Fraudsters are already exploiting the new Authorised Push Payment (APP) fraud reimbursement scheme to trick consumers into revealing sensitive banking information, warns the consumer group Which?.
Starting on 7 October 2024, all firms utilizing Faster Payments will be required to refund victims of APP fraud for amounts up to £85,000. This means customers will receive genuine communications about the scheme from their banks and other payment providers.
Which? recently identified a sophisticated phishing email that appeared to be from NatWest, notifying recipients about “new UK Consumer Protection rules against fraud.” This email was sent on the evening of Tuesday, 10 September.
The email encouraged customers to “verify” their mobile numbers to ensure they would receive notifications about transactions made through their accounts and to report any suspicious payment alerts.
Those who clicked the provided link were directed to a convincing imitation of the NatWest website. This fraudulent site featured the correct branding and first requested a customer number or card number, followed by a PIN, password, home address, mobile number, and account details. This information would allow criminals to commit identity fraud and potentially access victims’ accounts.
Upon discovering the scam website, Which? promptly reported it to the domain registrar, the NatWest press office, and Google Safe Browsing. Despite these actions, the website remained active and was still capable of collecting bank login details and personal data from consumers six days later.
Which? is urging collaboration among different sectors, including banking, social media, and telecom providers, to enhance fraud intelligence sharing. “Improving the security landscape requires domain registrars to take more responsibility as well,” states Which?. “We’ve recently highlighted the prevalence of copycat bank websites in the UK, yet the companies behind these fraudulent sites are often omitted from broader discussions.”