Financial Scams, the law and ways to avoid becoming a victim

IT Security Norwich

This month Ben Dures (Scott Moncrieff & Associates) and I discuss the law and how to protect yourself against financial scams and the steps you should take to recover lost funds.

According to the Financial Services Compensation Scheme, financial scams are becoming more sophisticated, and as more people move to online banking, extra vigilance is needed.  Although in most cases your bank or building society will reimburse money taken from your account without permission, this is not guaranteed.  Below we look at the law in this area, and what practical measures can be taken to avoid falling prey to the scammers.

Getting Your Money Back

The good news is that under the Payment Services Regulations 2017 (PSRs) you should get your money back, unless the bank can show that you consented to the transaction. This may sound obvious, but in practice it can be difficult for the bank to establish, as it involves several factors.

First, the bank must show the payment was authenticated. Authentication is the procedure which allows the bank to verify the identity of its customer, or the validity of the use of a specific payment instrument, including the use of the customer’s personalised security credentials. This can be done in a number of ways (e.g. chip and PIN, card number, CVV and expiry date etc.).  In many cases involving scammers, the payment was authenticated, because the scammers obtained your details.  So, to the bank, it looked legitimate.

Second, the PSRs require consent to each and every transaction. The fact that you gave permission for one transaction does not automatically mean you gave permission for any that followed.

In most cases, if you can prove on the balance of probabilities that you neither carried out the transaction yourself nor gave consent to it, that should be sufficient for you to get your money back.

However, there is a potential sting in the tail.

Safeguarding your details 

Under most banking terms, if the bank can show that you failed to take reasonable care of your security details and that this allowed the scam to take place, then it may refuse to reimburse you. It must show that you were grossly negligent, which is quite a high threshold. However, this is often a matter of interpretation, which can give rise to disputes. For example, if you are tricked into giving this information to someone who sounded very plausible, is that gross negligence? Often the test will be what the hypothetical reasonable person might have done in the circumstances, but arguably this does not take into account individual vulnerability. What about sharing details with family members or carers, who then remove money without consent? On a strict interpretation you should not share your details with anyone, but in many situations this is a necessity.

The bank should also take reasonable care, so it should be alert to suspicious-looking transactions and have methods for flagging these and verifying that they are genuine. For instance, there may be unusual activity on the account. If the bank has failed to notice something that it ought reasonably to have picked up on, and a suspicious transaction has gone through without anyone checking it with you, then on the face of it the bank has been negligent and this has caused you loss. In these circumstances, it ought to refund you.

The Financial Ombudsman Service (FOS) deals with disputes between banks and their customers. If you cannot resolve your issue directly with the bank, a complaint to the FOS is usually the best place to start, rather than taking the matter to court. The best advice, however, is to take steps to avoid being scammed in the first place.

Security tips to avoid a financial scam

Be aware

A phisher is clever in their techniques and will try to gain your trust through psychology and perception. Keeping up to date with the latest scams is your first line of defence.

Passwords

Passwords are used every day and they are the first line of defence against malicious attacks. Choose unique passwords for your online accounts and, if you have too many to remember, use a password manager to help you store them safely.

Secure payments

Only make online payments on secure websites: the URL must start with https and the browser must show a padlock. Bear in mind that the padlock only means the connection is encrypted, not that the site is genuine, so check the address carefully as well. When making payments use a secure connection and avoid using public WiFi.

Requests for personal information

Credible companies, such as banks and Microsoft, will never ask for personal information (usernames, passwords, account numbers) by email. Beware of poorly written emails, overuse of jargon or emails without contact details. If a request comes by phone and you are in doubt, end the call and then call the company back on a number you know to be genuine to make sure it is a legitimate request.

Check Links

Understand the risks involved in opening links from an untrustworthy source. Don’t click on a link unless you have checked that it is from a reliable source. If necessary, check with the sender before opening.

Email sender address

The display name on an email can be set to appear to be someone you know, but the email address itself is often a giveaway so don’t forget to check before you respond.

Check accounts

Get into a habit of regularly checking your online accounts so you can respond quickly to any suspicious activity.

Threats

Beware of threats, blackmail and warning emails. A genuinely urgent matter will usually be raised by phone as well as, or instead of, by email.

Avoid traps

Ignore emails that look too good to be true: emails offering prizes or easy money are often a trap. Be suspicious of appeals and requests for money, always check the veracity of a charity, and only donate directly through a website with a secure domain.

Personal information

Be very careful about how much personal information you share on social network sites. Fraudsters can use your information and pictures to create a fake identity or to target you with a scam. Review your privacy settings on all social media, don’t publish your date of birth and make sure only friends can view your posts and pictures.

Software updates

Ensure all your computers are using the latest version of all software, including internet browsers. Many phishing attacks exploit systems that are not updated.

Antivirus

There are many good reasons to use antivirus software. Install an enterprise-level AV solution, regularly monitor its status and ensure that it is kept up to date.

Web and spam filter

Use a web filter that blocks malicious websites, and install a spam filter that can stop malicious emails from reaching employees’ inboxes.

Firewalls

Using a desktop firewall as well as a network firewall greatly reduces the chance of attackers infiltrating your systems.

Email authentication

Email authentication is a technical solution in which your mail server checks whether an incoming email really comes from the domain it claims to, and flags or even rejects messages that fail the check rather than delivering them as normal.

As financial scams become more prevalent it pays to be cautious, vigilant and use common sense.

If you have suffered a financial scam and need legal advice, contact Ben Dures on 07940 887494 for a no obligation chat. If you would like more information about IT security and how to safeguard yourself against cyber attacks, please contact Lucy Blake on 01603 451810.

12 tips on how to spot scam emails

A heavy reliance on carrying out business online has resulted in an explosion of cyber crime. In 2020 email phishing will continue to be a major form of online attack increasing the need for businesses to be aware of current threats.  Many cyber criminals use AI systems that can automate processes making the attacks prolific, sophisticated and hard to spot.

Your business may have put good IT security in place but cyber criminals will target your weakest link, which is often your employees.  Human error remains the primary cause of data breaches and can result in a major loss of sensitive information.  Keeping your staff trained and up to date with the latest threats should be a key part of your IT security strategy.

We frequently have clients asking if an email is genuine. Whilst there are no hard and fast rules, double check the details and take heed of the following:

  1. Unknown sources – pay close attention to emails from unexpected and unknown sources
  2. Company address – check the company name and email address with an independent online search, is the link a well-known website spelled incorrectly?
  3. Sender address – the display name can be set to appear to be someone you know, but the email address itself is often a giveaway
  4. Generic salutation – what greeting have they used in the main body of the email? Fake emails often use generic terms such as ‘Dear Customer’
  5. Poor grammar – are there grammar and spelling mistakes? Often phishing emails are carried out by non-native speakers
  6. Sign-in requests – is the email asking you to go to a website which then asks you to sign in?
  7. Check the links by hovering the mouse over them – if the address has spelling errors, or the domain doesn’t match the email domain or a verified sharing service, it is likely to be fake
  8. Registered email – Is the email they have used for you the one you used to register with the company?
  9. Beware of attachments from unknown people or businesses; if necessary, check with the sender before opening
  10. Ignore threats, blackmail and warning emails. A genuinely urgent matter will usually be raised by phone as well as, or instead of, by email
  11. Be suspicious of appeals and requests for money. Check the veracity of a charity and only donate directly through a website with a secure (https://) domain
  12. Ignore emails that look too good to be true – emails offering prize winnings or easy money are often a trap
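As an added example that is not part of IT Security Norwich's article, the following Python script runs several of the checks above over two constructed messages: tip 3 (display name versus real sender domain), tip 4 (generic salutation), tip 7 (link text versus the host the link actually points to, including hosts that merely contain a trusted name as a subdomain), and the email-authentication verdicts that a receiving mail server records in the Authentication-Results header, as described under "Email authentication" in the first article. Every name, domain and the known-sender list are made up for illustration, and the registrable-domain helper is deliberately simplified rather than a full public-suffix lookup.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (all names and domains are made up for illustration).
PHISHING_EML = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
To: customer@example.org
Subject: Urgent: confirm your account
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1e-bank-verify.com; dkim=none; dmarc=fail header.from=examp1e-bank-verify.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended. Sign in at
<a href="http://example-bank.co.uk.account-check.example.net/login">https://www.example-bank.co.uk/login</a>
within 24 hours.</p>
</body></html>
"""

GENUINE_EML = """\
From: "Example Bank" <statements@example-bank.co.uk>
To: customer@example.org
Subject: Your March statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-bank.co.uk; dkim=pass header.d=example-bank.co.uk; dmarc=pass header.from=example-bank.co.uk
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Smith,</p>
<p>Your statement is available in online banking:
<a href="https://www.example-bank.co.uk/statements">View statement</a></p>
</body></html>
"""

# Hypothetical list of organisations you deal with and the domain they really send from.
KNOWN_SENDERS = {"example bank": "example-bank.co.uk"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear sir/madam", "dear account holder")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude registrable-domain extraction: last two labels, or last three for
    two-part suffixes such as .co.uk (a simplification, not a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text):
    """Host part of a URL, or of a bare domain written as link text."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def assess_email(raw):
    """Run the checks over one raw message; returns a list of findings
    (an empty list means nothing looked wrong)."""
    msg = message_from_string(raw, policy=default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Tip 3: display name claims an organisation the address domain does not belong to.
    for org, real_domain in KNOWN_SENDERS.items():
        if org in display_name.lower() and registered_domain(from_domain) != real_domain:
            findings.append(f"display name '{display_name}' but address domain is {from_domain}")

    # Email authentication: the receiving server's SPF, DKIM and DMARC verdicts.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is '{m.group(1)}'")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    # Tip 4: generic salutation instead of your name.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if any(s in plain for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")

    # Tip 7: link text and link target disagree, or the target is not the sender's domain.
    # A host such as example-bank.co.uk.account-check.example.net only *contains* the
    # trusted name; its registrable domain is example.net.
    for href, anchor in LINK_RE.findall(html):
        href_host = host_of(href)
        looks_like_address = "." in anchor and " " not in anchor.strip()
        anchor_host = host_of(anchor) if looks_like_address else ""
        if anchor_host and registered_domain(anchor_host) != registered_domain(href_host):
            findings.append(f"link text shows {anchor_host} but points to {href_host}")
        if registered_domain(href_host) != registered_domain(from_domain):
            findings.append(f"link host {href_host} is not on sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EML), ("genuine", GENUINE_EML)):
        print(label, assess_email(sample) or ["no findings"])
```

Run as written, the constructed phishing message produces seven findings (display-name mismatch, three failed authentication verdicts, a generic salutation, and two link problems) while the genuine one produces none. In practice a mail gateway makes the authentication decision before delivery; the script only reads the verdicts the gateway left in the header, which is the "flags the emails accordingly" behaviour the first article describes.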

It is crucial that businesses take steps to ensure they are doing all they can to educate employees on current cyber threats. Training staff how to recognise phishing emails is one step towards helping mitigate the risk of a data breach and its devastating effects.

Our cyber security awareness training is computer-based and delivered monthly in engaging bite-sized modules.  It costs £2 per month per user so is affordable for every size of business. For more information please contact us.