Serious Account Takeover Scam
Revolut Customers Warned About Scam
Targeting Business Accounts

Consumer affairs magazine Which? has released details of two Revolut business banking customers whose accounts were drained as a result of a sophisticated account takeover scam.

Tom’s story

The first victim, Tom, received a number of calls from an unknown number and only eventually answered as he was expecting a call from a supplier. On the other end of the phone, the caller claimed to be contacting him from Revolut’s fraud department regarding suspicious transactions on his account. He was passed to several different ‘departments’ while on the phone and told to respond ‘block request’ to a genuine email from Revolut asking about a new login, and to delete and re-download the app.

Because he re-downloaded the app, Tom was sent another (genuine) text with an authorisation code to gain access to the app, which he shared with the individual on the phone, whom he believed to be calling from Revolut.

Unfortunately, the caller was a scammer impersonating the bank, who had now successfully got around Revolut’s security checks. Shockingly, the scammers were also able to pass the online bank’s ‘selfie’ authentication, which involves the account holder sending an image or video of themselves to confirm ID. It is still unclear how this was achieved.

The scammers set up and sent small-value transactions to new HSBC payees under names like ‘Revolut fees’ and ‘Revolut fees care’, which Tom approved as he still believed the caller to be legitimately calling from the bank. The scammers proceeded to make 140 transactions, totalling £180,000, in just over an hour.

Unfortunately, Tom still had not uncovered the scam, so when he was instructed to visit a web chat website that would help the ‘fraud department’ secure his account, he did as he was instructed. In fact, the link he was given was actually for an ‘Anydesk’ remote access session, which gave the scammers full control of his laptop, which was also already logged into a separate bank account with Wise, which they used to transfer themselves a further £28,000.

A text alert from Wise finally helped Tom see through the deceit, and he immediately hung up the phone to the scammers, exited the screen sharing on his laptop and reported the scam to Revolut via in-app chat (the only contact method Revolut uses for conversations with its customers). Between Revolut and Wise, Tom was able to recover some of the transactions, but he still suffered a total loss of £165,000.

Anna’s story

Anna was already on alert about potential Revolut scams, as her accountant had been targeted previously and had warned her to expect a call from Revolut about the data breach. Unfortunately, this made the scam all the more believable – and her accountant also later lost around £80,000.

Anna was contacted in the same way as Tom, via a telephone call from an individual claiming to be from Revolut’s fraud department regarding suspicious transactions; however, as she was on holiday with family at the time and unable to access a stable internet connection, she is sure that she did not approve any security checks that would allow the set up of a new device (such as the codes that Tom shared).

In less than 10 minutes and 38 separate transactions, Anna’s business account had been drained of £40,000. She reported the fraud to Revolut again via the in-app chat facility, and after nine days of conversation, she was told the bank would not refund her money.

Unfortunately, the conclusions of both Tom’s and Anna’s stories were not positive. In both cases, Revolut stated that because its multi-factor authentication checks had been completed in all cases – i.e. an initial email to confirm a login from a new device, an SMS authentication code to their registered phone number, and a ‘selfie’ to finally access the account – it would not refund the victims’ losses.

Frustratingly, although both victims requested copies of the photos used for the selfie authentication step – as neither completed this step themselves – Revolut has also refused to provide them, citing data protection laws.

A Revolut spokesperson approached by Which? commented:

“We are sorry to hear of (these) cases and any instance where our customers have been targeted by ruthless and sophisticated criminals. Each potential fraud case concerning a Revolut customer is carefully investigated and assessed independently of other cases. We are aware of a recent increase in advanced Account Takeover (ATO) scam attempts by criminals across the industry.

“We are continuously strengthening our fraud controls to stay one step ahead of this trend, introducing further direct interventions and sharing educational materials with our customers so they are able to spot the social engineering tactics of criminals.”

Tom and Anna have been instructed to escalate their complaints to the Financial Ombudsman Service (FOS).

While devastating, this type of account takeover scam is not new. It is just a twist on an old classic used by scammers to take unsuspecting victims’ money, known as authorised push payment (APP) fraud.

APP fraud is the umbrella term for scams where the ultimate goal is to move victims’ money straight out of their account and into the scammers’ account by circumventing some or all of the bank’s security measures. Often, these scams will involve an element of impersonation and manipulation so that the victim believes that the transactions are genuine and are helping to secure their account or pay for a service. Because the victim does not always spot the scam straight away, and the money is moved from their bank account instantaneously, the scammers usually move the money swiftly on, which makes it extremely difficult to recover.

Banks and financial institutions in the UK are – or should be – aware of these types of scams and should have robust systems and processes in place to detect or deter the scams as they happen, including:

• Providing scam warnings throughout the transaction process.
• Halting or pausing the transaction if the activity is suspicious.
• Contacting the customer directly if the transaction activity is out of the ordinary.

If Revolut refuses to reimburse the money you have lost due to an APP scam, and you do not believe that it has sufficiently had these processes in place, then you may have the basis to make a complaint to the Financial Ombudsman Service (FOS).

FOS is an independent, Government-backed body responsible for resolving disputes between financial institutions, such as Revolut, and their customers.

Sarah Spruce, Legal Director and Head of the Fraud and Scams team at TLW Solicitors commented:

“Clearly, scammers are keeping themselves up-to-date with the latest advances in bank security technology — such as selfie authentication — and so banks should also be keeping themselves up-to-date with the latest trends in scams, but Tom and Anna’s stories show that they clearly are not — or aren’t doing so sufficiently.

“You should be able to rest assured that, as long as you are not personally negligent, your money will be safe with your bank. If they have not carried out their responsibility to protect you and your money, you should know where to turn. My team supports APP fraud clients with bank complaints and FOS applications every day, with huge success, so please get in touch! Do not feel embarrassed or ashamed about what has happened – you are not alone and specialist help is available.”

TLW Solicitors successfully helped Revolut client Ms D recover over £11,000 she had lost to an APP scam on her personal account, in very similar circumstances to those experienced by Tom and Anna.

Ms D initially took her case to the Financial Ombudsman Service without help, after Revolut told her that the loss was her responsibility, but it was rejected. She then contacted the team at TLW Solicitors who reviewed and agreed to take over her case, collating her appeal for the Ombudsman and, ultimately, succeeding in securing her a full refund.

Our successful client said of the case:

“Without TLW’s intervention with the appeal, I do not think I would have been successful in securing compensation for the scam.

“Their knowledge of the financial regulations and important factors that I hadn’t even considered, such as my medical records, were crucial to bolstering the complaint and getting a successful outcome for the claim.”