
£53k scam sparks accountant's crusade against cyberfraud

Ruthless cybercriminals stole £53,000 from an accountant’s Revolut business account using a sophisticated type of fraud dubbed ‘account takeover scams’ by the banking industry – with the crime compounded by the fintech’s refusal to reimburse the funds. Now she is sharing her story in the hope it will raise awareness in the profession about the current cybercrime landscape.

20th Mar 2024

“They kept me on the phone long enough to make payments in the background. Right at the end of the call, the man asked ‘how does it feel we’ve just spent your money?’ He was literally gloating.”

To regular attendees of accounting events or readers of AccountingWEB, Alex Falcon Huerta is an outgoing, articulate and successful practice owner whose knowledge of the accounting technology space has enabled her to operate successfully as a digital nomad.

But last month, she was targeted by advanced cybercriminals in a sinister new type of fraud known as account takeover scams, where scammers gain access to a person or business’s online accounts. A side business specialising in offshoring belonging to Falcon Huerta lost a total of £53,000, with 40 transactions under £1,000 going out in less than 24 hours.

Falcon Huerta has shared her story with AccountingWEB in the hope that it can raise awareness among accounting professionals about current cyber threats and the compensation banks are (and aren’t) willing to pay, and help people build more defences in their operations and processes.

Revolut ‘support’ call

One Friday evening in February this year, Falcon Huerta was at a friend’s house when she received a WhatsApp message from what she believed was Revolut’s fraud team. 

She had recently opened a business account with the fintech banking provider on behalf of her firm and was still familiarising herself with Revolut’s processes and procedures.

The WhatsApp message stated it was from Revolut support, and said there had been suspicious login attempts to her firm’s business account. This tied in with several emails she had received to her registered email address from Revolut on the same subject, advising her to change her password and providing a link to do so.

Then someone calling himself ‘Lewis’ from Revolut’s fraud team called. Falcon Huerta assumed the call was related to the login attempts.

“It seemed like normal protocol, particularly as I hadn’t got around to changing my password,” she told AccountingWEB. “I deal with other banks regularly, and when making overseas payments I occasionally get calls from banks to confirm them.”

Lewis told Falcon Huerta she needed to delete the Revolut app and not install it for a while, then asked her to send the login emails to [email protected] – a fake Revolut email address controlled by the cybercriminals.

Authentication process

It transpired that once the criminals had Falcon Huerta’s login email, they were able to click through to the next step of Revolut’s multi-factor authentication process for accessing an account from a new device.

Falcon Huerta then received a text message on the mobile phone she’d registered with Revolut asking for authorisation and containing a six-digit code, which she passed on to Lewis.

He then told her two payments were pending on her account for accounting apps she uses as part of the business, which the bank had blocked, and to unblock them they’d need authorisation. She received two text messages asking for payment authorisation, which contained the amount, the name of the apps in question and an authorisation code.

It transpired that the criminals had access to Falcon Huerta’s account and had set up payments to HSBC accounts belonging to them, but using the accounting app names so they would show up on the authorisation text messages. It’s possible that both apps were chosen for this because Falcon Huerta has discussed using them on public broadcasts and social media.

Lewis then stated there were other pending payments, one to a bank for £20,000 and another two for cryptocurrencies of similar value, which Falcon Huerta couldn’t see. As she did not recognise the payments, the criminals asked her to install Splashtop SOS – a legitimate screen share support app used by IT support.

“I installed the app on my phone thinking they needed it to show pending payments,” said Falcon Huerta. “What they were actually using it for was to record my screen and take data.”

They also asked her to log in to another banking app belonging to a separate bank, as there was a payment pending from this account. 

At this point, Falcon Huerta started to realise something wasn’t right. 

“A bank would never ask me to install an app,” she said. “I told them I’d check it later and would delete the support app. But they managed to keep me on the phone long enough to make payments in the background totalling £55,000. They were all transfers of just under £1,000, and they also spent £8,000 in Louis Vuitton in Dubai.”

Before the call ended, the fraudster took time to gloat, asking Falcon Huerta: “how does it feel that we’ve just spent your money?” and stating she had been lucky her laptop hadn’t been to hand, or they would have taken more.

No reimbursement, no evidence

Falcon Huerta then got in touch with Revolut support via its mobile app and explained what had happened.

Through Revolut’s genuine support team, Falcon Huerta changed her passwords, blocked her card and managed to block one last payment. 

