RBS customer lost thousands of pounds in scam

I’m sure some will have seen this:

To be quite honest with you: I have some sympathy with the bank here: True, a “security question” was answered incorrectly, but I’m sure that happens all the time. Who remembers all their security questions and answers? I certainly don’t.

There is really only so much you can do in the case of phone banking, and it’s really why I think phone banking needs to die.

1 Like

I have zero sympathy for the bank, what they did was shocking. You expect the highest levels of security when dealing with banks. What is the point of having security questions if you can get them wrong and still transact?

8 Likes

Well, I guess I don’t. Based on my experience banking security is terrible.

The point is, and it’s not terribly clear from that report, that this isn’t exactly what happened. Here is how I understand what happened after reading the article multiple times:

  1. Imposter phones up, wants to do a large transfer.
  2. Bank calls back on customer’s home number as required for large transfers.
  3. (Unknown to bank that number has call forwarding activated to redirect to imposter’s phone - this is fairly irrelevant to the story as such.)
  4. Imposter answers. Clears authentication with correct security info. Requests one transfer and that is actioned.
  5. During the same call the imposter requests a second transfer.
  6. Second authentication (presumably with different security questions) is required.
  7. Imposter fails that authentication and the second transfer is not set up.

The problem is after failing the 2nd authentication the 1st transfer wasn’t recalled. Personally I think that’s not completely unreasonable as authentication was successful for that transfer.

When they failed security the call was flagged as “potential account takeover”. When the account holder got in touch to report a fraudulent transaction, why they didn’t put two and two together is beyond me!

4 Likes

That I agree with!

Lucky this’ll never happen to me because I’m skint 😉

2 Likes

It’s understandable to get a question wrong, but if you deny the second transaction after asking more questions, why would you not recall the first? Or if you don’t, at least take liability and refund the account holder who has done nothing wrong here.

Or if some hacker comes up with a way to clone iPhones overnight and our Starling accounts are cleared out, do you think I have to accept I’ve lost all my money?

I feel like if they managed to do that Apple would end up paying it all, via fines.

Or if some hacker comes up with a way to clone iPhones overnight and our Starling accounts are cleared out, do you think I have to accept I’ve lost all my money?

If this happens then you have much more to worry about than your Starling account, and in fact you wouldn’t be targeted to begin with because it would be foolish to burn such an exploit just to empty someone’s account. The exploit itself would be worth way more than whatever’s in that account.

In a recording of the fraudulent phone call obtained by Watchdog Live, a woman can be heard incorrectly answering a security question relating to Charlotte’s occupation.

Despite this, a transaction of £4,318 is approved by the bank and it is only after the caller requests a second transaction, and is unable to answer additional security questions, that a warning is raised on Charlotte’s account.

The first transaction was only made after incorrectly answering a security question. Now that in itself is not an issue; I’ve done that in the past. However, it’s poor training at the bank: if a customer still gets information incorrect on the same call, then it’s obvious that because the first one went through they are trying their luck with another one.

1 Like

Speaking only as a customer of RBS:

When I phone to make a new payment I need to give my customer number, PIN and Password. Where did the fraudster get this I wonder? (information that is supposed to be kept private obviously)

Probably malware on the victim’s computer or phone.

One of my favourites with NatWest is when they ring you to try to sell you something.

The call always starts with ‘Can you just confirm your identity by giving me your post code and the X and Y digits of your password’?

No I bloody won’t - you phoned me… I don’t know who the hell you are!

7 Likes

Or published through a breach elsewhere: most people reuse passwords.

But that fraudster seems to have known quite a bit about their victim, as they also managed to convince the phone company to forward phone calls.

1 Like

The good news with legacy bank “passwords” is that the requirements are so low (in fact, you often can’t set up a secure password) that a banking password is unlikely to be reused anywhere because it wouldn’t pass the minimum complexity requirements for any other website.

2 Likes

Nice one! Haha! And so true!