Fraud and scams
The information on this page explains what to do if your business has lost money to a fraud or scam. You’ll find guidance on the types of cases we see and the complaints process, as well as case studies and links to further resources.
As with individual consumers, sometimes businesses experience fraud and scams. If this happens and you can't settle the matter directly with your bank or service provider, we can take an independent look.
Every year we look at thousands of complaints about fraud and scams. We consider the facts and circumstances of each individual complaint and listen impartially to you and the financial business. We’ll take into account the terms and conditions of any contract, relevant laws and regulations, and industry best practice.
If your complaint is one we can look at, we’ll let you know whether we think the financial business treated you fairly. If we find that they didn't, we’ll say how we think the situation should be put right.
Types of complaint we see
Small to medium enterprises (SMEs) typically bring complaints to us when their bank – or other payment services provider – refuses to reimburse money that’s been lost to fraud or a scam.
Most of these complaints involve ‘authorised push payment’ (APP) fraud.
This is when the small business or micro-enterprise intends to pay a genuine person or organisation but is duped into transferring the money to a scammer. Common examples of this include:
- Invoice intercept scams: a scammer intercepts an invoice from a genuine supplier and alters the bank details.
- Fake goods: your business pays a scammer for goods that never arrive or services they never get. These goods or services didn’t exist in the first place.
- Impersonation fraud: an employee receives an email, that appears to be from their director asking them to make an urgent payment which turns out to be from a scammer.
In addition, we see complaints that involve other types of fraud or scams, such as:
- Insider fraud: where someone who’s authorised to make payments on behalf of the business fraudulently transfers business funds for their personal use.
- Unauthorised transactions: where the director or authorised signatory for the business is tricked into handing over their bank details or has their details stolen. This allows the fraudster to take money from their account without their consent.
How to complain
Our service is free and easy to use.
Find out more about how to contact us and complain.
What we look at
There are rules about who we can help. So, when you bring a complaint to us, we’ll start by checking whether we can assist and, if so, we’ll investigate.
We’ll ask you about the circumstances and disputed transactions and to share any documents and other information you may have. We’ll use this – along with evidence from the bank and any relevant third parties – to reach our decision.
We’ll also consider:
- the relevant law
- any regulations that applied at the time – for example where applicable, the Lending Standards Board’s Contingent Reimbursement Code for 'authorised push payment' (APP) scams.
- any industry codes of conduct in force at the time
- good industry practice and/or relevant regulatory guidance
- the terms and conditions of the account that the disputed transaction was made from
Read more about how we make decisions and what to expect when we are handling your case.
The Contingent Reimbursement Model (CRM) Code
The CRM Code is a voluntary scheme, which most financial providers have signed up to in response to the rise of APP fraud. If the CRM Code covers a payment that you, or your business, made to a fraudster, the bank involved will reimburse you if it's a signatory to the Code.
But the CRM Code doesn’t apply to every type of bank transfer. It doesn’t cover payments between the UK and another country, for example. And it only covers individuals and micro-enterprises, not larger businesses.
You can still bring your complaint to us, whether the CRM Code applies to your case or not. If you're unsure whether you can bring a complaint to us, please check the rules that set out who we can help.
If you're not sure whether the CRM Code applies, we can check and let you know. And we’ll still investigate whether the financial business involved is responsible for allowing the scam payments to leave your account.
Find out more about CRM code on the Lending Standard Board’s website.
Putting things right
If we find that your business has been treated unfairly, we’ll ask your bank or the financial provider to put things right. This usually involves putting your business back into the position it would have been in if things hadn’t gone wrong.
How we do this will depend on the nature and type of complaint. It might include, for example, asking your bank or financial provider to refund the money you’ve lost, including interest and charges.
Case studies
These case studies will give you an idea of how we resolve complaints about fraud and scams.
-
When a small business lost money in an invoice intercept scam, we questioned whether the bank involved could have done more to warn their customer and stop the payment.
What happened
A small business got an invoice from one of its regular suppliers by email. The email said that the supplier’s bank details had changed and that the small business should send money to a new bank account.
As they were expecting an invoice from that supplier, and the email was written in the supplier’s usual style, the small business made the payment to the new account.
At the time, the small business’s bank wasn’t offering the ‘confirmation of payee’ service, which checks names and bank details for certain UK-based payments. So, when they made the payment, the small business didn’t receive any warnings about the bank details.
However, the bank did call the small business, but only to ask whether they had intended to make the payment.
