I’m writing about a scam a colleague fell into that led to a loss of £85,000 for our small business.
Fraudsters carried out the scam via the company’s Revolut account in a complex mix of hacking, phishing and identity theft, carrying out a dozen digital credit card transactions ranging from £2 to £22,000. Revolut refuses to refund money. Please help.
Anon.
Revolut insists that in your colleague’s case it issued sufficient warnings that invalidated your company’s claim for a refund
SALLY HAMILTON ANSWERS: Yours is just one of a number of worrying cases that have recently come to light involving Revolut customers, all of whom had their accounts raided by fraudsters using sophisticated account takeover techniques.
An account takeover occurs when a criminal pretends to be a bona fide customer, usually after obtaining personal information through ‘phishing’ or other means.
The scammer takes control of an account, for example by adding their own device to the account, or by posing as the bank to convince the victim to download software that gives them remote access to the computer the customer uses to manage the account.
As in your case, the criminal will typically do this by calling the victim and posing as a member of the bank’s fraud team to warn of a security breach that he says requires urgent action.
Once the fraudster has control of the account, he moves money to other accounts via bank transfer or payment card, with the funds often ending up abroad. Scammers can target all kinds of accounts, including those held with banks, mobile phone companies and credit card companies.
Consumer group Which? reported last month on two cases, both involving Revolut’s small business customers, who lost £165,000 and £40,000 in the scam.
Not long after, website AccountingWEB exposed the case of an accountant who similarly had £53,000 looted from her Revolut account. None of these losses were reimbursed by Revolut.
The scammers seem to find the process of taking over the account effortless and come back to taunt the victims. Your colleague was called after the attack and told: ‘This was the easiest £85,000 I have made. You live and learn’.
Revolut, which offers banking services with linked payment cards but does not currently have a banking license in Britain, insists that in your colleague’s case it issued adequate warnings which invalidated your company’s claim for a refund.
One of the victims from the Which? report contacted me to express how annoying he found Revolut’s advertising campaign on the London Underground, which claims the payment card has ‘too many security features for one ad’.
It lists many, but highlights some in bold, including “we’re monitoring your account for suspicious activity” and “single-use virtual cards to protect your online payments.”
These features did not appear to protect your colleague. He and the other victims report near-identical stories of how scammers used elaborate social engineering techniques to trick them into handing over data, then made multiple transactions on their accounts.
In your company’s case, the victim was contacted by text message by someone posing as a member of Revolut’s fraud team, who convinced him that someone was trying to access the company’s account without permission and that he needed to act quickly to stop this.
The crooks were so convincing that he took the steps they recommended in an effort to protect the company’s funds. But this advice was only the first step in the scammers’ cruel scheme to steal from the account.
A text message arrived, apparently from Revolut’s fraud department, with a code, which your colleague fatally keyed into his phone. This allowed the fraudsters to complete further security steps, take over the account and operate it from another device, sending payments from the account totaling £85,213.
Revolut says there will be no refund as the steps in the authentication process have been completed successfully. You say that an important alert email, an early step in this security process, was not opened by your colleague. Revolut disputes this and suggests it was clicked or forwarded.
One of your biggest concerns is the dozens of high-value payments that have gone out in quick succession to recipients who have never been paid before, including the money transfer service WorldRemit.
In the previous year only two transactions of over £1,000 had been debited from the account and none before that. A colleague with higher authority on the account eventually discovered the suspicious transactions and blocked the card in question. But the scammers managed to create a new virtual card and continued making payments.
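The sequence described above (a newly added device, large payments in quick succession to recipients never paid before, and a fresh virtual card created after a block) can be expressed as monitoring rules that hold a payment for review. The following Python is an added example, not Revolut's logic and not part of the original column; the event fields, the time windows and the two-signal threshold are assumptions, and the event stream is constructed.

```python
from datetime import datetime, timedelta

HIGH_VALUE = 1000                        # GBP, the column's yardstick for a large payment
BURST_WINDOW = timedelta(hours=1)        # assumed meaning of "quick succession"
NEW_DEVICE_WINDOW = timedelta(hours=24)  # assumed cooling-off after a device is added

def review_payments(events, known_payees, prior_year_high_value):
    """Return [(payee, amount, reasons)] for payments that should be held."""
    payees, held, recent_high, cards_after_block = set(known_payees), [], [], set()
    device_added = blocked_at = None
    for e in sorted(events, key=lambda ev: ev["time"]):
        kind, now = e["type"], e["time"]
        if kind == "device_added":
            device_added = now
        elif kind == "card_blocked":
            blocked_at = now
        elif kind == "card_created" and blocked_at is not None:
            cards_after_block.add(e["card"])
        elif kind == "payment":
            reasons = []
            if device_added is not None and now - device_added <= NEW_DEVICE_WINDOW:
                reasons.append("new_device")
            if e["card"] in cards_after_block:
                reasons.append("card_issued_after_block")
            if e["amount"] >= HIGH_VALUE:
                recent_high = [t for t in recent_high if now - t <= BURST_WINDOW] + [now]
                if e["payee"] not in payees:
                    reasons.append("new_payee_high_value")
                if len(recent_high) > prior_year_high_value:  # busier than the whole prior year
                    reasons.append("burst_above_baseline")
            if len(reasons) >= 2:
                held.append((e["payee"], e["amount"], reasons))
            else:
                payees.add(e["payee"])   # only released payments establish a payee
    return held

def _ev(minute, kind, **kw):
    return {"time": datetime(2023, 1, 10, 9, 0) + timedelta(minutes=minute), "type": kind, **kw}
# Constructed event stream modelled on the sequence the column describes.
SAMPLE = [
    _ev(-600, "payment", card="c1", payee="supplier", amount=300),
    _ev(0, "device_added"),
    _ev(5, "payment", card="c1", payee="payee-A", amount=2),
    _ev(8, "payment", card="c1", payee="payee-B", amount=22000),
    _ev(12, "payment", card="c1", payee="payee-C", amount=9000),
    _ev(20, "card_blocked", card="c1"),
    _ev(22, "card_created", card="v2"),
    _ev(25, "payment", card="v2", payee="payee-D", amount=7500),
]
```

Calling `review_payments(SAMPLE, {"supplier"}, prior_year_high_value=2)` holds the three large payments; the one on the replacement card trips all four signals.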
Payments that appeared as pending were also allowed to continue even after the fraud was reported to Revolut. ‘Pending’ status offers no protection, it seems.
Revolut told me that the money for an outstanding payment ends up in the customer’s account in a ‘blocked’ state, is no longer under control and therefore cannot be cancelled. It says it tried to recover the money from the recipient companies but was “unsuccessful.”
I know there are many who believe that victims of such scams should not be compensated. It’s their fault, they suggest. But I feel differently. These people were manipulated and controlled by highly skilled fraudsters.
Out of natural fear for their finances, they acted quickly, believing they were protecting their company’s money. Until someone is the target of such devious tricks, it is impossible to know how he or she will react. Customers trust their account providers to be the last safe bastion for their money and expect them to do more to intervene.
Revolut may not be the only account provider targeted, but scammers have apparently discovered a weak link that needs urgent tightening.
A Revolut spokesperson said: ‘We are continually strengthening our fraud controls to stay ahead of new trends, introducing further direct interventions and sharing educational material with our customers so they can spot criminals’ social engineering tactics. Revolut will never call you without first confirming via our secure in-app chat.’
The spokesperson added: ‘We are aware of a recent increase in attempted advanced account takeover (ATO) fraud by criminals across the industry and are deeply concerned that large numbers of frauds are being enabled by criminals using bogus and spoofed phone calls and text messages. We encourage people to be vigilant.’
Revolut’s reference to fake calls and messages is certainly justified. Your case suggests that it is all too easy for scammers to pose as a company and use texts and emails that appear genuine.
At my encouragement, your colleague is now taking his case to the Financial Ombudsman in the hope that it will take a different view of the refund.
Homeowners should beware of fake emails pretending to be home improvement brand Homebase, Action Fraud has warned. Tricksters are trying to lure DIY fans with congratulatory emails claiming a chance to win products like drills from tool company DeWalt. The scammers claim that you can ‘answer and win’ by clicking on a link, but the links lead to phishing websites designed to steal personal and financial information. Action Fraud has received 3,500 reports of the scam emails. Do not click on any links in the email, but forward it to report@phishing.gov.uk
- Do you have a consumer problem that you need help with? Email Sally Hamilton at sally@dailymail.co.uk – include telephone number, address and a note addressed to the offending organization giving them permission to speak to Sally Hamilton.