.svg)
UK consumer watchdog Which? has issued a new warning on account takeover fraud at Revolut, based on the experience of two customers whose accounts were drained by scammers.
"Tom", 29, and "Anna", 36, lost a combined £205,000 when their Revolut business accounts were taken over by scammers just two days apart in early February.
The victims, whose real names have been changed, contacted Which? in the hope of increasing their chances of reimbursement — which Revolut has so far denied.
In both cases, the victims were targeted by fraudsters who posed as members of Revolut’s fraud prevention team.
Tom was hit first, when he received two calls from a private number in quick succession, and picked up as he was expecting a call from a business contractor.
The fraudsters told him they believed his account had been compromised, and asked him to follow their instructions to secure the account.
Tom then received an email from Revolut asking him to confirm that he had logged in from an unknown device.
He was then instructed to reply to the email with the words "block request", and then uninstall and reinstall the Revolut app.
This triggered a security code sent by text, which he shared with the fraudsters, on the understanding that it would be used to secure his account.
In reality, this enabled the fraudsters to pass one of Revolut's customer authentication checks.
After this, the fraudsters passed a final authentication by providing a selfie of Tom (it remains unclear how they obtained the selfie, and Revolut has refused to provide a copy of the image).
Once into the account, the fraudsters then set up several new payees to receive the funds that they were about to steal.
All of the new payees were HSBC bank accounts, given nicknames such as "Revolut fees".
Each newly created payee triggered a six-digit security security code check, and Tom did as instructed and provided the codes to the scammers, thinking that this would restore his account.
On the contrary, once the new payees were authorised, the scammers made 140 transfers to their own accounts in little more than an hour.
The account was drained of its entire £180,000 balance, but Revolut cancelled £15,000 of transactions after Tom reported the fraud, bringing his total losses to £165,000.
Anna was hit by similar tactics, except she maintains that she did not allow the fraudsters to take control of her account, since she was abroad with family at the time and had poor internet access.
In Anna’s case, the fraudsters made 38 transfers in less than ten minutes to HSBC accounts with nicknames such as "Google Workspace" and "Uber Uber".
After nine days of communicating with Revolut by chat, Anna was told in a “dismissive email” that she would not be refunded. Tom was told the same.
Inadequate controls
In addition to Which?, Tom connected with Jonathan Frost, a fraud and law enforcement expert and board member at the Stop Scams Alliance.
Speaking to Vixio, Frost said he has “direct knowledge” of the case, and is now supporting Tom in his efforts to have his losses reimbursed.
Describing both Revolut and HSBC’s failures as “egregious”, Frost said it is “crucial” to note this was not an authorised push payment (APP) fraud, since the fraudsters had taken control of Tom’s account.
“The losses are the result of unauthorised fraud, with the customer being the subject of complex social engineering,” he said.
The fraudsters were able to pass strong customer authentication (SCA) checks because they convinced Tom to hand over the verification codes that were sent to his device.
They then input these codes to their own device in a different location (and with a different IP address), and yet this still failed to trigger a lockdown of Tom’s account.
When making the payments to their own HSBC accounts — both through faster payments and by card — the fraudsters underwent confirmation of payee (CoP) checks.
But since they knew that their false nicknames would result in CoP mismatches, they were ready to accept the mismatches and proceed anyway.
Frost said it is “not uncommon” for PSPs to allow customers to proceed even when there is a CoP mismatch, though it is widely considered to be a red flag for account takeover fraud.
“I think both Revolut and HSBC should take a look at why they apparently don't treat CoP mismatches as a risk indicator,” he said.
Nonetheless, based on the subsequent account activity, the abnormally high transaction volume, values and velocity should have triggered action from both PSPs, Frost added.
In a statement shared with Vixio, a Revolut spokesperson said: “We take a data-driven approach to identify scam activity and use sophisticated fraud modelling for both inbound and outbound transactions to protect Revolut customers from falling victim to fraud.”
This includes “clear, unskippable warnings and direct interventions by our specialist fraud prevention teams.”
Will Tom be reimbursed?
While Which? encouraged Tom to “escalate” his complaint to the Financial Ombudsman Service (FOS), Frost said he “hopes” that will not be necessary.
“The more publicity, the more likely it is that Revolut will capitulate,” he said. “But if this is [its] final decision, then his only route is the courts or FOS.”
In Frost’s view, Tom is on strong legal ground under the UK’s Payment Services Regulations (PSRs) 2017 — a transposition of the EU’s second Payment Services Directive (PSD2).
Under the PSRs, a payment service provider (PSP) is required to reimburse customers for unauthorised or fraudulent transactions, unless the PSP can prove that the customer acted with “gross negligence” in failing to protect their account.
As an aside, Frost also noted that under PSD3, the EU’s forthcoming payments regulation, the account takeover techniques used by the Revolut fraudsters are “specifically addressed”.
However, after Brexit, the UK is no longer obligated to align its own regulations with PSD3.
