My son fell for an Authorised Push Payment scam via Revolut

rgb68

On Saturday afternoon my son got a call from what he thought was RBS.
The fraudsters convinced him to transfer £600 and £400 from his RBS current account to his Revolut account i.e. all the money he had. From his Revolut account, £750 was sent to Coinbase and £300 to Transak, which I think are both connected with cryptocurencies. He didn't realise we was sending money to these from Revolut but thinks there were some notifications that appeared on the Revolut app that he approved. This all happened over 40 minutes, he quickly realised he was scammed and is kicking himself for falling for this. He was reported it to Action Fraud and contacted Revolut who were less than helpful.

I understand that reimbursements from APP fraud should be easier now since last month, but not sure what to do.

I was hoping someone might have some advice on how to proceed. 

eskbanker

https://help.revolut.com/help/security-logging-in/authorised-push-payment/ explains the way they deal with these - if he didn't succeed in getting them to recognise and understand what happened then he needs to keep trying until he finds one of their employees who understands their new statutory obligations, as nobody else can sort this out for him....

jimjames

rgb68 said:

From his Revolut account, £750 was sent to Coinbase and £300 to Transak, which I think are both connected with cryptocurencies.. 

When you say "was sent", do you mean "he sent"? Or had the fraudsters got control over his Revolut account? Money doesn't move without being instructed so someone must have triggered it.

rgb68

jimjames said:

rgb68 said:

From his Revolut account, £750 was sent to Coinbase and £300 to Transak, which I think are both connected with cryptocurencies.. 

When you say "was sent", do you mean "he sent"? Or had the fraudsters got control over his Revolut account? Money doesn't move without being instructed so someone must have triggered it.

I got a few more details. They convinced him the money transferred to Revolut needed to be transferred to his RBS savings account so that RBS could "track the money and it was insured" and they would arrange that. He gave them his Revolut card number and 3 digit CVV number and accepted the notifications. So I guess they used his card details to make purchases on Coinbase and Transak which he then unwittingly approved. That might explain why there was no obvious warnings.

eskbanker

rgb68 said:
He gave them his Revolut card number and 3 digit CVV number and accepted the notifications. So I guess they used his card details to make purchases on Coinbase and Transak which he then unwittingly approved. That might explain why there was no obvious warnings.

It also explains why Revolut aren't accepting it as an APP claim, because that only applies to bank transfers, not debit card purchases.

1957DfurdPensionist

rgb68 said:

On Saturday afternoon my son got a call from what he thought was RBS.
The fraudsters convinced him to transfer £600 and £400 from his RBS current account to his Revolut account i.e. all the money he had. From his Revolut account, £750 was sent to Coinbase and £300 to Transak, which I think are both connected with cryptocurencies. He didn't realise we was sending money to these from Revolut but thinks there were some notifications that appeared on the Revolut app that he approved. This all happened over 40 minutes, he quickly realised he was scammed and is kicking himself for falling for this. He was reported it to Action Fraud and contacted Revolut who were less than helpful.

I understand that reimbursements from APP fraud should be easier now since last month, but not sure what to do.

I was hoping someone might have some advice on how to proceed. 

Hang on, do hang on a moment here!   Sorry this is a relatively old thread but it is about a very topical current problem. Which bank's customer intiated the first APP described in this thread - sounds to me like there were two, one of which was pushed by the fraudsters but not under their direct control (from RBS current account to Revolut account), and then back from Revolut to RBS Savings account which was of course under fraudsters control if they requested whilst impersonating RBS and were given Revolut card details to move the money back "safety" in the RBS savings account?

I have seen various interpretations of the October 2024 duties - I have heard of this "bank transfers" not "card transactions" distinction but I noted that Revolut's interpretation on one of their webpages made no such distinction, and that it was inconsistent with a very similar different Revolut webpage.