As part of an investigation into the case, Falcon Huerta answered questions from Revolut’s support team and provided screenshots. She also reported it to the police and passed the police report to Revolut. The conversation with Revolut’s support was all done by app. 

After more than a week, Revolut told Falcon Huerta it would not reimburse her funds because she had given them access and authorised payments by passing on the emails and codes she received. The fintech provider added it would try to recover her money from wherever it was sent, but as cybercriminals generally pull out funds immediately after they’ve stolen them, this is usually unsuccessful.

As part of its explanation, Revolut said their records showed the criminals had passed a ‘selfie check’, where a customer uses their mobile phone camera to verify their identity against a photo ID. After passing the check, the fraudsters had been able to log in and change crucial details in Falcon Huerta’s account. When asked to provide evidence of this selfie check, Revolut said they couldn’t because it was part of their internal process. 

‘Failing to take any accountability’

“Revolut allowed 40 transactions under £1,000 to go out in less than 24 hours, they didn’t stop any of them and I didn't receive notifications,” Falcon Huerta told AccountingWEB. “They allowed payments to go out to accounts that weren't actually the stated companies but were ones controlled by organised criminals. 

“[Revolut] is now failing to take any accountability for this, and not giving me any evidence as to why they are not reimbursing me,” she continued. “They left a window open, the scammers have got in, and Revolut is allowing this to happen – they are doing nothing about it.”

Currently, banks do not have to refund victims of scams, known as authorised push payment or APP fraud. However, some have signed up to a voluntary code of practice which came into force in 2019. According to the finance industry trade body UK Finance, only 64% of the money lost to APP scams was returned to victims in the first half of 2023.

However, from 7 October 2024, new rules will come into force that make it mandatory for banks to refund most APP fraud victims.

‘Invasion of privacy’

“You just don’t think it’ll happen to you,” said Falcon Huerta. “I use a lot of technology and I’m an experienced business owner. When I look back at everything written down, there are obvious red flags, but you don’t see it in the moment. You’re thinking about whether you’re doing the right thing to protect your funds, your business, your employees and your clients.

“Friends I’ve talked to about this have since told me I should always call support lines back if I’m unsure,” she continued. “It’s a tough lesson to learn and it feels like a real invasion of privacy. 

“I’m letting people know to raise awareness, even at the risk of experiencing a victimised position to scammers. I want to share information that could assist accountants and their clients so they don’t find themselves in this situation.

“I’m resilient so this won’t affect my position. It’s a minor challenge to overcome for me, but I know that’s not the case for everyone and I wouldn’t want anybody to experience something like this. I will do everything in my power to ensure the pirates don’t win.”

Revolut response

Founded by British businessman Nikolay Storonsky, Revolut offers 'e-money' current account-style banking without Financial Services Compensation Scheme (FSCS) protection or overdraft facilities. 

It has more than six million customers, but according to news outlets has recently found itself increasingly targeted by a surge in scams. Recently, Sky News reported that two customers had lost more than £200,000 after account takeover scammers gained access to their logins – with the fintech refusing to refund the losses because its multi-factor authentication checks had been completed.

With permission from Falcon Huerta, AccountingWEB raised her case with Revolut.

A Revolut spokesperson told AccountingWEB: “We are sorry to hear of Ms Falcon’s case … Each potential fraud case concerning a Revolut customer is carefully investigated and assessed independently of other cases.

“We are aware of a recent increase in advanced Account Takeover (ATO) scam attempts by criminals across the industry,” continued the statement. “Revolut is deeply concerned that large numbers of frauds are being enabled by criminals using fake and spoofed phone calls. Revolut will never phone you without first confirming via our secure in-app chat. If customers are in doubt, we encourage them to reach out to us via in-app chat for support.

“If you think you have fallen victim to a scam, freeze your cards immediately and contact Revolut customer support via our secure in-app chat.”

Replies (43)


By Tom Herbert
20th Mar 2024 13:42

In keeping with the spirit of the site we've left the comments open, but given the nature of the story, we'd be grateful if you could make your comments constructive and empathetic.

Thanks,

Tom

Thanks (4)
Replying to TomHerbert:
By Postingcomments
20th Mar 2024 21:15

Yes, god forbid anyone should be criticised or called to account for their actions.

To use modern parlance, that wouldn't "be kind" would it? Oh no!

