You get a call from your bank and the informed voice asks you to confirm the personal details they have on file, which you do. You are then asked whether you bought something at an electrical retailer recently for £120 and spent £235 in Birmingham, but neither transaction rings true.
The caller tells you they have blocked the payments but they must now secure your account, and says they will send you a notification to approve, or a code to pass on to them. You feel under pressure to protect your money, so you do what is asked.
Unfortunately, the person at the other end of the phone is not your bank but a criminal, and they have added your payment card to a digital wallet on one of their many smartphones. At some stage, your account will be emptied by purchases of expensive phones or designer clothes, which will then be sold on.
Banks have seen an increase in the number of attempts to exploit victims using the elaborate digital wallet fraud and have introduced new security measures to counter the threat.
Danai Antoniou, the chief scientist at Gradient Labs, a financial services AI company, says the approach from criminals can appear harmless as the victim is not being asked to move money.
“This is why most people don’t question it. If the notification says ‘never share this with anyone’ (or similar), they will pre-emptively mention to the customer that this is a routine comment that comes with every notification – which is true, customers do become immune to warnings if they get warnings frequently,” she says.
“Victims often describe feeling panicked and pressured during the call, being told their account is under attack, or that their money is at risk. In that heightened emotional state, approving a notification feels like the responsible thing to do. The victim believes they’re protecting their account, when, in reality, they’re handing over the keys.”
Santander says that digital wallet fraud was the second biggest reason for card scam losses last year, while HSBC has reported an increase over the past 18 months.
UK Finance, the banking trade body, says that the number of attempts has surged, in part because security systems have prevented criminals being successful, forcing them to make more attacks.
What the scam looks like
The fraud can start with phishing where the victim provides personal and bank details after a text message that promises, for example, a winter fuel allowance payment, or an offer for cheap products on social media.
After a few weeks, enough time for the victim to forget about supplying details, the fraudster will contact them, claiming to be from their bank. They will know which bank because of the details already supplied by the victim.
They may ask the victim to confirm the address, or postcode, they have on file, in order to portray legitimacy. The criminal will then ask about some transactions, all fabricated, and when the victim says they don’t recognise them, the criminal will claim they have been stopped, and more measures must be taken to secure the account. They will say that a notification is on the way, and the victim should approve it to secure the account.
“The notification the customer receives is entirely legitimate, as it’s the genuine notification your bank sends when a new Apple Pay or Google Pay card is being added to a device, or the bank may send you a code via text, or in the app. They have just added your card into their Apple Pay or Google Pay and you are now receiving a text, or a notification, to approve it,” Antoniou says.
From there, the criminals can act quickly and empty the account of the victim. “They drain accounts at high-value merchants, such as tech stores and fashion retailers. The appeal is simple: electronics and designer goods can be quickly resold on the secondary market with minimal loss of profit during the money-laundering process,” she adds.
What to do
Banks don’t need your help to protect your account: they have systems in place to freeze and block accounts if needed. “Never trust anyone who calls you from your bank unless you arranged that phone call in advance. If somebody calls, tell them you will call the bank back yourself,” Antoniou says. And don’t use a number they give you: search on the web for the bank’s phone number, or use the one on the back of your physical debit or credit card.
Nationwide warns people to be aware of what any one-time passcodes they receive are being used for.
HSBC says it has put in new security measures to counter the threat of wallet fraud and more would be coming this year. “We are regularly reminding customers not to give out their details, such as one-time passcodes, and to treat them as carefully as you would your pin,” it adds.
UK Finance says: “Set up bank alerts in your app, and check your transactions regularly so you know about any suspicious transactions as soon as possible.
“If you think you’ve fallen for a scam it’s important to contact your bank immediately and report it to Report Fraud.”
Apple says it is not responsible for approving a card for inclusion in the wallet, but that it gives banks information that they can use to combat fraud.
Google did not respond to a request for comment.