“Simple” and “sinister” are terms that best describe two separate scams readers have fallen victim to in recent days, and while the details differ, the outcomes are identical – people losing large sums of money in minutes.
First, there was Seamus. “I got a text message from eFlow,” his mail starts, which might prompt you to go “Oh no”.
“I had been using the tolls a lot more than usual over the last week or so. I had to drive to Belfast and to Dublin a couple of times and I just thought it was a genuine message from them,” he writes.
So, he followed the link and filled in all the info requested of him. “I went about my business until yesterday evening when I had to take money out of my account, the money wasn’t there and I realised straight away that I had been scammed. I contacted the fraud department of Permanent TSB and advised them,” he says.
The account was cancelled, but at that stage over €2,400 had disappeared.
He says the PTSB staff member “couldn’t tell me whether or not there was any chance of me getting my money back or catching anyone for this. I was just after being paid in the last couple of days and if this happened last week, I would have been fine.”
Separately, Alice Coyle from Clifden received a text message from what she thought was Electric Ireland telling her that her account was overdue.
The account might have been overdue, but it wasn’t Electric Ireland that had been in touch. Within minutes of responding to the message, Alice saw 10 grand being drained from her bank account.
The text message said her last payment had failed and warned her that if she did not visit a certain website and update her account, she risked disconnection.
“I knew I needed to do it at some stage as I’d just received the Electric Ireland bill the day before,” she says.
She also knew she had recently been issued with a new Revolut card and that the fintech had changed its Iban not long before and had asked customers to make sure all direct debits were up to date.
“So I clicked the f**king link,” she says with understandable ire.
“It opened an ‘Electric Ireland’ website which looked the part. A message in the middle of the page says “Action Needed – Update your details to avoid any interruptions to your account.”
She was asked for all sorts of details and provided them, admitting now that she was on “auto-pilot [with] other things on my mind. I did consider for a split second going to the Electric Ireland online account, where you can log in to check all your details and pay your bills, but what a pain, trying to remember login codes, and I think about how easy EI are making this to follow.”
She was nearly done when she was “transferred to Revolut” to authorise the details.
She was prompted to enter her passcode and wondered why she was being asked by Electric Ireland to do this outside of the Revolut app, on a separate web page, so she checked the web address, and it looked okay.
Then she went back to work.
She had received the first message at 2.26pm, and exactly 17 minutes later she got a call from a private number. The person – who spoke with an Irish accent – introduced himself as ‘Andrew’ from Revolut.
He asked her about the payment attempts she had made, stressing that he would not ask for any of her log-in or financial details. Then he said he needed to confirm that she had been making payments to Electric Ireland.
‘Andrew’ said he could see from his system that there had been three attempts to withdraw €5,000 from her account made in the last few minutes by scam artists. The good news was that Andrew was on the case and he reassured her that if she acted fast they could stop the money leaving her account.
Alice was horrified to realise she had “done the most stupid thing and clicked on the bloody link”.
She says she “slowly started to panic”.
She was, however, reassured by Andrew, who said they could get the money back. “I was now in a total panic, but so relieved Revolut were on the ball enough to catch it so quick.”
Andrew told her the payments could be reversed and said she “should receive an in-app message any minute now asking to approve the payment”.
The message was looking for authorisation for a €5,000 payment. Andrew told her she needed “to authorise it in order to be able to reverse it”.
“I click the big blue ‘Authorise’ button. He says “grand”. I watch the total go from 24k to 19k and say “Jesus that’s a bit scary, are you sure that’ll be okay?”
‘No problem, I’m just going to arrange for my supervisor to give you a call’— 'Andrew from Revolut'
Andrew assured her that all as well and that “we just need to complete the transactions in order to refund them. He starts asking me about the original scam text, what number did it come from, and could I read it out to him, so that he can get it logged. He chats away about how common they’re getting now and how sophisticated they’re getting.”
He mentioned the eFlow text message scam and scams from banks and apologised for interrupting Alice’s day. He said it wouldn’t take long.
“I start to wonder, how do I even know he is real?! It’s a private number... but that makes sense, they’re a bank. Andrew has a very normal Irish accent.”
She got another text message and again it was in the Revolut thread. Andrew said it was fake message and told her to ignore it.
“I’m getting bamboozled now with what’s real and what’s not,” she says. Then another message arrives asking her to authorise another payment for five grand, which she does, “and the balance goes from 19 to 14k before my eyes”.
She expressed concern to Andrew, asking if she could call him back. He offered to text her again and then he gave her an email address she could contact to confirm his credentials. Then he said he could arrange a call in a couple of minutes if she just authorised the last request for €5,000.
Alice says she said she would not do it, “and he said ‘No problem, I’m just going to arrange for my supervisor to give you a call’, and then he hangs up on me. I’m frozen now, which way is up? What’s just happened? I’ve just lost 10k.”
