With online fraud and scams on the rise, are your savings really safe? Don't bank on it
Unexpected phone calls over the weekends, fake threats of scams, fake bank accounts - they're all things we need to look out for. But are the banks really doing enough to protect the wary older and tech-eager younger people, asks Jane Fae
There is a click, a sharp intake of breath and then: "Old people and THE INTERNET!" Because old people won't get with the programme and trust in technology and the banks. Some are so untrusting that they are taking their money out of banks and leaving it stuffed under their mattress!
Apart, that is, from the ones who turn up tearful or - because they are "of another generation" and therefore stoical - dry-eyed and resigned on assorted consumer programmes, to explain they will now end their days in penury. Because they trusted the banks too much.
And they also trusted the plausible-sounding villain on the phone who pretended to be their bank, and instructed them to take all their money and deposit it in an account somewhere in the Cayman Islands. For safe-keeping, obviously. Or maybe they handed over a password. Who knows? Who cares? It's all their fault. Us young folks would NEVER be fooled like that.
Except the statistics don't bear this out. According to the most recent data from a 2017 report by Age UK, online fraud is on the rise - but the largest category of victim by age is people under 55. In part, that reflects the fact that far more young people use online banking facilities, so there are simply more of them to be victim. In part, though, it reflects a more cavalier attitude to data.
As one anti-fraud campaign makes very clear, it doesn't take a lot of skill to run through an individual's social media postings to skim a whole load of interesting data, from debit and credit card numbers to full name, address and date of birth. Possibly, too, older people are just less willing to own up to having been scammed.
Still, the solution for all of us is to be more careful. Share less. Get smarter with our passwording. Make life more difficult for the bad guys.
Let's start with some basics. Full marks to a US organisation, the National Council on Ageing, for their explanation that "financial scams... are devastating to many older adults and can leave them in a very vulnerable position with little time to recoup their losses".
Nul points though to the press representative of a well-known United Kingdom charity whose first thought, when asked about the issue, was as above: that it's all about a tech deficit on the part of older internet users.
Let's dig into that. I don't wish to suggest that being ripped off is somehow not an issue for younger people, or that all older people are wealthy pension-hoarders. Rather, there are structural reasons why the threat to the older generation is different not just in scale, but also in subjective and real-life impact.
Let's start with average account holding. According to SunLife, one of the world's largest and oldest insurance companies, over-55s have an average savings balance of £47,237 - almost double the UK average of £26,180 - while one-fifth of this age group have put away over £100,000.
There are good reasons why this may be the case. As children leave home, the nest becomes empty and many choose to downsize, swapping a larger house for a smaller one, while pension reforms mean many older people now take a chunk of their pension fund as drawdown.
That latter is what first alerted me to this issue, as I, too, recently "semi-retired". Neither working full-time, nor stopped entirely. However, I have, as many others have done, "crystallised" my pension, transforming it from mystical treasure to pot of cash and drawn a chunk of it for personal use.
That, in turn, has two consequences. First, there is a lot more money sloshing around in my bank accounts than at almost any point in my life before. In time, I will tie some of that down again in various investments - but not via the instant fix of a world cruise or a ludicrous sports car. (Though I might just splash out on a kitchen makeover).
Second, that is serious money, not just in terms of amount, but in terms of what it is there for. It must last: it must, in fact, last the rest of my life, which may be anything from a few months to 30 or 40 years. So this issue is personal for me, but more of that later.
In October 2017, the BBC's Rip Off Britain told the sorry story of an older couple impacted by fraud. Jane and Steven Caldwell ran a small business in Lancashire. After some 30 years in teaching, Steven retired and they decided to run a café together. A lump sum from Steven's pension, and a small inheritance from his father, allowed the couple to pay off debts. Funds were earmarked to help their sons on to the property ladder.
This was not to be. One weekend, Jane answered the phone to a caller claiming to be from a centralised fraud team that works with banks over weekends (that is significant: many banks do not have fraud support on call over weekends, making this prime time for many fraudsters).
He warned Jane that her bank accounts were at risk of being hacked at that very moment. In a panic, Jane made several attempts to verify that the caller was genuine and was persuaded that he was.