Thanks (4)
Replying to Postingcomments:
By graemep
21st Mar 2024 11:06

Exactly what I thought.

It is not even really the "cyber" part of it that was the problem. What happened here was that a plausible conman talked someone into helping them steal their identity.

Thanks (1)
Replying to Postingcomments:
By Tom Herbert
21st Mar 2024 11:22

I think the key word you've missed in your knee-jerk reaction is 'constructive'.

We pride ourselves on AccountingWEB's community spirit and its ability to provide information that helps accountants do their jobs better.

If you've got nothing helpful to add and just want to gloat at someone who's just lost a considerable amount of cash through an innocent mistake, maybe walk on by.

Thanks (13)
By Justin Bryant
20th Mar 2024 15:26

Thank God I'm a luddite with not much awareness of these non-traditional banks or whatever they're called (fintech is it?)

Thanks (3)
Replying to Justin Bryant:
By Paul Crowley
20th Mar 2024 16:51

With you on that.
Old school banks are easier to understand, even if they are unhelpful.

Thanks (3)
By JustAnotherUser
20th Mar 2024 15:59

I urge anyone dealing with client data, running a business or otherwise to be honest with yourself and upskill yourself on these matters.

There are layers & layers of failure here by the victim. The fact they knew the victim had recently opened an account with Revolut indicates historic failure.

These scammers may fire 10,000 shots before they hit a target but they do a huge amount of work to make those 10,000 more likely to be targetable.

simple steps..
-don't give out any information if they call you
-don't share codes
-don't install anything asked of them
-set up MFA
-separate work and home social media and limit public access
-if in doubt, STOP, hang up and ring the number you know, don't be embarrassed and ask friends and family for advice

Thanks (13)
Replying to JustAnotherUser:
By petestar1969
21st Mar 2024 11:10

Agreed. I stopped reading after the bit about the victim responding to a WhatsApp message supposedly from the bank.

I mean, really?

Thanks (4)
Replying to petestar1969:
By Duggimon
21st Mar 2024 11:29

petestar1969 wrote:

Agreed. I stopped reading after the bit about the victim responding to a WhatsApp message supposedly from the bank.

I mean, really?

I think you stopped reading before then, she didn't respond to the WhatsApp message, they called her.

Thanks (0)
Replying to JustAnotherUser:
By alan.falcondale
21st Mar 2024 11:33

and be sure to clear cache so as not to leave any tokens in your browser history - case in point:
reputable training company got hacked and account details stolen/changed
https://www.youtube.com/watch?v=TU9tSY9SsZ4

Thanks (1)
By David Winch
20th Mar 2024 18:02

Very sorry to see this. Well done for publicising how easy it is to get scammed!
David

Thanks (5)
Replying to davidwinch:
By Postingcomments
20th Mar 2024 21:17

Don't worry, David. I have a load of AML documents for my practice that I totally didn't download off the internet and change a few words. I'm totally covered.

Or maybe it is my actual professional scepticism that keeps me out of trouble, as opposed to the various government rules and regs that you champion, toady to and make a living out of.

Thanks (3)
Replying to Postingcomments:
By paulwakefield1
20th Mar 2024 22:33

My God, you're a ball of fun, aren't you.

Thanks (3)
By paulwakefield1
20th Mar 2024 18:36

I was targeted recently by a very convincing well spoken man who knew a lot about me. The telephone numbers stacked up and he sent a verification code to my other phone. Fortunately my antennae were working and I said I would call back to a known number. Having tried unsuccessfully to convince me that there was no need, he rang off.

I did check with the bank and it was indeed a scam.

The above is to indicate I was lucky. There was practically nothing to alert me that the call was not genuine. It was very very convincing. I am still not entirely sure why I was suspicious.

Be careful out there. There is always a risk you can get taken in. They are getting very good at their job.

PS Just had an email from a client. Properly addressed, narrative that made sense apart from a missing full stop. And a very dodgy attachment.

Thanks (5)
By Postingcomments
20th Mar 2024 21:35

I think part of the problems people have is the way they have been conditioned to act, in general.

- If you say "no", you are labelled as stubborn, objectionable, unhelpful. People are encouraged to say "yes" and comply with whatever diktats are imposed by the state or that companies think they can insist on. A lot of the time, I think people don't want to feel uncomfortable.

- We have been given this idea that everything is up for discussion and the "middle ground" is probably best. No. Some things are off the table. On some things, there is no middle ground, I am simply not agreeing to it. I am not doing it. I'll live my life, you live yours.