She went into the Revolut app and clicked each of the two transactions for €5,000, selecting the “I do not recognise these payments” option.
She was then given a series of questions and was directed to a chargeback form. “I filed the two chargeback claims but I was too flustered to know what’s happening and was frantically looking for a way to contact Revolut. No way to talk to a human. No way to alert them of a scam.”
After having a frustrating “conversation” with a chatbot for too long, she got through to someone who told her “the possible outcomes but advised me to sit still and see if the ‘merchants’ go ahead and take the money. She says there’s a block on the payments but explains that only holds it until the merchant decides to go through with it. I ask how is that a ‘block’ if it doesn’t actually block.”
It is vital that criminals are stopped at the source from using convincing-looking phone calls, texts and social media advertisements, otherwise they will only step up their efforts to trick people into handing over their money— Revolut statement
There is so much that is alarming and upsetting about this scam, but when Pricewatch spoke to Alice the things she was most upset by were the inability to get through to a human being who could help her in a timely fashion, and the manner in which – she says – she was being effectively being blamed for the episode by Revolut. She accepts that she did authorise the transactions but says, reasonably, that she was the victim of a scam.
Pricewatch got in touch with Revolut. In a statement, it said it was “very sorry” to hear about the case, and said Alice Coyle had been “targeted by ruthless and highly sophisticated criminals”.
A spokesman said it takes its “responsibility to protect and support our customers extremely seriously, and we are fully aware of the industry-wide risk of customers being coerced by organised criminals”.
The statement went on to say that Revolut is “deeply concerned that large numbers of frauds are being enabled by criminals using fake social media adverts, fake texts and fake and spoofed phone calls. It is vital that criminals are stopped at the source from using convincing-looking phone calls, texts and social media advertisements, otherwise they will only step up their efforts to trick people into handing over their money.”
The statement said it “has been engaging extensively with the Government and industry over recent months in an effort to ensure that telecoms and tech firms take responsibility for these fake calls, texts and websites which enable frauds like this one”.
It said customers “should always engage with us in the Revolut app – not by phone – precisely so that they can be certain they are dealing with a Revolut staff member, and not a criminal”, adding that the company “will never call you about your personal account without first initiating the contact via the in-app chat”.
The statement said that once a payment is authorised, “there is nothing we are legally able to do to cancel the transaction... However, we do recognise that due to the complexity of payment settlement schemes this could have been made clearer, and we will review how we communicate this to customers in future.”
Problem getting worse
Scams are more sophisticated and more common than ever – and the problem is getting worse.
It is clear that telecoms companies and tech companies must do more to stop dodgy text messages coming, and if they can’t stop the messages they should be forced to pay a price to those defrauded on their platforms. But the financial sector has responsibility to look after their customers too.
Financial institutions are very quick to distance themselves from scams, pointing out that once a transaction is authorised by a customer there is little they can do
When crimes are reported to gardaí they can do their best, but given a lack of resources, the cross-border nature of the criminal activity and the speed with which scammers can move money from Ireland to anywhere in the world, they struggle to bring the perpetrators to justice.
For their part, financial institutions are very quick to distance themselves from scams, pointing out that once a transaction is authorised by a customer there is little they can do.
The picture is slightly different in the UK, where a so-called Contingent Reimbursement Model was introduced in 2019 with the aim of supporting victims of authorised push payment fraud (APP fraud).
The UK’s model is a long way from ideal, not least because right now it is voluntary, but it is better than nothing.
British consumer watchdog Which? has long been fighting the consumer’s corner over scams and believes that the CRM code “as it’s currently being implemented leads to a reimbursement lottery, as the rates of reimbursement depend on who customers bank with”.
It says a new mandatory code “should mean victims get their money back in all but exceptional circumstances” and says that “should lead to fairer and more consistent outcomes”.
But what of Ireland? Last week The Irish Times contacted the Central Bank, the Department of Finance, the Competition and Consumer Protection Commission (CCPC), the Banking and Payments Federation of Ireland (BPFI) and the banks to find out what they were doing about the curse of fraud and whether or not they might embrace – or enforce – a mandatory reimbursement scheme.
The Department of Finance said it was rolling out recommendations arising out of the retail banking review, including improving financial literacy.
“A large proportion of payment fraud is facilitated through false communications,” a spokeswoman said, adding that communications watchdog ComReg is “actively working with the telecoms industry through the Nuisance Communications Industry Taskforce (NCIT) to mitigate the scourge of scam texts and calls and to restore trust in the telecommunication industry”.
It said that in Ireland, payment service providers are regulated by the European Union’s revised Payment Services Directive (PSD2) which “provides the customer with recourse for unauthorised transactions. However, it does not directly provide recourse for the customer in the case of authorised push payment fraud.”
