The Fake Bank Security Alert
A plumber received a convincing phone call from someone claiming to be his bank's fraud team — and was talked into authorising a £6,000 transfer.
Attack Chain
- 1Phone number spoofed to show real bank number
- 2Victim verified with stolen personal data
- 3Urgency and fear used to prompt fast action
- 4Transfer authorised to criminal "safe account"
Background
A self-employed plumber in his 40s banked with a major high street bank and regularly used the mobile app for his business. He was used to occasional fraud alerts from his bank. One morning he received a call from a number that appeared on his phone as his bank's genuine customer service number.
The Attack
The caller said his account had been compromised and that criminals had tried to make transfers. To protect his money, she said, they needed to move his funds temporarily to a "safe account." She knew his first name, postcode, and the last four digits of his account — information likely obtained from a data breach. She talked him through transferring £6,000 to an account she described as a "secure holding account" controlled by the bank.
Response
When he later called his real bank to check, they confirmed the account he transferred to was not theirs. An Authorised Push Payment (APP) fraud claim was submitted. Because he had authorised the transfer himself (under manipulation), recovery was initially refused, but a Contingent Reimbursement Model complaint was raised.
Outcome
After a six-week dispute, his bank reimbursed £4,500. He lost £1,500 permanently. The technique used — spoofing the bank's number — is called "number spoofing" and is increasingly common.
Key Takeaways
- Banks will never ask you to move money to a "safe account" — hang up immediately if anyone says this
- Phone number spoofing means the number on your screen can be faked — a real bank number does not mean it is a real call
- If you receive a suspicious call from your bank, hang up, wait five minutes, and call back on the number on the back of your card
- Banks will never ask for your full password, PIN, or card number over the phone
- Know the term "Authorised Push Payment fraud" — if this happens to you, your bank has legal obligations to reimburse you under the 2024 rules
How to Prevent This
All guidesPause before you act on any urgent message
The defining feature of almost every scam — whether email, text, phone call, or social media message — is urgency. Criminals create pressure because they know that when you're panicking, you stop thinking carefully. "Your account will be closed in 24 hours." "Payment required today to avoid legal action." "This is your final notice." "Your computer is infected and you must act now." When you feel this kind of pressure from an unexpected message, that is the single strongest signal that you should slow down rather than speed up. Most genuine organisations — banks, HMRC, utility companies — do not demand you act within minutes or hours. Real deadlines come with days or weeks of notice and are communicated through multiple channels. Building the habit of pausing for five minutes before acting on any urgent communication — and using that time to verify through official channels — will prevent the majority of scams from succeeding.
Banks will never ask you to move money to a "safe account"
If anyone calls you and asks you to transfer your money to a different account to protect it from fraud — even if they appear to be calling from your bank's genuine phone number — hang up immediately. This is a scam called an Authorised Push Payment fraud or "safe account scam," and it accounts for hundreds of millions of pounds stolen from UK victims every year. Your bank will never ask you to: - Transfer money to a different account to keep it safe - Share your full card number or PIN over the phone - Withdraw cash and hand it to a courier - Download an app so they can "monitor" your account Phone numbers can be faked (called "spoofing"), so a call appearing to come from your bank's genuine number could still be a criminal. If you receive such a call, hang up, wait at least 5 minutes (criminals sometimes stay on the line to intercept your next call), then call your bank using the number on the back of your card. Since October 2024, UK banks are legally required to reimburse most APP fraud victims under the new Payment Systems Regulator rules. Know your rights.
What to do in the first hour after being scammed
If you've just realised you've been scammed or have given money or details to a criminal, the next 60 minutes matter more than any others. Step 1 — If money was transferred: Call your bank immediately using the number on the back of your card or on your banking app. Tell them you've been a victim of fraud and ask them to try to recall the payment. Speed is critical — some banks can intercept transfers before they clear. Step 2 — If you gave card details: Call your card issuer to cancel the card. Request a replacement. Check your recent transactions for any you don't recognise. Step 3 — If you gave your password: Change it immediately on the affected account and on any other account that uses the same password. Enable two-factor authentication if you haven't already. Step 4 — If you allowed remote access to your computer: Disconnect from the internet immediately (turn off Wi-Fi or unplug the ethernet cable). Do not use the computer again until it has been professionally checked. Step 5 — Report it: Call Action Fraud on 0300 123 2040 or report online at actionfraud.police.uk. Keep a record of all details: when it happened, what was said, how you paid, and any reference numbers. You are not foolish for being scammed. These are sophisticated criminal operations.