Try saying "no" a few times. It really does take people by surprise as they are used to people being cowed and doing what they are told, regardless of the rights or wrongs or the power the other party often doesn't have.

If they want to have a debate. Again, you can just say "no". That is also ok at times. If someone calls you, you are under no obligation to discuss or to "be nice". If you don't want to talk, then don't. If people send you messages and you don't want to respond, then don't. Might be wise, especially if they are talking about your banking.....

Thanks (4)
Replying to Postingcomments:
By FactChecker
21st Mar 2024 00:57

What I honestly don't understand is why Alex (or indeed anyone else who does what's asked of them) is so compliant: (a) when contacted out of the blue by someone unknown, and (b) when the topic relates to money.

That's not intended to be unfeeling, but it staggers me.
I'm not naturally suspicious, let alone paranoid, but EVERY contact I have with an institution on financially-related matters is initiated by me - not by them.
On those very rare occasions (a handful in the last 20-30 years) that, say, Barclays or Standard Life or whatever has called me (or nowadays texted me) on an unsolicited basis - I do the following:
* If a phone-call - tell them I'm not interested in whatever they're selling and that the call is being re-directed to the Police ... before immediately ending the call.
* If a text message - simply delete it.
Only if the call/text/email makes reference to security or a transaction will I make a *separate* call to that organisation's fraud dept (who will welcome a copy of what you received and confirm, in nearly every case, that it is fraudulent).

I said at the start that I was staggered ... because these institutions, if a valid call, only contact you to sell you something (unwanted), or of course are not who they say they are (same difference just less legal). So there's no incentive to engage.

Final point ... whether suspicious or not of the contact that you've just ended, I would always go to a different device and change your password immediately.

Thanks (6)
Replying to FactChecker:
By paulwakefield1
21st Mar 2024 11:26

"because these institutions, if a valid call, only contact you to sell you something (unwanted)"

Not the case. Having just had a bit of a "challenging" time with what I was convinced was a scam and turned out to be a major high street bank in respect of an organisation that I am treasurer for. They actually made the scammers look very professional. And they weren't selling anything - a long and rather boring story related to KYC and other stuff (all problems of the bank's own making).

At one point, the only way I could prove a telephone number that I received unsolicited from them was genuine was to ring at 5.05pm to discover the offices were shut - clearly not a scammer then.

Thanks (1)
Replying to FactChecker:
By cereus77
21st Mar 2024 13:15

All very well but a routine action in case of suspected fraud by a bank or credit card company is to send you an SMS asking you to call their fraud department. Usually they put your card on hold until you do.

Thanks (0)
Replying to Postingcomments:
By Open all hours
21st Mar 2024 06:59

Maybe it’s cynicism developed over too many years but through practice I’ve learned that it is easy to say ‘no’.
HMRC have never passed my security when they have rung me.
Software ( and any other) marketing callers get a negative response to their cold calls.
The 4 banks I use never ring me and if they did I would not believe it was them.
How anyone ever persuades themselves to hand over bank details to any clipboard warrior for a £3/month charitable donation or whatever is beyond me.
It may not be completely foolproof but it has worked so far.
Accept nothing.
Believe no one.
Check everything.
Double Check.

Thanks (3)
By Paul Crowley
21st Mar 2024 10:17

A good few years ago I went on an ACCA practice society Saturday conference. One of the four topics was Cyber security.
The expert that gave the seminar was asked about his banking. The expert did not bank on line.

Thanks (3)
Replying to Paul Crowley:
By graemep
21st Mar 2024 11:13

People who work in technology are far less trusting of it than everyone else, because we know just how bad a lot of this stuff is. The quality of most things is far closer to something like the Post Office's Fujitsu system than one would like to think.

I did not even get a smartphone until two years ago.

The problem is that it has become more and more difficult not to do things online. Fewer branches, long waits on the phone, app authorisation for card payments, and a lot more.

Banks also often encourage bad practice. I once got an automated call from a bank that asked me to provide details to authorise a (genuine) large card payment.

I also far prefer to use web banking to mobile apps. The level of security is far more visible (most of the code can be examined, so it's "auditable"), and I can do many things to guard myself. With an app you are blindly trusting that whoever wrote it did their job well. However, this is no longer an option for one credit card (it's app only).