I believe the intention of the law change was to cover all similar types of APP - it shouldn't matter what kind of authorisation it is, the core of the matter is that all of these authorised cases are pushed by fraudsters.  Otherwise  what is the rationale behind lawmakers leaving a mighty apparent loophole for fraudsters to exploit as in this case?

eskbanker

1957DfurdPensionist said:
I have seen various interpretations of the October 2024 duties - I have heard of this "bank transfers" not "card transactions" distinction but I noted that Revolut's interpretation on one of their webpages made no such distinction, and that it was inconsistent with a very similar different Revolut webpage.

I believe the intention of the law change was to cover all similar types of APP - it shouldn't matter what kind of authorisation it is, the core of the matter is that all of these authorised cases are pushed by fraudsters.  Otherwise  what is the rationale behind lawmakers leaving a mighty apparent loophole for fraudsters to exploit as in this case?

It's quite clear what it and isn't in scope of the new regulations:

Covered:

• Payments made within the UK. You are not covered for a payment sent overseas.
• Payments made using Faster Payments.
• Payments made using CHAPS.
• Payments from personal bank accounts and payments made by micro-enterprises and certain charities.

Your bank may have different rules and processes if you are sending money within the same organisation. They will make you aware of this if the rules are different.

Not covered:

There are some situations where you won’t be able to get your money back under this reimbursement scheme. This includes if:

• You paid using cash, a cheque, or a credit, debit, or prepaid card.
• You paid using a payment system not covered under this scheme.
• It’s a civil dispute: for example, if you’ve paid a genuine retailer or business but you aren’t satisfied with the product or service you’ve received.
• You have acted fraudulently yourself – including if you have lied or misrepresented your circumstances for financial gain.
• It’s a payment you have made to another account that you control.
• The payment you made is unlawful: for example, if the payment was for an illegal item.
• It is a payment to and from an account with a credit union, municipal bank, or a national savings bank (state-owned savings bank in the UK).

Remember, you may have reimbursement options under other rules, so always seek advice.

https://www.ukfinance.org.uk/authorised-push-payment-fraud-reimbursement

It's only ever been about direct bank transfers, since the days of the voluntary code that preceded this wider implementation, so it's not a loophole that other payment methods aren't included, it's by design - there are already other mechanisms that protect card payments, including preventative ones such as the requirement for 2FA and also chargeback for after the event.

1957DfurdPensionist

It may be clear to you @eskbanker, but with Revolut and other challenger banks, especially those deliberately operating beyond the confines of previous what we might call legacy mechanisms, payment methods and standards, it is far from clear to me that these regulations are effectively designed, implemented or regulated everywhere.  When is a card not a card for example?  Revolut, like many card providers strongly propounds the use of one-time virtual numbers instead of numbers on a card, even whilst any physical card is temporarily or long-term frozen for example.  When used, the virtual details facilitate a transfer from a bank account which seems to be able to contain multiple currencies and not just one currency.  Is a Revolut card, or one-time set of virtual numbers still a debit card?  I would say the physical card is simply a payment card provided by a "bank" which is not a credit card, and the virtual numbers serve merely as a one-time payment authentication "code" not "card" 

A telephone number can also be used to transfer funds between Revolut accounts or a unique Revolut username.  So many ways to make the money move out of your "bank" account, eh?  Are they not all "bank transfers"?  We seem to be dancing on a pin if still trying to argue they are not!

What is Revolut Pay?  It is not a card transaction, is it?  So how does a merchant benefit from using it to get paid?  The merchant may long have contracted with a third party intermediary payment service provider of their own (a bit like those that provided the means and the machine to receive card payments in the dim distant past).  Thesedays a third party such as Stripe might be used to process a one click Revolut Pay type online transaction, I believe?  Is that a bank transfer?  Is two factor authentication involved?  Why is 2FA relevant in a discussion about APP? Even if it was 10FA, if the victim authorised it upon being pushed to pay by a fraudster, then it is still APP fraud, right?  Which party is responsible for APP reimbursement after payment through semi-opaque intermediaries like Stripe?  Would the only means for getting a refund via Revolut normally be via a chargeback?

