Victims of unexplained fraud may have been deliberately targeted by bank staff who prey on customers with unmonitored accounts, experts have warned.
“Inside jobs” are becoming an increasing problem for banks, particularly at outsourced call centres. Many Times Money readers who have been victims of fraud say that their bank has refused to refund the money. “Inside fraud is a common problem,” Ross Anderson, a professor of security engineering at the University of Cambridge, says. “Banks sack maybe 1 per cent of their staff every year, mostly for small-time embezzlement.”
There are several court cases rumbling on that involve bank staff and fraud. Karl Edwards, a former bank manager for the Hagley Road, West Midlands, branch of Barclays, and Andrew Waters, a former employee of the same bank’s Croydon branch, have been charged with two counts of conspiracy. The prosecution alleges that the two men joined false names to wealthy customers’ accounts and withdrew £1.3 million. Both men deny the charges and are due to face retrial, along with three others, later this year.
There are many ways that staff could potentially defraud customers — for example, by ordering a new card and PIN without the customer’s knowledge and using this to withdraw money near the victim’s home. In this situation, banks may refuse to refund the money because, if the correct card and PIN is used, it is very difficult to prove that the transaction was fraudulent.
“Fraudsters will deliberately target inattentive people — for example, those who only receive annual statements, elderly people who are perhaps easily confused, or those who rarely use their accounts,” Mr Anderson says. “That is why it is so important to check your account regularly for suspicious activity.”
As well as bank branch staff, consumers may also be at risk from staff who work in outsourced call centres. Last December an employee of the Student Loans Company (SLC), who worked at an outsourced call centre in Glasgow, allegedly obtained 24 students’ bank account details and gained thousands of pounds from two of them. A spokeswoman for the SLC said that the students were reimbursed and the matter has been reported to Strathclyde Police.
Cameron Ross, of Veritape, which provides call-recording software, says: “Data theft from call centres is an increasing problem — not only for banks, but for any company handling customers’ financial information. All a fraudster needs for a spending spree is a person’s card number and three-digit security code.
“Centres are supposed to ensure that staff cannot leave the building with customers’ details, and that call recordings do not contain customers’ sensitive data. However, most UK call centres are not compliant with these guidelines.”
Nicholas Percoco, of Trustwave, an information security company, says that data breaches are a big concern for banks. “If a bank employee is being tapped by an organised crime group, they may pay that employee, say, £5,000 to install spyware software that can capture customers’ names, addresses and credit card details,” he says. “This could be done very quickly and is very hard to detect.”
Many victims of fraud complain that their bank does not explain how or why fraud occurred on their account, leaving them wondering if it was an inside job. They also say that banks appear unwilling to report fraudsters to the police.
Ronnie Menassa, 29, set up the website abbeyfraud.com after he fell victim to systematic fraud on his business account. Somebody set up numerous direct debits and standing orders, and the bank froze his account only when the fraudster tried to withdraw £32,000 in one go.
“It was so frustrating because Abbey [now Santander] may have known who was setting up these payments,” he says. “Either Abbey could not be bothered to follow it up or something more sinister was going on.”
Mr Menassa, who runs yooneeq.com, a virtual telecoms and business support company, had the money refunded, but all his business accounts were frozen for 12 weeks while Abbey sorted out the problems. A spokesman for the bank says: “We reported the incident to the police. If they wish to investigate, we will co-operate fully.”
Since Mr Menassa set up his support site, several other victims of apparent fraud, who are locked in a dispute with Abbey, have contacted him.
Despite new Financial Services Authority rules stating that a bank must refund any disputed transactions immediately, banks are still refusing to refund customers. Elias Selby, a 22-year-old student, says that a fraudulent cheque for £18,000 was paid into an account he rarely used. The cheque bounced, but first the criminals managed to spend all £18,000 within 20 minutes using a card and PIN at a betting shop. “Now Abbey is chasing me for the money,” Mr Selby says. “It has also ruined my credit rating. I’ve no idea how someone could have got my PIN or how a cheque can be spent before it clears. Abbey has not offered any explanation for the fraud; it has treated me like the criminal.”
A spokesman for the bank said: “All the disputed transactions were made using the original card and the correct PIN, with no failed attempts to enter the PIN. We are unable to accept responsibility for money that goes missing from customers’ accounts through their negligence.”
A spokeswoman for Barclays says: “Staff fraud is rare, but it can happen in any organisation. We take steps to minimise the risk and detect it quickly. Customers should be reassured that if they fall victim to fraud on their account, they won’t suffer financial loss, unless they are negligent with their PIN or password details.”
Instant access for fraudsters at Barclays
Barclays has been accused of failing to protect customers’ financial privacy after security flaws in its online banking were uncovered by a researcher at the University of Birmingham.
Ben Smyth, at the School of Computer Science, says that a hacker could easily view customers’ bank statements and transfer money between their Barclays accounts. “Security has been neglected in favour of usability,” he says.
If Barclays customers have forgotten their instant-access log-in details, they need only four pieces of data to retrieve it — surname, date of birth, 16-digit card number and three-digit card security code. Mr Smyth says that these pieces of information are too easy to obtain and this leaves people vulnerable to invasions of privacy.
Fraudsters would not be able to move money out of somebody’s Barclays accounts, but they could see a person’s recent transactions and account number and sort code.
A spokeswoman for Barclays says: “Instant access has very limited functionality and we have seen no instances of money being transferred out of accounts in this way.”
Baffled by how fraudsters gained bank details
Holly Noyes recently had some unexplained fraud on a Halifax account that she rarely uses.
The 25-year-old from Richmond upon Thames, southwest London, was contacted by Halifax’s fraud department when someone tried to use her card details to book a £2,000 flight to Morocco.
“Luckily, they stopped the transaction, so I didn’t lose any money,” she says. “I then noticed that a month earlier a fraudster had bought O2 credit worth £30.”
Ms Noyes had not used the account since about September last year. While there is no suggestion that the fraud was an “inside job”, she remains baffled as to how the fraudsters managed to obtain her bank details.
“I have always had the card on me and have never used it to shop online, so I do not know how someone was able to capture my card details,” she says.
When Ms Noyes googled this type of fraud, she found that many other people on consumer forums had found a bogus “O2 LTD pre-pay Slough £30” transaction on their statements. Slough is where the O2 office is based.
A spokeswoman for Halifax was unable to say how the fraud took place, but she added: “Security for customers is our priority. If we detect unusual activity on an account, we can contact the customer before allowing it to proceed.”
An O2 spokeswoman said: “We take every precaution to ensure that payments are genuine.”
Source: The Times Online – http://yoorl.info/?iM