Fraud and compromised account security

Account holders should report a lost or stolen debit card to the bank immediately.

Most online banking apps have the option to freeze a lost card or report a stolen card. Account holders who do not have online banking can phone their bank, or visit a branch with counter service.

Account holders can prevent a lost or stolen card from being used by contacting their card payment processor, usually either Visa or Mastercard.

How to get stolen money refunded

The bank normally refunds money that is stolen from the account holder if their card is used without their permission. The bank does not usually refund money if the person who uses a card enters a correct PIN.

Account holders can complain to the bank and the Financial Ombudsman if the bank refuses to refund the stolen money.

Some people share a bank account with another person if they do not have an account of their own.

Anyone who has been forced to share confidential security details can report it to the police. Financial abuse is a form of coercive control. It is a crime.

Sharing an account number and sort code with another person is usually safe as long as the account holder does not share other security details.

Shared bank account

A shared bank account is an informal agreement where two or more people use the account of one person. Sharing a bank account is a problem for people who have to prove their income and expenses. For example, proof of budgeting for a homeless application, or proof of income when they apply for legal aid.

The account holder could change details like their online banking security information or cancel their debit card, to prevent the other person from accessing funds in the account.

A person who shares a bank account with the account holder can apply for their own bank account to ensure their money is secure.

Compromised security of shared accounts

A person who shares their own account with another person has compromised their banking security. They are not refunded for any loss caused by sharing their details. This could include the other person drawing out money from a cash point or spending on a debit card.

Bank account holders can discuss compromised account security with their bank. They could change their online or telephone security information, and the bank can send them a new cash card or debit card.

Identity fraud happens when a fraudster uses someone else's personal details to buy a product or take out a loan. Many people don't realise this has happened until they receive a bill or have an application for credit turned down.

Victims of fraud can contact Victim Support and report it to Action Fraud.

The person's credit report could show other accounts and products the perpetrator has taken out in the victim's name.

Check the victim's credit report

Ask the three main credit reference agencies for a copy of the victim's credit report. They must provide the report for free.

The three main agencies are:

• Experian

• Equifax

• TransUnion

Ask the credit reference agencies to apply a notice of correction on the credit reference file. This provides an extra level of security if someone applies for credit in the person's name again.

Remove a CCJ made in error

Someone who has been a victim of fraud might have a County Court judgment (CCJ) against them for an unpaid debt. They can get advice about making an application to court to set aside the judgment.

A successful application to set aside a judgment means the CCJ is removed from the person's credit reference file.

Some people are victims of bank transfer scams, which are a type of fraud.

A bank transfer scam, sometimes called authorised push payment (APP) fraud, is where a scammer persuades someone to transfer money out of their bank account into a different one. The scammer does this by pretending to be someone else. They might pretend to be someone known to the victim, or be from a legitimate organisation like HMRC.

How to stop bank transfer scams

An account holder can prevent a bank transfer scam by double checking the person asking for a bank transfer is who they say they are. Account holders should not transfer money to organisations like HMRC without contacting them directly to confirm their bank details.

Account holders should check the confirmation of payee field when making an online payment. This shows whether the bank account details match the name of the person or organisation they are sending the payment to. It has been introduced by the Payment Systems Regulator as an anti-fraud measure.

Some bank transfer scams can be very difficult to spot. Scammers are able to make their phone and email contact details appear legitimate.

How to help someone who is the victim of a scam

Most banks are signed up to the Authorised Push Payment (APP) Scam Code. Banks that have signed up to this voluntary code will reimburse people who are not at fault. They should also take steps to protect their customers from fraud.

The APP code applies to transfers within the UK. It does not apply where the money has been sent overseas.

People who are victims of bank transfer fraud should contact their bank as soon as they become aware. Under the APP code, the person is entitled to a refund of the money as long as they had a reasonable basis for believing the payment was legitimate. The bank will ask the person what they thought the payment was for, and whether they checked details like the confirmation of payee field for an online transfer.

A professional could help their client to explain what they thought the payment was for, and highlight any difficulties the account holder has that means they are more vulnerable to fraud.

The Financial Ombudsman Service can deal with complaints about banks that do not comply with their obligations under the APP code.

Find out more about how to complain about a bank or lender.

Options when the APP code does not apply

The Court of Appeal has held that banks have a duty of care to account holders if they are making a transfer that could be suspicious.[1] For example, someone sending a large sum of money into an account overseas. The bank could be obliged to refund the money even when the APP code does not apply.

People should seek expert advice before attempting to reclaim their money through the courts.

CIFAS (the Credit Industry Fraud Avoidance System) manages the database of fraudulent conduct in the UK.

Member organisations such as banks report information to the database when they suspect a customer has been involved with fraudulent activity or they present a risk to business. The reports are known as 'markers' and warn financial institutions that a customer could pose a potential risk.

CIFAS offers protective registration for victims of identity fraud and advice on keeping identity safe.

When a person has a fraud marker

Some markers are designed to protect customers from fraud. For example, a person might see a 'victim of impersonation' marker on their credit report if they have been the victim of identity fraud. This warning reminds financial institutions to take extra precautions to ensure applications are genuine. It is on the person's file for 13 months.

Other CIFAS markers can remain on the register for up to six years. These might be added if an account is obtained with the intent to use it for fraud, or an account is taken over and used for unauthorised transactions.

Someone might not realise they have a marker against their name until they apply for a bank account or an existing account is closed unexpectedly.

Effect of a fraud marker

People with a marker on their file might find it more difficult to apply for a bank account or other financial product. Most banks won't open an account if someone has a CIFAS marker on their file.

It could also mean a bank closes existing accounts.

Remove a fraud marker

CIFAS markers can be challenged. A person should seek legal advice about this.

If someone has been told that CIFAS holds information about them, they can make a subject access request.

CIFAS has more information about how to make a subject access request.