In July this year, Santander contacted me about a suspicious payment from one of our business accounts. On hearing the details – £1000 to someone called Moore – I was immediately able to confirm that the payment was fraudulent and Santander said they would have to block the account for 24 hours.
It turned out that the payment had been made by somebody phoning Santander and pretending to be me. They were asked for the account number (on our website), my date of birth (available from Companies House) and the name of another signatory (guess what – my wife and co-director). Getting the answers to those questions right was enough for Santander to pay £1,000 to a third party account with which we had no previous connection.
I wasn’t even aware that it was possible to authorise a payment in this way. Santander certainly doesn’t make it as easy as this for their business customers – if we want to make an online payment we have to submit all the details and then enter a code which the bank texts to my mobile telephone. Even when I phoned them to discuss the fraud that they had allowed to happen, they insisted on my confirming the last 4 digits, expiry date and CVV from my debit card before even agreeing to talk to me. They also lied: the person I spoke to initially tried to fob me off by telling me that a fraud case “had been opened” until I pointed out that, at this point in the conversation, he didn’t know who I was.
I have some ‘form’ with Santander after a particularly fraught experience when we first opened the account, so I already had the contact details of a ‘case handler’ in the CEO’s executive team. His first response was to point out, with just a hint of complacency, that “luckily, on this occasion, the bank has managed to prevent the monies being lost to the fraudster” (a claim which was to return to haunt him – see below).
Intriguingly, my contact also revealed that “the fraudster was male and seemed to have an African or Asian accent”. Now, while one doesn’t expect bank staff to possess either the geographical knowledge of a Phileas Fogg or the phonological skills of a Professor Higgins (see what I did with the Rex Harrison link there?), this does strikes me as a little imprecise. It’s almost – perish the thought – as if what they meant was “he sounded dark-skinned”.
My contact also said “regrettably, I have found that the call handler did not follow our security procedures correctly, which has led to the breach” (no shit, Sherlock). “There are clear warnings on your account”, he assured me “to prevent this individual from accessing the account again”.
In reply, I expressed some puzzlement about the nature of the “clear warnings” which could be put in place to deal with this individual. Presumably Santander didn’t know who he was, and I couldn’t believe that, in this day and age, our account could be endorsed with a warning not to accept instructions from anyone “with an African or Asian accent”. It seemed to me that simply following normal security procedures might suffice. I made it clear that, in future, nobody – myself included – was to be allowed to authorise any payments by telephone without a call back from Santander to the registered office number. This instruction was acknowledged in writing.
And there the matter rested (other than another unexplained transaction on the account, when Santander decided to credit it with a goodwill payment of £150 but omitted to tell me about it). Until this week.
On Tuesday, my office received a call from Santander asking me to ring back as a matter of urgency. The number given was the normal call centre number and so I was immediately routed to an interactive voice response menu, which was less than helpful as I had no details of the nature of the call. Eventually – after a reasonably searching set of security questions – they divulged that a suspicious payment on the account had been attempted and asked me whether I recognised the destination account, which I did not.
I referred to the previous incident and the instructions I had given about authorisation and was assured that the payment had been stopped before being made (another lie). They tried to transfer me to the fraud department but after a ten minute wait it became evident that they were too busy to answer the phone (I wonder why).
Eventually I uncovered the fact that not one, but two fraudulent payments of just under £1,500 each had been effected. One was re-credited the same day, but the second had left our account. The fraud department seemed completely unconcerned that my instructions had been ignored, or that their colleagues had lied to me, but concentrated on asking me to consent to credit checks on our business in case they deemed it necessary to open a new account. I replied that, if a new account was to be opened, it would not be with Santander.
I again contacted my friend in the CEO’s complaints team. This time, however, I was told that “these complaint types” are now handled by a “specialised area in our Fraud department”, who would be in touch in due course.
I don’t know how specialised you need to be to deal with this kind of fraud, which lacks the technological sophistication of, say, an Al-Qaeda denial of service attack. One might think that just telling staff to read the account mandate before making payments would suffice. Anyway, with commendable speed, the next day’s post brought a letter from Santander’s crack team of boffins, expressing concern for our undoubted distress at having been a victim of fraud and reassuring us that the matter was receiving their full attention. The reassurance was slightly diluted by the fact that their ‘full attention’ did not extend even as far as getting our name right – the letter was addressed to Mr & Mrs Ridgley instead of Midgley.
We have now taken steps to move all our business banking to Barclays who, I trust, will not just give our money away to any criminal who phones up and asks for it. In my final email, I observed that our Santander “relationship director”, whom I had copied in on all the emails relating to the second debacle, had so far been strangely silent. Within minutes, I had a defensive reply, saying that he was confident that the “specialist fraud team have/ or are investigating” and that, as he was not sure what else he could have added, he had chosen to remain silent. I’m not sure what a relationship director does, but if speaking to dissatisfied customers isn’t in the job description, that might be something else for Santander to think about.