GiddyTeesUK Interior Design & Home Living
Sponsored Content

Why Online Banking Safety Matters More Than You Think in the UK

By Alex Thornton · 2026-04-23 · 7 min read

UK Authorised Push Payment fraud — where a customer is tricked into willingly transferring money to a criminal — accounts for the largest share of bank-fraud losses today. The technology to prevent it is partly in place; the behaviours that defend against it are not yet widespread.

UK Finance, the trade body that publishes the most authoritative figures on banking fraud, reports that Authorised Push Payment (APP) fraud now causes more financial loss to UK consumers than card fraud and remote banking fraud combined. The mechanism is straightforward: the customer is persuaded to make a payment that they authorise themselves, believing it to be genuine. The customer's bank acts on a legitimate-looking instruction. The money goes to a criminal account. By the time the customer realises, the funds have been moved on through a chain of further accounts and are usually unrecoverable.

The technical defences are improving — the Confirmation of Payee system that checks whether the recipient name matches the account number has been broadly rolled out — but the most effective defences remain behavioural.

How modern UK bank fraud actually works

The most common patterns:

  • Impersonation of the bank itself. A phone call, text message, or email purporting to be from your bank, claiming suspicious activity and asking you to "move your money to a safe account". Real banks never ask you to do this.
  • Impersonation of HMRC or another government body. Demands for immediate payment of fictitious tax debts, often with threats of police action.
  • Impersonation of a known business. A genuine builder, solicitor, or contractor's email account is compromised, and a fraudulent change-of-bank-details email is sent immediately before a scheduled payment.
  • Romance and investment fraud. Slower-acting, often involving someone who has built a relationship with the victim over weeks or months and then introduces an "investment opportunity" or a "personal emergency".
  • Purchase fraud. Buying something that doesn't exist on a marketplace, or selling something and being paid by a fraudulent transfer that is later reversed.

In every category, the fraudster's goal is to get the victim to authorise a payment voluntarily.

The behaviours that genuinely help

A short list of habits that defends against most APP fraud:

  1. Never transfer money on the basis of an unsolicited contact. Not from your bank, not from HMRC, not from the police. Always end the call, look up the number independently, and call back.
  2. Pause before paying anyone you've only spoken to online. A 24-hour rule for any first payment to a new payee under £1,000 reduces fraud loss substantially.
  3. Verify changes to bank details by a separate channel. If your builder emails new bank details, phone the builder on the number you already have for them and confirm.
  4. Use Confirmation of Payee. When making a transfer, the receiving bank's customer name should match the name you expect. If it doesn't, stop.
  5. Treat investment opportunities communicated through messaging apps with suspicion. The Financial Conduct Authority maintains a register of authorised firms. Anyone soliciting investment outside that register is essentially always a fraud.

What the banks are obliged to do

Since October 2024, UK banks have been required to refund victims of most APP fraud, with the cost shared between the sending and receiving banks under rules from the Payment Systems Regulator. There are exclusions — most notably for "gross negligence" by the customer — but the default is that the customer is reimbursed up to a substantial cap.

This has changed bank behaviour. Banks now have a stronger commercial interest in preventing the fraud in the first place, and they have introduced friction (warnings, delays, in-app prompts) on transfers that match high-risk patterns. These warnings should be read, not clicked through.

Two-factor authentication and biometric checks

Most UK banks now require some form of two-factor authentication for first-time payments, and many require biometric confirmation through their mobile apps for higher-value transfers. These defences are effective against account takeover (where a fraudster gains access to your banking credentials) but largely ineffective against APP fraud (where the customer authorises the payment themselves).

If your bank app has the option to set a transaction-amount alert, set it. The earliest indicator that something has gone wrong is usually a notification of a payment you don't recognise.

Action Fraud and reporting

If you have been the victim of fraud or attempted fraud, the official channel is Action Fraud for England, Wales, and Northern Ireland, or Police Scotland's reporting service for Scotland. In urgent cases — particularly those happening in real time — call the police on 999.

Even if no money has been lost, reporting attempted fraud helps the agencies identify patterns and warn others.

Modern UK bank fraud is mostly social engineering. Better technology has shifted the attacker from technical exploits to convincing the victim to do the work themselves. The defences are mostly behavioural — and they are worth becoming habits before you need them.

A quick check for this week

Two practical actions worth taking this week if you haven't already:

  • Set up a transaction alert in your banking app for any payment above £100.
  • Save the genuine fraud-line number for your bank as a contact in your phone, and check it against the number printed on the back of your physical card. If a "bank" calls you in future, ignore the displayed number and call your saved number instead.

These two habits substantially raise the difficulty for any fraudster targeting you.