The European Commission is currently conducting a review of PSD2, which is expected to examine the issue of scams including APP fraud.
The CCPC highlighted the role played by PSD2 but noted that “scammers are becoming increasingly sophisticated, which makes it harder for consumers to identify legitimate businesses and protect themselves. Currently, if a consumer authorises a payment to another bank account that turns out to be fraudulent, the consumer is very unlikely to obtain reimbursement.
“The CCPC would strongly support additional protections for consumers in this area. The international nature of many online frauds means any new protections would need to be introduced across the European Union in conjunction with the Central Bank of Ireland as the regulator.”
The Central Bank said it expects banks “to have robust measures in place to prevent and protect consumers from fraud” and said it was “important that consumers are informed of the risks of fraud and empowered and supported to avoid it, as well as being supported by their firm to mitigate the impact of frauds where they take place”.
A spokesman said it “fully supports the work under way at European level on legislation to better address the issue of push payment fraud in the legal framework. The Central Bank is working at a European level as a member of the European Banking Authority, whose report identified the need to consider the legislative framework in this area.”
The BPFI said “its members are fully committed to combating financial fraud and protecting customers through a range of measures”.
It highlighted its FraudSMART programme, which undertakes fraud prevention education and awareness for consumers and businesses, and said it was “currently participating in a ComReg-led project to reduce spoof callers, which has successfully blocked almost 10 million phishing calls since September 2022″.
It added that it has been working with members “to develop an industry Shared Fraud Database which is ready to implement pending legislative amendments currently under review with the Department of Justice”.
We can request that the receiving account is blocked. We urge customers to contact us as soon as possible if they feel they may be a victim of a scam— AIB spokeswoman
The BPFI added: “Shared fraud database schemes seen across Europe and operational in the UK for over 30 years, enable collaboration and sharing of information about known fraudsters, fraud schemes and emerging trends, allowing the industry to act in real time and prevent the fraud from taking place.” A spokeswoman said that while financial institutions “have a clear role to play in preventing fraud”, the vast majority of frauds now initiated online meant “we cannot do this alone. To effectively combat fraud, BPFI and our members believe that the development of a centrally led ‘whole of system’ response in Ireland is critical, bringing together social media companies, telecoms, financial services, the State and An Garda Síochána to devise appropriate strategies to better share intelligence, implement protections for consumers and develop barriers to criminals.”
Bank of Ireland highlighted awareness campaigns and fraud detection systems and processes as well as “a dedicated fraud team available 24/7 to catch fraud, alert customers to potential fraud and try to retrieve customers’ money when fraud does occur”.
A spokeswoman said its fraud prevention systems and personnel have prevented about 70 per cent of attempted fraud by criminals against our customers this year “and when a fraud did occur, our teams have recovered the majority of funds for customers”.
Permanent TSB said “in the majority of cases the customer is reimbursed by the bank. We also regularly communicate with customers to create awareness and provide warnings on specific scams.”
Revolut is deeply concerned that large numbers of frauds are being enabled by criminals using fake social media adverts and spoofed text messages and phone calls— Revolut spokesman
AIB said it was “continuously making significant investments to enhance our fraud-monitoring systems in response to new fraud threats and existing trends, to protect the best interests of our customers”. It pointed to its education efforts and engagement with the authorities, as well as “multiple layers of two-factor payment authentication and fraud monitoring”.
A spokeswoman said once a fraudulent payment is reported to it, “we can then report the fraud to the receiving bank and request for the funds to be returned. We can also request that the receiving account is blocked. We urge customers to contact us as soon as possible if they feel they may be a victim of a scam. By customers contacting us promptly, AIB can endeavour to prevent a fraudulent payment from processing, and in many cases we have secured a positive outcome for customers.
Revolut said it works “incredibly hard to protect our customers from financial crime. Like the gardaí and many others, we also offer our customers advice on how to protect themselves from crime”.
A spokesman said the “focus should be on stopping financial crime at the source, and Revolut is deeply concerned that large numbers of frauds are being enabled by criminals using fake social media adverts and spoofed text messages and phone calls. Banks and financial institutions are the last link in the fraud chain – and so by the time the customer is authorising the transfer, the fraud has already happened. By stopping these frauds at source, as part of a nationwide and EU-wide drive to target the criminals responsible, we believe consumers will be exposed to much less financial crime.”
He said that on the issue of reimbursement “it needs to be complemented by a targeted prevention strategy. This is because banks and financial services providers can and do stop their customers from losing money to fraud, but they can’t stop their customers from being targeted by fraudsters.”
He suggested that a policy of blanket reimbursement by banks for all frauds “will incentivise criminals to target more people and try more scams, and guarantee even greater payouts when they are successful”.