***DELETE ANY OLD PAYEES ON YOUR ONLINE BANKING ACCOUNT
***IF YOU RECEIVE AN UNEXPECTED SUM OF MONEY AND THEN GET A CALL ASKING FOR IT BACK, ONLY REFUND IT VIA YOUR BANK
***CHANGE YOUR ONLINE ACCOUNT LOGIN DETAILS REGULARLY

I run a small business and today received a call from another local company. The chap said he’s just had a call from someone claiming to be me to say I have sent him a sum of money in error and can he refund it to a different bank account. He knew it wasn’t me, foreign accent, unusual circumstances, so he called me right away. I checked my bank account and sure enough, nearly £10k had been transferred to this local business today.

I’ll try and keep this short, so basically I visit the police station, call my bank and get the fraudulent payment refunded.

It’s terribly worrying that someone has accessed my account and done this.

The reason the lowlife managed to get this far is that I had paid money to this small business in the past and therefore he didn’t set up a new payee (an action that usually triggers a notification by text for a passcode to confirm). So using an existing payee he hoped that they would recognise me by name and take his word. What would then happen is the other small business would send back the £10k, then I would notice the payment and get it back from my own bank fraud team, and the other small business would then be £10k out of pocket.

This is what it all seems like anyway. If anyone knows these systems better and has any ideas what can be done to prevent it happening please let others know. It was a horrible experience.

It’s not just about them sending to another payee, someone has got hold of your login credentials to do so in the first place.

The usual tips apply, keep passwords unguessable and never written down or stored anywhere on your PC. Run regular malware checks, and if possible change passwords regularly. Consider using different memorable data than the real stuff – if the bank asks for the name of your school for example and it also appears on your Facebook page, consider changing it.

Was the payment made online or over the phone?

someone has got hold of your login credentials to do so in the first place

no other way of sending out of your account to do this

I checked my bank account and sure enough, nearly £10k had been transferred to this local business today

they got your login and password details

Which banks just use login and password and not some key thingy ?

I didn’t think it was that easy to change your details as its often a random number issued by the bank by letter, and a pin number or memorable word of which you only enter say the 2nd and 8th letter. For this reason it would take a keylogger some time to pick up your security details.

Could it have been done by an easier log in method, automated telephone banking, fraudulent cheque, smartphone app that someone has managed to replicate your log in? (I don’t use the smartphone app for mine but it appears to be a simpler/quicker log in)

They can’t have claimed they forgot their log in details as new ones would have been sent and you wouldn’t be able to log in to check it.

[Quote]Which banks just use login and password and not some key thingy ?[/quote] HSBC will let you log in without it then asks for it in order to do a transfer to a new paye. Not sure if it does for an old one.

I managed to close an accout in a branch of another bank at the weekend with nothing more than the account number and my date of birth.

There is a very high chance your PC/laptop/ phone is compromised. I have heard of a scam similar to this that used phone banking to make the txn but thats unlikely. I’m guessing you’re a RBS/NatWest customer because it allows you to put through faster payments to existing payees below £10k

Assume that ALL your accounts are compromised, including PayPal etc and I expect stw forum posts to now be in a foreign accent.

(Apart from being a god-like mountain biker, I was also the designer of card reader bank online security)

It’s Santander but i guess they’re similar. Would love 5 mins in a room with whoever is responsible.

If you don’t already, ensure you use a different password from everything else for your banking. Bank logins are difficult to compromise without a keylogging malware infection, but some other random website could be trivial.

@DrJ – many, if not most. As OP says a key is usually only required to set up a new PAYEE, it it’s an existing one then only username/password is common

My nationwide ap uses personal number but won’t let you setup new payees. On your computer does the anti virus software protect you from key logging ?