Thanks (1)
By paulwakefield1
21st Mar 2024 11:00

The " I would never fall for it" responses always entertain me on these sort of threads. I have met enough people who were equally confident until it was too late to know that anybody can be caught out.

99.5% of the time you will spot the scam; it's the other 0.5% (other invented statistics are available) where you get a very good scam and you are distracted by other important matters that the risk happens.

Thanks (8)
Replying to paulwakefield1:
By FactChecker
21st Mar 2024 13:53

Think you're painting with too broad a brush there ... not all the responses (certainly mine) said "I would never fall for it" - but a more nuanced "there are warning flags which should be heeded" (and that by the sound of it Alex didn't).
That is neither smug nor accusatory - but simply, in the spirit requested by Tom, proffering points that may assist others.

FWIW at the more doomy end of the spectrum, just wait 'til the human scammers are replaced by AI.

There was the terrifying story on here a few weeks back of the mouth-watering sum 'mis-directed' (in Singapore IIRC) via a complete suite of AI that included deepfake simulations of the board members in a virtual meeting ... apparently discussing and then authorising the transaction (which not surprisingly fooled the button-pusher).

And you may recall a news item more locally last month ... the Willy's Chocolate Experience in Glasgow (which turned out to be a fairly empty warehouse with minimal decoration and a few disheartened actors). Apparently the whole 'scam' was created by AI ... the concept, the marketing / advertising, the actors' scripts, etc ... and basically nothing (other than the punters' money) was real!

My moral? It's gonna get a lot harder to detect when someone's trying to scam you.

Thanks (2)
Replying to FactChecker:
By paulwakefield1
21st Mar 2024 14:08

Fair comment. I wasn't directing at any one in particular but there certainly seemed to be a flavour coming through. And I was as surprised as many when I read the article. But it did reinforce my impression, born of experience, that anyone can be caught. And, as you say, it is going to get worse.

There, but for the grace of God,............

Thanks (2)
By Beancounter55
21st Mar 2024 11:09

Approximately 12 years ago my office was called late on a Friday afternoon by someone claiming to be from our bank’s fraud department. He told the credit controller, who took the call, that someone was taking money out of our account in Singapore; he then said that there was no need to check online as the system wouldn’t show the transaction as taking place.

The credit controller said that she would pass the call onto the FD which she did, plus telling me that she hadn’t told the caller the name of the FD. I answered the call without giving my name so, after the introduction, was asked whether I was one of two directors on the mandate. He got my name correct but didn’t use the normal name for my colleague. He wanted me to do something but I refused and told him I would call the bank’s fraud department and terminated the call.

Not surprisingly it was a scam. We have been told about these scams for so long it still surprises me when I read of people being suckered in and giving the scammers access to their accounts. Maybe I am just too old and hence too sceptical - after all, there is no such thing as a free lunch, and banks don’t normally ring you up to ask for you to change logon details.

Thanks (2)
By Beach Accountancy
21st Mar 2024 11:21

Would this be the same Revolut that still hasn't got a UK banking licence?

Thanks (5)
By Self-Employed and Happy
21st Mar 2024 11:22

I'm sorry, right from the start there were so many red flags.

Without being completely rude I feel that the younger generation are more automatically cottoned onto this type of thing as they obviously use technology and have that type of "scam" be aware of mentality ingrained.

The exact point where I would have just stopped the call is when I'm being called and being asked personal details etc, I've had this situation before and I've simply said I will call you back on the bank's helpline and they can put me through if needed.

Thanks (0)
By Duggimon
21st Mar 2024 11:28

If you:

- Read and follow your bank's instructions on security, passwords, account details and security codes.

- Don't talk to the fraud department on the phone unless you call them.

- Don't use WhatsApp for 'secure' communications

then you're impervious to virtually every single one of these scams.

I do have sympathy for people caught out like this though, in saying it's not hard to avoid you could as easily say if you bulk up and carry a truncheon you're way less likely to get mugged, the actual fault clearly is entirely with the criminals committing the theft though. I don't want to switch blame to the victim, it's just it really is not that hard to avoid being caught by this, education is so important.

Good on Ms Falcon Huerta for speaking up on what happened to her, it could very much be painted as her own fault it happened because it was entirely avoidable but it's only avoidable if you first know the key things to do and to not do and the more these stories are spread the more people know.

