Protect yourself against fraud and scams

What is an Authorised Push Payment (APP) Fraud?

An APP fraud is when you are tricked into sending money to a fraudster, either through being deceived about who you are paying, or about the purpose of the payment.

In May 2022, the government announced that they would make new laws to allow a regulatory body, called the Payment Systems Regulator (PSR), to require banks and payment services providers to reimburse people who have been tricked into sending money to scammers, and this came into effect in June 2023.

From 7 October 2024, this regulation will offer greater protection to most victims of this type of fraud. 

Am I eligible for reimbursement?

If you are the victim of an APP fraud, you may be eligible to claim reimbursement if:

• You’re an individual, a micro-enterprise (with under 10 employees) or a small charity
• your payment was made by faster payments or CHAPS on or after 7 October 2024
• your payment was made to a UK account that can send or receive faster payments
• you have made your claim within 13 months of the last payment made to the fraudster.

Note: There is no minimum amount you can claim. The maximum amount that can be claimed for an APP fraud from 7 October is £85,000. An excess of up to £100 may apply. If eligible, you could receive a refund within five business days, unless more time is needed to investigate your claim.

When might I not be eligible for reimbursement?

You may not be able to claim reimbursement if:

• the payment was made to another account that you control, such as your nominated account
• you have acted fraudulently
• you have been significantly careless, for example, by ignoring advice from your bank not to proceed with a payment
• the payment is part of a civil dispute, for example, where you were not satisfied with the goods you paid for
• the payment was sent or received by a credit union, municipal bank or national savings bank.

What should I do if I’m a victim?

If you suspect one of the following:

• One of your accounts with us has been affected by fraud, please contact us immediately. Our contact details can be found on our contact page.
• The fraud originated from your retail bank please contact them directly.

In addition please note the following:

• You must report the scam as soon as you can, and no more than 13 months after the last fraudulent payment was made
• We may ask you for additional information about your claim, please make sure you respond to these requests
• Once you have made the claim, we may ask you to report the details of the fraud to the police or offer to do this for you, and would request your consent to do this.

Phishing refers to emails that attempt to fraudulently obtain your sensitive information. These emails will often direct you to a website requesting you to enter your personal information such as bank log in details and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Common features of phishing emails are:

• Appear to be too good to be true (they often are)
• Have a sense of urgency
• Address you in an unusual way
• Contain multiple grammatical errors
• Contain hyperlinks or attachments which may be from an unusual sender

If you receive an email from us that you are suspicious about, simply forward the email to besecure@familybsoc.co.uk and we will investigate it.

Fraudsters can also make unsolicited telephone calls encouraging individuals to provide sensitive data such as personally identifiable information. This is known as Vishing. 

If you’re unsure about a call you receive from any financial organisation, call them back but from another phone line such as a mobile or landline. We would recommend waiting about five minutes before doing so as sometimes the fraudster on the other end doesn’t hang up so when you make another call, they’re still on the line.

When we make an outgoing call e.g. to check something on an application or letter, please be aware that we will ask for personal data to identify you. We encourage you to follow the steps above if you are at all suspicious about any aspect of the call.

Furthermore, with online accounts, sometimes scammers will try to get access to your account by using a one time code or one time password. They will fill in the website with all the information they have for you like name, email etc. They will then call you pretending that they work for the company that you have your account with. Usually, the scammer will explain that they are calling to offer you an incentive such as a bonus or an extra for free in your account.

They will sound believable and they will explain to you that you will now receive a one time code so that they can ‘proceed’ to verify your account. At that moment the scammers will still be on the website and the website will send you a 1 time password (OTP) which they will ask you to read out to them. They will then enter the one time password and gain access to your account. 

SIM swap fraud is when cybercriminals hijack your phone number by transferring it to their own SIM card.

Fraudsters can hijack your phone number by tricking your network provider into transferring it to their own SIM cards. To do this, they gather personal information, often from social media, which they can use to answer security questions. Details such as your birthday, mother’s maiden name, or places of education can make you vulnerable if shared publicly on social media. This gives them control of your phone number, allowing them to intercept your calls and text messages. Fraudsters can then use two-factor authentication (2FA) to change your passwords and gain unauthorized access to your emails and other accounts. Stay vigilant and use these essential safety tips to protect yourself:

How to spot signs of SIM Swapping

Contact your network provider immediately if you spot any of these signs:

• Unexpected and abnormal loss of service and you can’t make or receive calls or texts
• You get unexpected emails and notifications about account changes such as password resets and login attempts.
  

If you have been victim to SIM swap fraud, then report it as soon as possible to ActionFraud or call them on 0300 123 2040.

Tips to keep yourself safe from SIM Swapping

• Opt into SMS or email alerts. Most UK network providers offer text message or email alerts for SIM swap request or changes to your account.

Lock your mobile device with a PIN or Passphrase

• Set up a strong, unique passcode (not easily guessable like your birthday or address) for when you contact your mobile provider customer service team with any queries. Without it, fraudsters can perform a SIM swap with minimal verification.

Enable Porting Protection or a “Number Lock"

• Contact your mobile phone provider to activate porting protection or a number lock.  To ‘Port-out’ referrers to the process of transferring your phone number from one network provider to another. When you apply porting protection or a number lock it means that additional verification such as a PIN is needed when you want to transfer your phone number to another network provider.