He appeared to be calling from her bank's customer services number. According to Jane, he appeared to be able to view recent transactions on her bank account. When she put the scam call on hold and attempted to call her bank's customer services number, he was aware of what she was doing.
Convinced that the call was legitimate, Jane transferred £14,000 from the couple's NatWest accounts and £90,000 from their Nationwide accounts, into a series of new, safe accounts set up in her name by the scammer. He told her that she would be able to regain access to her funds on the following Monday. But of course, on Monday they were unable to access the new account, and every single penny of their savings was gone. As far as the banks were concerned, because Jane made the transactions herself, they had no reason to be suspicious and didn't challenge the transactions as being fraudulent.
The cost of this fraud? In cash terms, just over £100,000. Later, they learned that the Nationwide had managed to halt approximately £24,000 of the transfer. But that still left them out of pocket to the tune of £80,000.
Jane told the programme: "I just felt sick, I had a crushing pain in my chest. I was having full-on panic attacks."
Steven was outwardly more sanguine. He said: "The fact that the money came from my parents and my pension - it feels very personal. I feel my opportunity to help my children is gone. But I'm trying not to blame Jane, because I know she did what she did to protect it."
Jane and Steven may come to terms with this disaster - they are relatively young and still have time to recover. The outcome for others, though, is frequently devastating.
This, though, is to regard the risk in purely monetary terms. There is a second aspect of this issue - and that is perhaps the most uncertain one of all: whether your bank will accept that you have been scammed through no fault of your own, and whether they are prepared to compensate you.
Bank reaction to Jane and Steven's case was par for the course. NatWest "regretted" it. They "deeply sympathised" with the couple's distress. Then they shifted gear: fraudsters were becoming increasingly sophisticated. NatWest were proactively educating customers in how to stay safe and secure. Customers should be ever vigilant against unexpected phone calls because, of course, the bank would never ask individuals to transfer money from an account due to security concerns.
Now they're on a roll, moving smoothly from sympathy to self-promotion, casually informing viewers that they are the only UK bank to partner with National Trading Standards on their Friends against Scams initiative. Nationwide chimed in with more sympathy and understanding. And they had reduced the Caldwell's loss by £24k. Otherwise, the scripts were interchangeable. Security is important. Education - again! - is key.
The same approach to fraud permeates the entire banking community. Barclays, for instance, will "refund (customers) in full for any transactions that they haven't authorised - including any interest or charges that may have been incurred".
However, "while we'll do our best to protect our customers against fraud, it's their responsibility to be alert when it comes to scams and tricks. Each situation will be assessed on its individual merits..."
And there's the rub, as another case makes clear. Sylv is a feisty lady from north London: 75 years young, IT literate and still pursuing an active social life. In September an attempted purchase at the Hepworth Gallery in Wakefield was refused.
Her bank account, which should have contained £6,000, had been emptied over the preceding 24 hours. A further £1,000 - her overdraft limit - was also gone. This, too, occurred on a Friday. She was able to contact the fraud team on the day it happened, but no significant investigation was possible before the following week. Eventually, after many hours on the phone arguing her case, the bank eventually agreed to refund her the money.
Though Sylv suspects she was lucky. The first response by the bank was to suggest she had taken the money herself. That's a fair question: but Sylv remains unimpressed. She explains: "Both their tone and their attitude were wholly inappropriate to a 75-year-old pensioner who had just suffered significant loss."
Besides, she wondered if they had simply been hacked and not told customers. Still, they argued that whoever had taken the money must have had access to Sylv's passwords and personal information, which, Sylv concedes, seems likely. But she has no idea how that could have happened.
What saved her, in the end, was that the scammer had phoned the bank about a Tesco delivery and its cost, and the bank had passed all of their activities without a squeak. That is, on the phone without passwords or passcodes, it was possible to pass bank security with personal information only.
In other words, the bank was implicated and this, Sylv believes, was a significant factor in their eventual capitulation. Even so, she had to insist that they listen to the recording of that call and compare her voice to the scammer's before they would act. Otherwise, she suspects, matters might have gone very differently.