Thanks (5)
By mhkay
21st Mar 2024 11:30

Does anyone know why the security codes sent to someone's phone under two-factor-authentication are available to anyone glancing at the phone, without them needing to log in to the phone first? Very handy when my security code for a shared credit card is sent to my wife's phone while she's in the bath, but terribly insecure.

Thanks (0)
Replying to mhkay:
By Duggimon
21st Mar 2024 11:44

It's a setting on your phone, you should look up how to turn it off. My lock screen shows if I receive a text but I need to unlock it to see who it's from and the first line of the message.

Thanks (2)
Replying to mhkay:
By paulwakefield1
21st Mar 2024 11:47

You need to change the settings on your phone so that they can only be viewed post log in.

Edit: Duggimon beat me to it.

Thanks (0)
By G-BIZ
21st Mar 2024 11:58

Always good for people to share instances like this to warn people of the ease of it happening to a financial professional but as others have said, if you follow all the protocols the bank has in place and the advice they constantly give any time you log into apps or websites and by email it is much less likely to happen to you, never ever provide full log in details as the bank will never ask for them and always have 2 layer authentication in place where possible for added security and never share codes. Online fraud is easy work for criminals if they catch people at the time and off guard and I am frequently being contacted by clients who receive phishing texts or emails claiming to be HMRC asking them to call a number or follow a link to apply for a tax refund or update contact details due to returned post asking if it's legit.

Thanks (1)
By Newbie In Town
21st Mar 2024 13:47

Let me start by saying that I am empathetic to the fact that a sum of money has been stolen.

However, it is more than a little concerning to me that a digital nomad who owns multiple digital businesses and regularly gives talks and writes articles on the digital accounting (and associated) world was caught out in this manner! Giving the two-factor authentication code to the caller is a massive no-no, all financial organisations tell you NEVER to do this, and that they will never ask for it.

And forwarding the login emails, why would you do that? You are only asked to forward emails when you have received one you believe to be fraudulent and are pro-actively reporting suspicious activity to the financial institution concerned.

This is pretty basic, common-knowledge stuff - or at least it should be for someone operating in the digital playground.

This begs the question of just how qualified Ms Falcon Huerta is to be profiting from providing digital services and writing and speaking as though she is some kind of oracle on such when she is so naive to be caught out this easily in such a basic manner?!

Thanks (5)
Replying to Newbie In Town:
By garyturner
21st Mar 2024 14:45

I think the real lesson for you here should have been that if someone as capable as Alex can fall foul of something like this, then anyone can.

These kinds of scams precisely rely on the fact that people often live hectic lives, answering and dealing with multiple streams of communication daily and often overlapping each other.

Which is precisely when our guards are down, and it's all too easy (and human) to unwittingly forget all the sensible advice and guidance we've all learnt about looking out for scams.

I'd consider myself tech-aware and savvy, but even I've caught myself clicking on a link inside a seemingly plausible phishing email whilst on a telephone call at the same time in the middle of a manic afternoon.

And these scams are only going to become much, much more authentic and plausible with AI.

Alex could have remained silent about her experience but chose to hold herself up as an example of how easy it is to fall into these for the benefit of us all. She should be applauded for doing this, not ridiculed.

Gary Turner

Thanks (6)
Replying to garyturner:
By FactChecker
21st Mar 2024 15:57

I agree entirely with your opening paragraph and most of your concluding one, but not much in between.
Or more precisely, I also agree with the factual side of your middle paras - but not the "it's all too easy (and human) to unwittingly forget all the sensible advice and guidance we've all learnt about looking out for scams" and its follow-ons, if that is meant to suggest 'no fault'. Just ask the financial institution!

Easy yes, but so are most things that anyone knows are unwise but still does (such as crossing the road without looking properly, having just one drink before that important meeting, mouthing off at the person who's just annoyed you despite them being twice your size, and so on) - that's why they happen.
Humans who lose control (if only momentarily) default to the option that is easy ... but that doesn't provide an excuse, just an explanation.

Which is why I'm torn by your final sentence: "She should be applauded for doing this, not ridiculed."
There's no excuse to ridicule anyone (almost anytime, anywhere), but 'applauded'?
I'm happy to applaud anyone who owns up to their shall we say 'mis-steps' (Alex's story is littered with examples of "Falcon Huerta assumed" and the like) ... but I don't applaud the need for what feels like public breast-beating, especially since it doesn't really uncover or promote helpful actions that aren't blindingly obvious to most people already.

