EXCLUSIVE Loophole exposes Revolut customers to scammers: How fraudster went on £62K Selfridges spending spree with victim’s card… but e-money giant can refuse refunds because it is NOT a bank
- A business lost £62,000 after scammer tricked them into handing over details
- Have you been affected by fraud? Email: [email protected]
When Thomas Crooks opened his small business’ Revolut account one Tuesday in January, he got a very nasty surprise.
Unbeknownst to him, a fraudster had stolen his card details, walked into Cartier in Selfridges, and spent £62,000.
A second payment, of a similar amount, was blocked by the online payment platform, which is not a licenced bank in the UK.
Panicking, Mr Crooks and his wife Jenny frantically tried to get in touch with Revolut.
Thinking back, the couple remembered a phone call from the previous day, when a man, seemingly calling from the Revolut number, asked to re-authenticate their Apple Pay.
Revolut was founded in 2015 and is registered in the UK as an e-money institution but does not have a banking licence (file image)
Co-Founder Nikolay Storonsky has previously blasted the Financial Conduct Authority for being slow with Revolut’s UK banking licence (pictured in 2018)
Trusting that the call had in fact come from the banking platform because the scam artist had Mr Crooks’s name, address and card number, they had told him the pass code which the scammer said he’d sent to them.
That was all the fraudster needed to download their card on to his phone.
How to keep your money where you want it – in YOUR bank account
Cybersecurity expert James Bore explained the simple rules he follows to stop scammers.
- Keep a small amount of money in Revolut and similar platforms
Use the app like a cash wallet, James advises, to minimise the risk of large losses.
- Use one-off cards for online payment and subscriptions to protect your data from leaks
Revolut allows users to generate one-off cards with new numbers for transactions. The platform
- Do not trust that the number on your phone is the bank calling
If you are called out of the blue, ask the agent for a reference number, hang up and then call the bank on the number that is listed on their website or on your card.
If it is your bank calling, the person on the phone will be perfectly happy to assist you.
If it is a fraudster, they will try to keep you on the phone. Hang up immediately and report the incident to your bank or e-money platform.
The couple say that Revolut has been difficult to contact and has tried to fob them off with generic emails and denials.
Revolut, which was founded in 2015, had 15.1million users in 2021 and more than a million people used their account daily.
Its founder and CEO, Nikolay Storonsky, created the platform to provide cheaper currency transfers and the fintech is backed by the Bank of Lithuania, which granted it a European banking licence in 2018.
Following a bombshell report into the disabling a sanctioned transaction procedure in 2019, the UK government indefinitely
Revolut reapplied for a UK banking licence in 2021 but the Financial Conduct Authority have not yet approved the e-money institution.
Mrs Crooks told MailOnline that the family’s startup business had been using the Revolut account to manage its expenses.
‘We’ve found that these online banking platforms are seemingly an easy way of managing business expenses online.
‘High street banks don’t have the same infrastructure that these online banks, if you can call them that, do. In terms of expenses and stuff like that, it’s quite a lot easier because their apps are quite advanced.
‘We went for ease, basically. What would work for a startup company, something that would allow us to expense easily and it seemed to tick a lot of boxes.’
She said before the fraud they had assumed that the platform – which does not have a banking licence in the UK – was the same as other banks.
‘It’s not obvious, it’s not glaringly obvious that they’re not a registered bank. I think if people were aware of that, they would think twice about it.
‘Obviously now there’s things that have come out that kind of ring alarm bells and perhaps if we’d known at the time we’d have been a bit more cautious.’
Mrs Crooks said there hadn’t been any notifications about the transaction, which was made using Apple Pay.
When she asked Revolut why they hadn’t received a notification and why the payment hadn’t been blocked, an agent replied that because the transaction was made using Apple Pay, it hadn’t been through some security protocols.
‘In fact, our team was able to verify that the above-mentioned payment was authorised through Apple Pay.
‘Using Apple Pay means you don’t have to go through 3DS authentication as that security is built-in. Hence, the reason you were not contacted before such a large transaction.’
Apple Pay is not responsible for authorising cards used by customers and it was Revolut’s responsibility to pick up on the irregular spend.
Mr Crooks had £62,000 stolen from his Revolut account after a scammer, who called pretending to be the online money platform, spent the money in Selfridges using Apple Pay (file image)
The couple have reported Revolut to the financial services’ complaint body, the Financial Ombudsman Service, but don’t think they will get any of their money back.
‘I don’t know how else to get somewhere with it because they’ve just basically wiped their hands of it with one really generic c****y email,’ Mrs Crooks said.
Crypto concerns about Revolut
Ministers are preparing to impose stricter rules on the crypto trading offered by online platform Revolut.
‘Staking’, which sees investors deposit their holdings of crypto in hope of double-digit returns might face new controls.
Revolut, which offers the chance for its users to invest in more than 100 crypto currencies, started a staking service last week.