Avoid SMS-Based two-factor authentication (2FA)

• Use multi-factor authenticator apps like Google Authenticator or Microsoft Authenticator instead of SMS-based two-factor authentication which is when you receive a text message with a code to prove you are the account holder.  Using authenticator apps provides various codes for your different accounts which change every 30 seconds and removes the need for SMS two-factor authentication entirely.

• Use strong passwords or PINs
• Turn on auto-lock and enable your device to lock after a short period of inactivity
• Consider using biometrics (Face ID) for convenience, while still relying on passwords for stronger security
• Turn off Bluetooth and Near Field Communication (NFC) which is a short-range wireless technology that enables devices to interact when placed close together, usually within a few centimetres. It allows functions like contactless payments, secure access, and quick data sharing. Turn these off when not in use to block any unauthorized connections.

• Avoid connecting to public Wi-Fi. If necessary, use a Virtual Private Network (VPN) for encryption or use your mobile data instead.  A VPN helps to protect your internet connection and privacy online by encrypting your connection thus also hiding your Internet Protocol (IP) address. You can download various VPN software such as Surfshark, ExpressVPN or NordVPN on either your mobile devices, tablets or computers. For transactions or sensitive activities, consider using a mobile data hotspot instead
• Turn off automatic Wi-Fi and Bluetooth connections to unknown networks and devices. Prevent your device from automatically reconnecting to untrusted or previously used public networks
• Delete previously connected public Wi-Fi networks to prevent unauthorised auto-connections.

• Keep your device and apps updated. Enable automatic updates to install security and software updates when they become available
• Only download apps from official app stores (Google Play Store, Apple App Store), but be aware that even apps from trusted stores can be malicious. Always check app reviews, developer details, and required permissions before you install them.

• Disable location services when not needed
• Do not leave your mobile device unattended in public spaces
• Avoid using untrusted accessories such as unknown chargers, USB drives, or power banks as they may contain malware
• Close unused apps to reduce background data activity.

• Enable "Find My Device" (Android) or "Find My iPhone" (iOS) to lock or erase data remotely if your device is stolen
• Keep your International Mobile Equipment Identity (IMEI) number safe. This unique identifier can help in tracking a lost or stolen device
• The quickest method to find your IMEI number is dialling *#06# on your phone, which will instantly display the IMEI on your screen
• Alternatively on Android, you can find it in Settings > About phone > Status and iPhone users can find it under Settings > General > About.

• Use strong, unique passwords for each of your accounts such as bank accounts, application accounts and social media accounts
• Enable multi-factor authentication (MFA) for important accounts
• Consider using a password manager for secure password storage
• Change any pre-set usernames and/or passwords on your devices and accounts.

• Be cautious of unsolicited calls and emails. Verify links, senders, and unexpected calls or messages to avoid scams
• Avoid scanning unknown QR codes to prevent spreading harmful software (Malware).
  

• Check website security has “HTTPS” encryption before entering sensitive information for example 'https://familybuildingsociety.co.uk'. HTTPS is a secure version of the HTTP protocol, meaning it encrypts the communication between a web browser and a website, making it safer for transferring sensitive data. You can check a website has this by looking in the website address field
• Ensure your device does not automatically connect to Wi-Fi or Bluetooth networks without your consent. This reduces risks from malicious networks or rogue devices
• Public Wi-Fi can be a hotspot for cyber threats. Always use a Virtual Private Network (VPN) when accessing public networks to protect your data from potential hackers. A VPN helps to protect your internet connection and privacy online by encrypting your connection thus also hiding your Internet Protocol (IP) address. You can download various VPN software such as Surfshark, ExpressVPN or NordVPN on either your mobile devices, tablets or computers. For transactions or sensitive activities, consider using a mobile data hotspot instead
• Even when using a secure home network, a VPN can provide an extra layer of privacy. It encrypts your internet traffic, making it difficult for hackers, internet service providers, or other third parties to monitor your online activities.

• Hacking requires advanced skills: Not all hackers are tech wizards. Many attacks exploit simple human errors, like weak passwords or phishing scams, using readily available tools
• Phone hacking is always high-tech: Most phone hacks aren’t as sophisticated as you might think. Simple tactics like social engineering or phishing are widely used
• Only high-profile targets get hacked: Cybercriminals don’t discriminate. Individuals, small businesses, and even children are frequently targeted due to weaker security measures
• Hacking is always illegal: Not all hacking is bad! Ethical hackers, also known as penetration testers, help organizations strengthen cybersecurity by identifying vulnerabilities.

• A phone number alone can hack a device: A phone number isn’t enough to compromise a device. Hackers need additional vulnerabilities, such as malware or unsecured applications
• Antivirus provides complete protection: Antivirus software is useful but not foolproof. Multi-factor authentication (MFA), frequent updates, and good security habits are essential for comprehensive protection
• Hacked phones are always obvious: Many breaches happen quietly, stealing data over time without any noticeable signs
• Public Wi-Fi with a password is safe: Even password-protected public Wi-Fi can be vulnerable to cyberattacks. Always use a trusted Virtual Private Network (VPN) when connecting to public networks.