As it stands, and as you allude to in your own admission that "I've caught myself clicking on a link inside a seemingly plausible phishing email whilst on a telephone call at the same time in the middle of a manic afternoon" ... we all make mistakes / cut corners / fall foul of misplaced confidence. But that's not to be praised, just acknowledged and hopefully learned from as part of life.

Thanks (1)
Replying to garyturner:
By crofte
24th Mar 2024 19:51

Totally agree with you! Distraction is one of the biggest issues even for tech-savvy people - it doesn't matter how convinced you are that you would NEVER fall for a scam, we really all are susceptible and being over-confident about knowing all the things to do to avoid it doesn't help when you are being socially-engineered by a skillfully AI-created email/call. I did a thesis for my degree about Authorised Push Payments and I can assure you, even people who are aware of the risks can be scammed! Like you, I have the highest admiration for Alex for highlighting how it can happen to anyone, and for also pointing out how Revolut have really not yet put in place those irritating, time-consuming, dumbed-down checks which are there to protect us all.

Thanks (0)
By Francesmp
21st Mar 2024 16:37

Alex, I am sorry to hear of your misfortune. Thank you for being so honest and sharing what happened. It's not easy to do that but it really does serve as a reminder to the rest of us to be wary.

Thanks (0)
By Caber Feidh
22nd Mar 2024 00:09

The AccountingWEB newsletter with this article from Tom Herbert on how poor Falcon Huerta fell victim to a cunning scam also carried an article from him on ten ways accountants can use ChatGPT. So I did the obvious, and asked ChatGPT 4 (the paid-for version) two questions:
(a) You are an expert in the security of online banking. Tell me what I must do - or not do - to avoid being scammed.
(b) What should I do if I am called by someone who claims to be from my online bank, who notifies me that there has been suspicious activity on one of my accounts and who then says that they will guide me through what I must do to defend myself?
The very helpful responses on secure online banking practices are too long to include in this discussion thread but can be found via the link https://chat.openai.com/share/11f986d9-3c67-4757-9d5c-7ba7dd79cad7. Bearing in mind the advice in Tom’s article, readers may wish to ask themselves if they feel lucky.

Thanks (0)
By philrob
22nd Mar 2024 19:44

Agree a challenge phrase.

Most banks will let you do this. Even if only an entry in the notes.

If they ring you, ask them for the challenge phrase. No phrase, then end the call.

Thanks (1)
Sarah Douglas - HouseTree Business Ltd
By sarah douglas
25th Mar 2024 10:22

I always think it takes a lot of bravery to tell someone you have been scammed.

I believe anyone can be scammed, and I have seen it happen.

I also understand people saying, how could you fall for that?

However, looking back, hindsight is always great. I am sure of one thing, though: reading their stories will help many not fall for a scam.

I remember the one about your child losing their phone or how fraud was caused by stolen phones in a gym.

I learnt to change quite a few settings on my phone from Radio 4 after.

Yes, I am pretty convinced I will never be scammed, but I could be because scam artists are very good at what they do.

Thanks (2)
By SuperAccountingSteve
25th Mar 2024 15:30

I've dodged a couple of bullets, some personally and some at work. The scammers hit the jackpot when by chance someone they choose can relate to what they've said, e.g. "have you tried to make a business payment today?" as it was in my case when being called by someone supposedly from Barclays Bank, also a hit as it was Barclays with whom our business banked. You can feel your mind/thought processes trying to make it fit, and I guess the scammers are aware of the biological/psychological responses and how to maximise them in their favour with their words. In my case the scammer was well spoken and plausible.

I'm now thinking to be resolute, no matter what you think, you don't talk to a financial institution representative that has called you; you have to ring them. You cannot wholly trust yourself.

We should build more prisons, and start investing and bringing these people to justice, they are causing a lot of pain in the world.

Thanks (0)
By paulwakefield1
26th Mar 2024 14:47

Had a couple of dodgy texts earlier purportedly from my bank. The first came up with the bank's number saying there was an unusual transaction they would text me about. The second came apparently from a mobile number detailing a foreign currency transaction asking me to text back confirmation of whether or not it was genuine.

Naturally I just ignored them.

Thanks (0)
Replying to paulwakefield1:
By paulwakefield1
26th Mar 2024 14:49

In an idle moment over lunch, I rang the bank.

Turns out they were genuine texts and there was an iffy transaction on my card. :-) :-)

Thanks (0)