A Manchester woman lost £95,000 she inherited from her father in a sophisticated bank transfer scam. After a year-long battle she has managed to retrieve two-thirds of the cash.
Sally Flood enlisted the help of a law firm specialising in cybercrime and data breaches, and while she is pleased to have recovered a good chunk of what she had lost after “the year from hell”, she is furious about being left £35,000 out of pocket.
While her conveyancing solicitor’s email had apparently been hacked, she believes Lloyds Bank has questions to answer after the cash was paid into two of its accounts and then quickly withdrawn. “What I’d like from them is the rest of the money I’ve lost – I’m sure they wouldn’t miss it half as much as I’m missing it. I’m £35,000 down, and I’m sure that’s a drop in the ocean for them, but for me that’s a massive amount of money – it’s life-changing,” the 53-year-old says.
Spool back to a few days before Christmas 2018, and Flood had been looking forward to completing the purchase of an investment property for her children using money recently left to her in her father’s will. At the time, she was in regular touch with her conveyancing solicitor via email and telephone.
When she received an email purporting to be from her solicitor asking for a transfer of funds, she sent the first instalment – £50,000 – and then emailed a member of staff at the firm’s office to check the money had been received. She received a reply confirming receipt, and the following day, as requested, she paid the balance of £45,750. This was deposited into another Lloyds account after she was told the bank details had been revised because of an ongoing audit.
Flood, who works in a Stockport secondary school, says her heart sank when her bank (not Lloyds) later rang to say that Lloyds had noticed a discrepancy in the payee name. “I phoned my solicitor immediately, only to have them confirm their system had been hacked. The first email asking for the funds transfer looked very authentic. When I received a second email in response to mine, confirming receipt of the first transfer from my solicitor, I felt reassured and made a further payment.
“The fraudsters banked with Lloyds and, while the bank was able to refund an unspent £4,000 from their account, I have been advised they are unable to retrieve the remaining £35,000,” she says.
Fraud in the UK payments industry has soared. This type of scam is known as “authorised push payment” fraud and includes cases where email accounts – either those of individuals or the companies or tradespeople they have employed – are hacked in order to trick consumers into sending large sums to criminal accounts. Guardian Money has featured a number of these cases, and more than £1m a day is being lost to such scams.
Flood says a total of £95,750 was paid into the two Lloyds accounts and, shortly after, £91,280 was withdrawn. In February last year, £4,470 was recovered and returned. In a letter to her MP, Lloyds said “regrettably, as no further funds remain in the receiving accounts, we are unable to recover any more of the money transferred by Ms Flood”.
The bank added that “due to data protection, we are unable to disclose any information relating to the accounts”, but before that it had no knowledge of fraudulent activity, or concerns about the way the accounts were opened or managed.
Flood decided to enlist the help of Hayes Connor Solicitors, which specialises in data protection breaches and other cyber offences. Kingsley Hayes, the firm’s managing director, says: “The emails sent to my client were very authentic, containing details of the property being purchased and the desired date of completion, so Ms Flood had no reason to question it or anticipate that it may have been fake. They had hacked her solicitor’s email system.”
He says the firm investigated the crime and retrieved £57,000 from Flood’s conveyancing solicitor, as it was responsible for the lack of robust security measures on its system. “Unfortunately, as the incident took place before new consumer protection rights were introduced at the end of May 2019 via the new voluntary code of conduct, it will be difficult to retrieve the remaining stolen monies,” Hayes says.
This code requires banks to reimburse affected customers who meet the criteria. Meanwhile, from the end of March this year, name checks will be carried out when UK bank customers send money to other people as part of a regime known as “confirmation of payee”.
Flood says: “There are some outstanding questions that we would like answered by Lloyds … If they can prove they have done everything right, I’d walk away, but I don’t think they have.”
She suggests accounts receiving large sums of money being transferred to a different payee name, which was then withdrawn within a very short period, “should perhaps have caused some checks to be made by Lloyds”.
Flood advises others to be vigilant when transferring large sums: “This has been a lengthy and very painful fight … Our lives have been on hold since this happened. I blame myself and feel anxious and upset. It’s a lot of money to lose, and it’s even more upsetting because it was money left to us by my dad that was supposed to be for my children’s future.”
A Lloyds spokesperson told Money: “We have a great deal of sympathy for Ms Flood as the victim of a scam. We use sophisticated, multilayered procedures to prevent fraudulent account applications. In this case, both accounts passed all the relevant identity and verification checks. Once notified of the fraud we acted immediately to freeze the accounts, which allowed us to return the remaining funds to Ms Flood. We will continue to cooperate fully with the police with their investigation.”