You hadn't spotted that the new email had one lower case letter added to it. Too late , you just lost $10,000. Yes, you made a mistake but you were stressed and everything seemed perfectly legitimate. That's pretty much what happened to my friend. Incidentally Lloyds Bank took no immediate action after being informed of the fraud despite the receiving account not being closed till more than 24 hours after the fraud was reported. And I'm supposed to have sympathy with the Bank on not my "stupid" friend? 

It begs a couple of questions.
Was the daughter on holiday at that time?
Why no travel insurance?
Why did they not already have daughters account details on account already? 
Why was she not using the CC in the 1st place. As you can not put a CC in a credit balance.
Why not take the details over the phone (text) or write them down.

These people work on the basis that people will not double check the details. But that is where people need to stop & think. Taking a deep breath & few mins out to check, before jumping in and moving money. It will not make any difference at the end. 


How did the email account get hacked at just that point. Or is the whole story a work of fiction by the scammer? Which is a well know one.

Well end of the day who you have sympathy with is up to you, but you (and the rest of us) are paying for the fact someone did not do their due diligence...

It's not about being heartless, it about being realistic. Stop, Think & Check. Not just act.

Perhaps we need to go back to 3 day banking payments. Stops these scams in their tracks.

Tokmon

dcweather said:

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

born_again said:

dcweather said:By the way I absolutely would expect Banks to compensate customers victim of a proven criminal act. Drop in the ocean to them.  

Even when the customer has failed to take heed of advice given by the banks such as "We will never ask you to transfer funds to a safe account"
There are so many known & well publicised scams now, that people keep falling for and when asked about them, say "Oh Yes, I know about that", but i was in a rush so just did as they asked....

People really need to take responsibility for their actions and not expect business to pick up the tab for their lack of security.

Totally agree on the FD app etc. Nightmare is the only way to describe setting it up. And a hint going forward. If you change phones, don't just delete or transfer the app over. You need to deactivate the digital secure key 1st before you do anything.. Or you are back into the world of pain...

It would be nice if it were that simple - especially back 5 years or so ago.I just hope it doesn't happen to you. But just try and place yourself in a situation maybe like this:- Your daughter rings you from a holiday in America and tells you your grandchild has been knocked down in a road accident and is having specialist treatment in hospital. The fees are $10,000. She is stricken with fear and asks if you would temporarily pay the fees. Of course you say yes and so as you don't know them, she offers to send you her bank's details so you can transfer the money and she can pay the hospital by credit card. She sends you the details as agreed and you then make the transfer to her account. All as expected. She replies with "thanks dad, you're the best". It later transpires that her email account had got hacked, her mail was intercepted and replaced with a different account.You hadn't spotted that the new email had one lower case letter added to it. Too late , you just lost $10,000. Yes, you made a mistake but you were stressed and everything seemed perfectly legitimate. That's pretty much what happened to my friend. Incidentally Lloyds Bank took no immediate action after being informed of the fraud despite the receiving account not being closed till more than 24 hours after the fraud was reported. And I'm supposed to have sympathy with the Bank on not my "stupid" friend? 

If she sends and email from her email account to another the email will go through. Even if the hacker has access to her email account there is no way for them to stop that email once it has been sent so they would have to send an additional one with different bank details which should raise suspicions. 
When you say the email had "one lower case letter added to it" i assume you mean it was actually sent from a different email address but similar. But this would be very unlikely because if the scammer had access to her email account they could just send the email from here genuine email, if they didn't have access then they wouldn't know about bank details being sent at all so couldn't carry out the scam. 

Even if we ignore all the inconsistencies with the email in this story; if this happened then the person sending the money would be very concerned and would want to make sure the money arrived correctly so would take extra care. Plus the fact they will treat first and charge after then there isn't a big rush to send the money.  
You also mention that she is paying the bill by credit card, so she wouldn't need the money transferred at all in that case as you don't load a credit card with money.

Then when you add all the things people have mentioned about travel insurance etc this story has more holes in it than a block of swiss cheese!.