DullGreyGuy

1957DfurdPensionist said:

It may be clear to you eskbanker, but with Revolut and other challenger banks, especially those deliberately operating beyond the confines of previous what we might call legacy mechanisms, payment methods and standards, it is far from clear to me that these regulations are effectively designed, implemented or regulated everywhere.  When is a card not a card for example?  Revolut, like many card providers strongly propounds the use of one-time virtual numbers instead of numbers on a card, even whilst any physical card is temporarily or long-term frozen for example.  

But they're not, it's mainly smoke and mirrors. 

They are a small company, by global banking standards. They can do something novel within their own space but when you are talking about making payments etc you are talking about interacting with over 30,000 different other banks around the globe, hundreds millions of different companies that accept cards and all need to use unified systems for it to work.

Revolt was founded in 2015. A decade earlier my US bank offered virtual credit cards and one time use card numbers. In the US where consumer protection is much less, these sorts of things have been common for much longer. However, they are simply a "card", they use the standard Mastercard/Visa network and work like a regular card issued by a long established bank.

Dont believe the propaganda 

The concepts of ApplePay and GooglePay are much more revolutionary but then you are talking about the 1st and 4th largest companies globally by market capitalisation who do have the influence and money to actually change how the global banking system works but even then they are relatively modest nudges compared to other industries.

eskbanker

1957DfurdPensionist said:

It may be clear to you @eskbanker, but with Revolut and other challenger banks, especially those deliberately operating beyond the confines of previous what we might call legacy mechanisms, payment methods and standards, it is far from clear to me that these regulations are effectively designed, implemented or regulated everywhere.

My answer was specifically in the context of the APP scam regulations and how they're defined to apply to Faster Payments or CHAPS but not 'cash, a cheque, or a credit, debit, or prepaid card'.

Although the generic material doesn't address the Revolut direct transfer mechanism ("Your bank may have different rules and processes if you are sending money within the same organisation. They will make you aware of this if the rules are different"), this is clarified within the Revolut link I shared earlier:

What types of payment are eligible?

• Payments made to a UK account number and sort code
• Instant fiat currency (GBP, EUR, etc.) transfers from your UK Revolut account to another Revolut account

However, OP conceded that their son did pay by debit card, hence my 21 November post above....

1957DfurdPensionist

Having worked for a global bank myself in the dim distant, I appreciate it is hard for those brought up with old ideas to take on board nuances of the very varied payment services now developing further in previously unthought of (or thought impossible) ways every day.  In the same way fraud is developing ahead of the new services.

But back to basics, if I have understood everything correctly, the first post described how money in an RBS current account was "pushed" by fraudsters as a payment to Revolut (no doubts so far?) almost certainly as a Faster Payment.  It was authorised and conducted in the normal way by the victim and no direct access to RBS was given to the fraudsters.

Stage 2 of the fraud was to "push" the same money from Revolut back to RBS but to the "safety" of a savings account.  In that case card no. and CVV were given to the fraudsters in exactly the same way one might ordinarily give such detail to RBS to credit an RBS credit card account perhaps?  So nothing stupid about the OP's son doing that when he thought he was talking to RBS.  That was another authorised push payment, but some contributing forumites have used all their energy on arguing Stage 1 as disbarred from regulatory scope, and even describing the OP as "conceding" something thereby seemingly taking sides with or even seemingly making representative statements on behalf of the not so empathetic UK banking industry.  Are we agreed so far?

So, take a deep breath and chill a bit ... is there any APP we might suggest can be reimbursed under the seemingly flakey October 2024 regulations and implementations here?  Can anyone tell us why Stage 1 cannot be dealt with by RBS fraud department as bog-standard APP?  Afterall, it was an RBS customer who kept all his money with RBS who was being targeted and the fraudsters were impersonating RBS throughout in order to get their greedy mits on it all one way or another.  Agreed?