When Toby Proctor received a call from his bank to query some suspicious transactions he immediately feared he was the victim of fraud and didn’t hesitate to follow their instructions.
He was first asked to confirm his name, address and mobile phone number — which the caller already knew.
He was then told he would be sent a code to his mobile from a NatWest number to verify it was really him. The text appeared to come from the same NatWest number as his weekly balance updates.
But after reading out the code to the man on the phone, Toby, 32, started to feel uneasy.
He quickly hung up and called NatWest back using the number on the back of his debit card. But it was too late — he was told that £3,108 had already been transferred out of his account.
According to NatWest, the fraudster sent the money to a florist based in Kent. Toby was baffled. The last time he had used that florist was when he and his wife Jodie, 32, who live in Epsom, Surrey, got married two years ago.
He called the shop owner, Rebecca Franklin, as soon as the store opened the next day. Rebecca said she had already received two calls from someone claiming to be Toby Proctor.
The man had told her that he’d accidentally paid £3,108 into her account when trying to move cash to his savings. He then asked if she would transfer the money back into what he claimed was his savings account.
Fortunately for Toby, Rebecca immediately smelt a rat.
She says: ‘I was suspicious straight away. He didn’t sound like one of our customers. He sounded a bit like a “wheeler dealer”.’
When she then quizzed the bogus groom on the details of his wedding so she could match the name of the bride, the date and the venue against her database, his answers didn’t stack up.
‘He told me he’d got married somewhere I’d never heard of in London, which he said was in Surrey. He clearly had no idea.
‘I remember every groom and every venue and what he said made no sense.’
When Rebecca told him she didn’t believe his story he hung up. Had she transferred the money it would likely have been lost for good.
Experts say that this new way of scamming people means that fraudsters are able to bypass the security checks banks use when you are making payments online.
When you make a payment to someone for the first time, a six-digit code — known as a one-time passcode — is typically sent to your mobile phone.
You then need to enter this code before the transfer will go through.
The idea is that if someone has hacked into your online bank account, they will not be able to transfer money to a new fraudulent account very easily.
However, this code is not needed if you are transferring money to someone you have paid before and who is on your ‘payee list’.
This means that if fraudsters can convince someone on this list to accept a payment and move the money elsewhere, they can pocket your cash without you being alerted.
Richard Emery, of fraud consultancy 4Keys International, says that for some fraudsters this ruse will be easier than trying to intercept the one-time passcode needed to transfer money to a new account.
To carry out this type of scam the fraudster must already have access to the victim’s online or mobile bank account.
Money Mail understands that in Toby’s case the crook had downloaded the NatWest banking app on his mobile phone and logged in to Toby’s account.
This meant he would have known Toby’s mobile phone number and his passcode. He would also have needed another six-digit code to register the app. This is the code he tricked Toby into reading out over the phone by posing as his bank.
The fraudster was then able to make the £3,108 payment without detection because the florist, Floral Explosion, was already saved as a payee on Toby’s account.
All the crook then had to do was search for Floral Explosion’s telephone number on Google — which is easily found.
The fraudster would also have known the name of Toby’s wife — which would have helped him when trying to convince the florist he was Toby — because the reference for the payment was ‘Jodie Toby Wedding’.
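The gap described above can be shown as a payment rule, in an added illustration that is not from the article or from any bank's systems. The baseline function asks for a code only when the payee is new; the hardened one also flags a payee not paid for a long time and an app registered minutes before the payment. The field names, thresholds and sample dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not any bank's real settings.
NEW_DEVICE_WINDOW = timedelta(hours=24)
DORMANT_PAYEE_AGE = timedelta(days=365)


@dataclass
class Payment:
    payee_id: str
    amount_pence: int
    requested_at: datetime
    device_enrolled_at: datetime  # when the app on this device was registered


def baseline_needs_otp(payment, last_paid):
    """Rule as the article describes it: a code is needed only for a new payee."""
    return payment.payee_id not in last_paid


def hardened_step_up_reasons(payment, last_paid):
    """Return reasons to demand fresh verification; an empty list means allow."""
    reasons = []
    previous = last_paid.get(payment.payee_id)
    if previous is None:
        reasons.append("new_payee")
    elif payment.requested_at - previous > DORMANT_PAYEE_AGE:
        reasons.append("dormant_payee")
    if payment.requested_at - payment.device_enrolled_at < NEW_DEVICE_WINDOW:
        reasons.append("newly_enrolled_device")
    return reasons


# Constructed sample data modelled on the case above (all dates are invented).
NOW = datetime(2020, 1, 15, 18, 30)
LAST_PAID = {"florist": NOW - timedelta(days=730),   # saved payee, paid two years ago
             "landlord": NOW - timedelta(days=20)}   # saved payee, paid recently
FRAUD = Payment("florist", 310_800, NOW, NOW - timedelta(minutes=10))
ROUTINE = Payment("landlord", 95_000, NOW, NOW - timedelta(days=400))

if __name__ == "__main__":
    for name, p in (("fraud", FRAUD), ("routine", ROUTINE)):
        print(name, baseline_needs_otp(p, LAST_PAID),
              hardened_step_up_reasons(p, LAST_PAID))
```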
Fortunately for the Proctors the scam didn’t work. And after Toby alerted his bank, NatWest, it was able to request that the florist’s bank, Barclays, return the funds to the couple, who have an 18-month-old son called Lucas.
Richard Emery says: ‘This type of scam is convoluted, but could have high levels of success. In this case the fraudster tried to be too clever by posing as an existing customer without knowing all of the information.
‘This should be a warning to everyone to be more vague with payee names and references.’
Toby, an account manager, says what is most worrying is how the fraudster already had so much information about him.
He says: ‘I don’t know whether they had hacked the systems of someone that had a lot of my details about him, such as an online retailer or employer, and then used that information. I’ve had to change all my details.’
A spokesman for NatWest says: ‘We sympathise with Mr and Mrs Proctor and appreciate that this has been a very distressing experience for them.
‘We take our responsibilities to preventing scams very seriously, and always support the victim of a scam in the recovery of their funds on a best endeavours basis.
‘On this occasion, full funds have been recovered from the beneficiary bank and have been returned to Mr and Mrs Proctor.’