Welcome to the Citywire Money Forums, where members share investment ideas and discuss everything to do with their money.

Fraudulent transaction due to bank not checking name on account
Lee Whitelock
Posted: 16 May 2017 17:31:18(UTC)
#1

Joined: 16/05/2017(UTC)
Posts: 3

Was thanked: 1 time(s) in 1 post(s)
A customer of ours has recently lost a large amount of money due to his emails being hacked and an email that we sent asking for a payment being intercepted, edited by the fraudster with their bank details and then forwarded. The customer unknowingly made the transfer (the email looked as if it had come from us).

The name he stated on the account when making the payment was our company name, but all other details would have been incorrect, i.e. the criminals'.

I am aware that banks don't cross reference names with bank account numbers when dealing with faster payments, but if they had, this criminal transaction could have been stopped.

Why don't banks cross reference names with account numbers and sort codes? So many fraudulent transactions could be stopped if they did.

You wouldn't be able to pay a cheque into someone else's account without the correct name, so why is this so easy to do with online payments?

Would the banks have any liability? We are not talking about a small typo. We are talking about a completely different name on the account.

Any advice or experience with this would be greatly appreciated.
1 user thanked Lee Whitelock for this post.
Mr Helpful on 22/05/2017(UTC)
Law Man
Posted: 19 May 2017 16:56:44(UTC)
#2

Joined: 29/04/2014(UTC)
Posts: 189

Thanks: 62 times
Was thanked: 328 time(s) in 134 post(s)
In short, I do not know.

So: the bona fide payee was ABC Supplier Limited, and the buyer authorized the BACS transfer to ABC Supplier Limited at Sort Code 11-22-33 a/c 12345678; but the name on the recipient account for that Sort Code and account number given was A Criminal Limited.

It does seem remarkable that the bank holding the account in the name A Criminal Limited did not reject the payment; on the basis that the name on the BACS transfer was different.

You could try telephoning the BBA or FoS to ask the question. Otherwise check the terms of the defrauded buyer's bank account to see if that buyer/money sender's bank was in breach of mandate, by not complying with the customer's authority to send the money to an account in the name of A Supplier Limited.

The moral seems to be NEVER use e-mails to communicate bank details. Always telephone the intended recipient (A Supplier Limited) and check the details.
Geoff James2
Posted: 19 May 2017 16:59:37(UTC)
#3

Joined: 11/08/2010(UTC)
Posts: 39

Thanks: 6 times
Was thanked: 19 time(s) in 10 post(s)
This is both a common and depressing fraud.

Was it a retail or a commercial transaction?

To answer your question:

Yes, the banks should and could do much more to prevent this type of fraud.

I believe the issue is operational costs vs benefit? You are asking for a system where the banks actively monitor transactions which sounds very simple and low cost (surely software can do this easily). That is until you then ask two questions.

1) What should the bank do when the vetting process produces an alert? The bank needs to stop the transaction and phone the customer, who will be initially confused. The customer will need the process explaining etc. The call centre completing the phone calls will need to be staffed 24x7. In many instances it will be a false positive and they will be interfering in a correct process, slowing money down, possibly causing charges to be incurred downstream for late payment.

2) Who gains from the added operational processes that the bank implements? The answer is clearly the customer. The bank gains nothing, except gratitude when they correctly stop a payment.

So we are expecting the banks to suffer the costs and the customers to gain the benefit. You can see why they are not eager. The business model is less than ideal?

Geoff
S_M
Posted: 19 May 2017 19:20:49(UTC)
#4

Joined: 17/03/2011(UTC)
Posts: 426

Thanks: 49 times
Was thanked: 197 time(s) in 134 post(s)
Two step verification with the use of a mobile phone generating a random code nips this in the bud. Santander offer this as standard, it beggars belief that others clearly do not.
markus
Posted: 19 May 2017 20:40:24(UTC)
#6

Joined: 02/11/2015(UTC)
Posts: 55

Thanks: 10 times
Was thanked: 42 time(s) in 29 post(s)
S_M;46935 wrote:
Two step verification with the use of a mobile phone generating a random code nips this in the bud. Santander offer this as standard, it beggars belief that others clearly do not.


Struggle to see how that would help in this case. (besides 2SFA via SMS is an improvement but isn't 100% guaranteed to be safe?)



Service provider: Emails client ->Please send me £x to sort code 11-11-11 a/c 123456
Man in the middle attacker intercepts email: modifies email with new account details
Customer/Client: Ok, email says I need to deposit £x to 22-22-22 a/c 234567
S_M
Posted: 20 May 2017 03:43:59(UTC)
#7

Joined: 17/03/2011(UTC)
Posts: 426

Thanks: 49 times
Was thanked: 197 time(s) in 134 post(s)
markus;46938 wrote:
S_M;46935 wrote:
Two step verification with the use of a mobile phone generating a random code nips this in the bud. Santander offer this as standard, it beggars belief that others clearly do not.


Struggle to see how that would help in this case. (besides 2SFA via SMS is an improvement but isn't 100% guaranteed to be safe?)



Service provider: Emails client ->Please send me £x to sort code 11-11-11 a/c 123456
Man in the middle attacker intercepts email: modifies email with new account details
Customer/Client: Ok, email says I need to deposit £x to 22-22-22 a/c 234567


Of course it does, it creates an extra layer of security and given the mobile device will be independent of any attempt to make a bank transfer as soon as the text message is received that should set the alarm bells ringing. The hacker would need to intercept your mobile device as well, and they wouldn't know you use two step verification until they attempt a bank transfer. It's all about having the right security and being aware of the risks fraudsters pose to your business or your personal online activity.

I use two step verification for everything that offers it, including access to emails. I also turn over tens of thousands of pounds in financial transactions online every month. I have never been scammed or subjected to any online fraud.
Lee Whitelock
Posted: 22 May 2017 08:54:48(UTC)
#5

Joined: 16/05/2017(UTC)
Posts: 3

Was thanked: 1 time(s) in 1 post(s)
S_M;46935 wrote:
Two step verification with the use of a mobile phone generating a random code nips this in the bud. Santander offer this as standard, it beggars belief that others clearly do not.


Thanks everyone for replying,

The two step verification above wouldn't have helped in this instance. Even if the customer had received an alert asking him to check, he would have checked, confirmed the account number and sort code and proceeded.

It's the fact banks don't check account names for online payments. You could send a payment to any account with the name Santa Claus as the recipient and it would still go through!

What's needed is a system where you need to enter in the correct account name/recipient as well as the account number and sort code. If they don't match, no payment.

Surely this is possible? A bit like when making an overseas transfer you need to enter the BIC, IBAN and SWIFT code correctly otherwise it gets rejected.

Sara G
Posted: 22 May 2017 10:00:14(UTC)
#8

Joined: 07/05/2015(UTC)
Posts: 404

Thanks: 552 times
Was thanked: 581 time(s) in 253 post(s)
The problem with automated systems ensuring that the name matches exactly is that so many transactions would get blocked due to small differences - e.g. J Bloggs Builders / J Bloggs Ltd. Even then, in some cases fraudsters could change their names to match the genuine recipient as happens in some property fraud.

I have 2FA wherever possible but if I have to pay tradesmen via BACS / Faster payments and they email me the details, I call the office to confirm that the email is genuine and the bank details are correct before proceeding. A bit cumbersome if you are making lots of payments, but better than losing money.
1 user thanked Sara G for this post.
dyfed on 22/05/2017(UTC)
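
An added example, not part of any forum post and not any bank's actual logic: a sketch of the payee-name check discussed above, showing why an exact comparison would block "J Bloggs Builders" / "J Bloggs Ltd" and how a tolerant comparison can warn instead. The suffix list, the 0.6 threshold and the three outcomes are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Legal-form words ignored when comparing names (constructed list, an assumption).
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llp"}


def normalise(name):
    """Lower-case the name, drop punctuation and legal-form words."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def check_payee(entered_name, registered_name, close_threshold=0.6):
    """Compare the name the payer typed with the name held on the destination account.

    Returns 'match', 'close_match' (warn the payer and let them decide)
    or 'no_match' (refuse the payment). The threshold is an assumed value.
    """
    entered, registered = normalise(entered_name), normalise(registered_name)
    if not entered or not registered:
        return "no_match"
    if entered == registered:
        return "match"
    similarity = SequenceMatcher(None, entered, registered).ratio()
    return "close_match" if similarity >= close_threshold else "no_match"


# Constructed cases built from the names used in the thread:
# (name typed by the payer, name on the account the money would reach).
CASES = [
    ("ABC Supplier Limited", "ABC Supplier Ltd"),    # same firm, different suffix
    ("J Bloggs Builders", "J Bloggs Ltd"),           # small difference: warn, don't block
    ("ABC Supplier Limited", "A Criminal Limited"),  # the fraud described in post #2
    ("Santa Claus", "A Criminal Limited"),           # arbitrary name, as in post #5
]


def run_cases():
    """Return the outcome for each constructed case, in order."""
    return [check_payee(entered, registered) for entered, registered in CASES]


if __name__ == "__main__":
    for (entered, registered), outcome in zip(CASES, run_cases()):
        print(f"{entered!r} -> {registered!r}: {outcome}")
```

A 'match' only says the typed name agrees with the account holder's name; an account opened under a matching name would still pass, so confirming the details by phone remains necessary.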
Mr Helpful
Posted: 22 May 2017 10:55:05(UTC)
#9

Joined: 04/11/2016(UTC)
Posts: 175

Thanks: 192 times
Was thanked: 184 time(s) in 96 post(s)
When the payment is significant, we make a 'trial' initial payment of £10.
We then check with the recipient that the £10 was received safely into the correct account, before making the main transfer.

So far, so good.

Quite how the OP could securely put this into effect with his customers without being unduly cumbersome, don't know.
1 user thanked Mr Helpful for this post.
dyfed on 22/05/2017(UTC)
Lee Whitelock
Posted: 22 May 2017 11:08:24(UTC)
#11

Joined: 16/05/2017(UTC)
Posts: 3

Was thanked: 1 time(s) in 1 post(s)
Mr Helpful;47016 wrote:
When the payment is significant, we make a 'trial' initial payment of £10.
We then check with the recipient that the £10 was received safely into the correct account, before making the main transfer.

So far, so good.

Quite how the OP could securely put this into effect with his customers without being unduly cumbersome, don't know.


This is a good idea. Think we'll implement this.
Mickey
Posted: 22 May 2017 11:40:58(UTC)
#10

Joined: 21/06/2010(UTC)
Posts: 293

Thanks: 656 times
Was thanked: 260 time(s) in 135 post(s)
Mr Helpful;47016 wrote:
When the payment is significant, we make a 'trial' initial payment of £10.
We then check with the recipient that the £10 was received safely into the correct account, before making the main transfer.

So far, so good.

Quite how the OP could securely put this into effect with his customers without being unduly cumbersome, don't know.

That's brave, we send £1 in such cases :-) We haven't had any seller complaining about getting the payment in two transactions.