A week later, the genuine supplier contacted the small business for payment and the scam came to light. Unknown to the supplier, their email server had been infiltrated by scammers who’d intercepted the invoice and altered the bank details.
What we said
The small business was not a micro-enterprise so the transaction wasn’t covered by the CRM code. But we wanted to find out whether the bank could have spotted the scam and done more to prevent it.
Alerted by the size of the payment, the bank had called and spoken to the managing director. She confirmed she was making a payment to a regular supplier and mentioned that the instruction to change the bank details had come by email.
Even so, the bank didn’t warn her about the possibility of invoice intercept scams or suggest she phone the supplier using a reliable phone number. This was a missed opportunity to prevent the scam.
We said that the bank could have explained how invoice intercept scams work and what steps the small business could take to avoid them. That might have encouraged the managing director to call the supplier and verify the bank account change.
We also considered whether the small business could have done anything to prevent the fraud but we didn’t think so. The invoice came as expected and from the supplier’s genuine email address. There was nothing else that might have alerted the small business to the scam. So, we didn’t think that the small business acted unreasonably by making the payment.
We concluded that the bank should reimburse the small business with interest.
-
A company that fell victim to an impersonation scam felt their bank could have done more to protect them.
What happened
A company’s accounts manager got an email from his director asking for a payment to be made to someone named in the email. The director was away but it wasn’t unusual for him to request payments this way and the email came from his genuine email address. The accounts manager thought nothing of it, went ahead and made the payment.
The next week, when the director returned from his trip, the scam came to light. The company called its bank, which contacted the recipient bank. The recipient’s account was empty.
The company felt their bank could have done more to help prevent the loss, so brought their complaint to us.
What we said
The company was not a micro-enterprise so the transaction wasn’t covered by the CRM Code. Even so, we wanted to check whether the bank could have done more to spot the scam and prevent it from happening.
When we investigated the complaint, we saw the payment wasn’t unusual. Many similar payments were made quite regularly from the account. Also, although there was a ‘confirmation of payee’ check, the fraudster had given the correct payee’s name. So, the result was a ‘match’.
Overall, we felt the bank hadn’t made any errors or omitted anything. Therefore, we concluded it wouldn’t be fair to ask the bank to reimburse the company.
-
After falling victim to an invoice intercept scam, a business felt let down by both the sending and receiving banks.
What happened
A business received an invoice which appeared to be from one of their suppliers. However, a scammer had intercepted the invoice and changed the bank details.
As part of a prevention strategy to protect it from fraud and scams, the business had put a procedure in place. When an email came from suppliers notifying a change in bank details, it was standard practice to phone that supplier on a reliable number.
However, this didn’t happen and the business went ahead and made the payment.
The scam was only revealed when the genuine supplier contacted the company. Unfortunately by that time the money was lost.
The business believed their bank – the sending bank – could have done more to prevent the scam. They also thought the receiving bank had failed to carry out due diligence by allowing a fraudster to open an account and receive the payment.
What we said
First, we looked at the complaint against the business’s own bank.
The payment was large, but we could see that the business often made large payments to new payees. There wasn’t anything else which we thought the bank ought to have noticed or any other error or omission on their part. Therefore we said it wouldn’t be fair to ask the bank to reimburse the amount.
When we investigated the complaint against the receiving bank, we started by looking at when the account had been opened. We didn’t find anything suspicious that might have alerted the bank that the account-holder intended to use it for fraud.
However, the payment that the business had made was highly unusual compared with normal activity in the account. What’s more, the scammer tried to transfer the money straight out of the account as soon as it arrived. That was also very unusual.
This raised the alarm and the receiving bank intervened and questioned its customer. But, even though the scammer’s response was inconsistent and suspicious, the receiving bank didn’t investigate any further.
Had it done so, we believed the scam would have come to light. The bank missed an opportunity to prevent the business losing money to the scammer.
However, we also felt the business had been negligent by not following their own anti-fraud procedures . If they had, they would have discovered the scam.
Because of this, we said the loss should be shared equally between the business and the receiving bank. That meant the bank reimbursing 50% of the loss to the business, with interest.
Staying safe from fraud and scams
Scams are constantly evolving. So, it’s a good idea to follow the news and updates from trusted organisations.
You may also want to consider putting in place some procedures to protect your business and staff from falling victim to a scam. For example, you might make it standard practice to phone suppliers on a known number if you receive an instruction by email notifying a change in bank details.
Find out more about staying safe from scams and what to do if you’re caught out.
Information for financial businesses
If you’re a financial business looking for information to help you resolve complaints, read our detailed guidance on fraud and scams complaints.
