When Denise George* received a notification on her phone that a replacement credit card she’d ordered had been used, she was surprised … as she was still waiting for it to be delivered. Fearing it had been stolen, she attempted to log in to her online banking – only to find she had been signed out of the app and had to reregister.
Things got even worse as George found her Isa had been emptied by criminals, after her bank, Barclays, failed to recognise signs of suspicious activity on her account.
Now George believes that the fraudsters used her credit card and personal details that they found online to trick the bank, and is worried that it could happen again.
“The people who intercepted my post, and stole my card, had my long card number, name and address,” she says. “If anyone Googles my full name, they will only find me on one website – Companies House. I am registered as a trustee for a charity.
“Companies House has the month and year of birth on each person listed, hence it is easy-ish for someone to start eliminating days of the month until they hit bingo on telephone banking.”
Industry data shows that more than £570m was stolen by criminals through payment fraud in the first half of this year, of which £358m was taken through unauthorised transactions on payment cards, remote banking and cheques, as happened to George.
The figures from the banking trade body, UK Finance, showed there were 1.5m payment card cases recorded – an increase of 19% on the same period in 2023. Within that, “card not received” fraud – where cards are intercepted before they arrive and used for spending – remained rare, with 3,244 cases, but losses had gone up by an eye-catching 39%, to £1.9m.
Criminals often target properties with communal letterboxes, such as flats. People who do not get their mail redirected when they move are also vulnerable, says UK Finance.
George, who lives in north London, fell victim in May, and found her Barclaycard credit card had been used to attempt £1,500 of transactions with £500 succeeding, while another £1,500 had been taken from her online Isa.
After receiving the alert that her card had been used, she attempted to check the app and, after reregistering, saw the fraudsters had been busy.
“My Isa was emptied and there were transactions on my credit card. I called Barclays instantly to notify them. They said they had several calls for my account on that day, many of which failed to pass security. I asked why my account was not flagged and why I was not notified,” she says.
Barclays has now admitted that it failed to recognise signs of suspicious activity and did not put a block on the account when it should have.
George believes the criminals used her details to get through the security procedures on telephone banking, and then added their telephone number and email address to her account. They were then able to access her accounts online and move money from her Isa.
People who have been appointed as directors since October 2015 have only the month and year of their birth displayed publicly by Companies House. The exact date of birth is disclosed only if required by law to the police or credit reference agencies. Companies House did not respond to questions about incidents where the details were used for fraud.
Steven Murdoch, professor of security engineering at UCL, says that if criminals are able to intercept post, then it is possible they can apply for details, such as a membership number, to be changed.
“They just need to ask for a reset of the personal number, which actually sounds fairly likely. If you reset your personal number, then the original person can’t log in,” he says.
Companies House offers some advice to directors who want to keep their personal details safe from misuse, but it mostly applies to addresses.
It suggests using a different address to your home one, by using a registered office service.
George has criticised Barclays over the lapse in security. She has been refunded for her loss, but thinks the criminals still retain key information about her which makes her vulnerable to another attack.
“They know my mobile number, they know my date of birth, they know where I live, they know my email address,” she says. “They’ve got every single individual identifier for me.”
Barclays says it is not aware how the theft of the card happened and “monitoring” is in place to identify cards that have been intercepted. It did not respond to queries about which carrier was used to deliver it.
It says that it would not have been possible to access the account with just the credit card details and the information from Companies House. It refused to provide the questions used for accessing an account due to “security reasons”.
“Keeping our customers safe from fraud and scams remains our topmost priority,” the bank says in a statement. “This is an isolated case where, due to human error, a temporary block was not correctly applied to the customer’s account as it should have been at the first sign of suspicious activity.
“The customer has been reimbursed in full and accepted a redress, and we have apologised for the inconvenience caused.”
“We can see how fraudsters have attempted to commit this crime. We are always monitoring how fraudulent behaviour changes, and, alongside our advanced fraud analytical systems, we are developing further features for customers to get more assurance and control over where their card can be used.”
* Name has been changed