Like they did, for example, for a pensioner conned out of £45,000 in savings, or another who lost life savings of £4,000. In both instances, the banks decided that they had contributed to their own downfall, and so that was that.
Talk to fraud victims, and over and over again this seems to be their experience. Many do get their money back. Banks are wise; they know better than to antagonise a demographic that votes often and is influential with the political classes.
But still, the basic principle is flawed - the onus is on victims to prove to organisations (that are significantly more powerful) that they are not to blame. Hence the near universal insistence on customer responsibility and the notion that the best way to stop fraud is to educate customers.
Commenting on the Caldwell's loss, Dr Steven Murdoch, a banking security researcher at University College London, explained: "In other parts of the world, customer protection laws are much stronger - in America for example, the couple would have had their money back months ago. There are many ways that the banks could help reduce these types of fraud, potentially to negligible levels - but they have absolutely no incentive to do so."
This was echoed by Age UK, giving evidence to a parliamentary inquiry this autumn. They wrote: "We do not see any clear incentive for banks to act where they are not held liable for the loss."
There are two central issues with banks. Despite all the talk of customer focus and listening, delivering on what customers actually want is the last thing on their minds. They are also pathetically slow to close structural security loopholes.
In respect of the first, witness the continuing closure of local banks. The branch at which I first set up my main current account is now closing. I could now avail myself of phone or internet banking. Except I don't much want to do either. Following an episode when first, NatWest customer services, informed me of a glitch in their online security and then, their press office explained that their customer services were in fact misinformed, I have disabled internet banking entirely.
A factor in that decision is the amount currently sat in my account. Could I not, I asked both NatWest and Lloyds, have one online account for day-to-day transactions and another non-online account for everything else? That way I could spread the risk and, if ever my internet security were compromised, minimise any losses.
Er, no. Or to be precise, "Computer says no". Because once ONE account is online, EVERY account must be. Why? According to a helpful woman at my local NatWest, no one has ever asked for such a facility. But I was asking! No: there was no demand.
As for bank security, that is, as far as many who work in the IT industry are concerned, a joke. A continuing reliance on passwording is controversial, as is best advice that some banks still manage to deliver with a straight face: that is, passwords ought to be 15 to 20 characters, a mix of upper and lower-case letters, plus numbers and punctuation, preferably not spelling out a real word. They should be different for every account, every online service you use. And they should be changed once a month. Really? Has anyone ever done that?
Banks have come late to the use of biometrics to confirm identity, relying, instead, on information that is vulnerable to OSINT (open-source intelligence gathering techniques). After all, if a scammer is prepared to hack an individual's phone, or set up a fake call centre to extract money from a victim, is finding out their mother's maiden name really an obstacle?
They have come late, too, to dual authentication: that is, to insisting on a second back-up confirmation when large money transfers are requested. Though as some scammers are now developing techniques to intercept text messages to individuals, even that is not entirely secure.
Underlying all of this is banking arrogance. They are so used to "knowing best", that they cannot conceive that they might be at fault. An individual with little expertise in financial IT, and who in the hours and days following a major scam may be in serious shock, is asked to prove that they have not compromised their security in any way. In contravention of FSA rules that say the bank should give you the benefit of the doubt unless they can prove otherwise, many banks regard the fact of having been scammed as, itself, evidence of customer wrongdoing.
A recent rise in banks refusing to recompense individuals who have had money taken from their cards suggests they have learnt little. As for "verified by Visa": this is an accident waiting to happen, condemned at the outset by security experts. Yet banks continue to assert that this means that your online transactions are safe.
The real problem is that in an area growing more complex by the month, banks are demanding a level of responsibility and expertise from customers that is beyond reasonable.
As noted above, I am increasingly unwilling to use the internet for banking and - I said this was personal - I am not the average bank customer. For many years I worked on the IT side of finance; for over a decade, I dealt with issues of data security and the horror stories I encountered then made me permanently wary of IT.
So if pensioners and older people decide not to join the rush to internet banking, it is possible they are not quite the Luddites they are being made out to be. And younger people so enthusiastically, so smugly signing up to new tech solutions may in time come to regret that decision.