US regulators recently shut down staking platform Kraken and have said that the process is similar to lending and should be regulated.
Revolut told The Telegraph: ‘Revolut welcomes clear crypto regulation and our products are always offered in compliance with all applicable regulations.’
‘That’s just not good enough, we’re not talking about £100 here. We’re talking about a life-changing amount of money.
‘It’s all just really, really fluffy and no one’s really getting answers. So on the surface of it, it looks like they’re helping their customers, but they’re really not.’
The mother-of-two said the scam had wiped out the family’s savings and they’d had to cut back on their children’s nursery hours.
‘It’s so shocking that I can’t even get my head around it. Obviously we haven’t been sleeping properly.
‘We’ve got two young children and we both work. I’ve had to make changes to my children’s nursery care because we can’t afford it because that money is gone.
‘It’s the amount of stress and thinking about it every day and having to write these emails and constantly be trying to contact people and find other avenues.
‘It shouldn’t be like that.’
While the Crooks suffered a fraud known as card fraud, other popular scams include Authorised Push Payment (APP) scams, where fraudsters trick people into sending money to accounts controlled by scam artists.
In 2022, 900 complaints about APP scams were made to the Financial Ombudsman about Revolut, of which 594 were upheld.
This is nearly three times the number of complaints made in 2021 and more than five times the number Revolut received in 2020.
Other challenger financial institutions have seen an increase in the number of APP scams reported to the ombudsman.
It received a total of 9,844 complaints about APP scams in 2022 across all banks.
Challenger banks are relatively small retail banks set up to compete with larger more traditional financial institutions.
In 2018, many high street banks committed to repaying victims of APP scams after the Payment Systems Regulator designed a voluntary code.
Cyber security expert James Bore said the new challenger banks and e-money institutions have not been properly investing in anti-fraud measures
There are currently ten signatories to the Contingent Reimbursement Model (CRM) but because Revolut is not a bank, it is not signed up to repay victims.
Cyber security expert James Bore said the new challenger banks and e-money institutions have not been taking fraud and customer safety seriously.
‘I worked for a challenger bank for a short period of time. The reason I left is because I felt that they were not taking security and fraud seriously.
‘They don’t seem to be investing in tools to detect fraud and prevent it. They’re putting the minimal effort in to adhere to the FCA demands but just doing the surface work, not actually putting any real effort in.
‘They aren’t really putting anything into the security tools. They’re not thinking about users’ security when they design their apps and provide them. It’s a very casual attitude.’
He added that most e-money platforms are getting most of the benefits of being a traditional bank but without having to take some regulations as seriously.
Other victims of fraud who use Revolut have said they felt the platform wasn’t taking their concerns seriously or had rejected their cases with generic messages.
Chartered accountant and financial adviser Polly Arrowsmith told MailOnline that Revolut was consistently letting customers down with its service.
‘The consistent theme is while they’ve got quite a high score on TrustAdvisor, but the one thing that they kept falling down on is customer service, not keeping people up to date, people feeling that their complaint or their query is not being taken seriously.
‘Accounts can just be locked down at any point, which, I mean all banks will lock down accounts if they think there’s fraud, that’s pretty standard.
‘What’s happening here is that these complaints are just going on and on so people can’t access the cash. And that’s obviously an issue.’
Polly Arrowsmith said Revolut was letting its customers down with poor customer service on fraud cases
Ms Arrowsmith said while money can often go missing in the financial system but it was unusual that people were unable to speak to a person about it at Revolut.
An FCA spokesman said: ‘The impact a scam can have on someone is unlikely to be purely financial, so firms must treat their customers fairly and provide them with effective support.
‘If a customer is unhappy with how a firm has treated them and has filed a complaint, they should contact the Financial Ombudsman Service.’
FCA guidance states that customers at banks and payment service providers should expect to be repayed in the event of unauthorised fraud if it cannot be shown that a customer has acted negligently.
Revolut responded to a number of questions from MailOnline.
They said in the case of Mr and Mrs Crooks, the first transaction was not considered to be high risk as Apple Pay traditionally sees low rates of fraud.
The card details have been terminated and the account is now secure but Revolut will not pay compensation as they say they gave a clear warning not to share the one time pass code.
The e-money platform said while it was not signed up to the Contingent Reimbursement Model, it applied similar standards when deciding whether to offer compensation.
‘Our model for detecting APP fraud is 98% effective and has helped reduce overall APP fraud experienced by our customers by two thirds in the last six months of 2022.
‘We will never stop working hard and innovating to further strengthen the protection and support of our customers from criminal activity.’
Revolut added: ‘More than 25million customers trust Revolut with their money. We are an authorised financial institution in the UK and around the world.
‘Our authorisation status offers no less protection or support to our customers who have been a victim of fraud when compared to a bank.’
Source: Read Full Article