I fell victim to credit card fraud - but had to wait four months for a refund

Which? researcher Matthew Jenkin explains how he had to fight for a refund after fraudsters racked up a bill on his American Express card. 
Matthew JenkinSenior writer
paying the bill with contactless credit card

It was 5.01pm on 21 October 2022 and I’d just logged off for the day, much to the delight of my four-year-old son who’d been patiently watching CBeebies. I was on his clock now, and no one was to disturb his precious ‘daddy time’. Then at 5.02pm, my mobile rang.

A well-spoken man was on the end of the line, calmly informing me he was from the ‘Amex fraud team’ and wanted to double check a few transactions made on my credit card that afternoon. He rattled off a series of large, unfamiliar payments, each worth a couple of hundred pounds, but sandwiched between them was a genuine one I’d made earlier that day at the supermarket. 

Distracted by petitions for food by my self-proclaimed ‘starving’ little boy, I panicked and confirmed these were bogus transactions.

The caller assured me my card would be cancelled immediately and a new one sent out within five working days. ‘In order to do that I need to confirm your identity’, he said, quickly adding, ‘Of course, I won’t ask for any personal information – all you need to do is tell me the six-digit verification code I’ve just sent to your phone.’ 

Keen to block the card before an even bigger bill was racked up, I quickly reeled off the numbers in the message. I breathed a sigh of relief, but within an hour and a half, I’d lost nearly £1,000. Here's what happened next.

Outsmart the scammersour free scam alert service can help you spot and avoid the latest scams

An Oxford Street spending spree

At 6.27pm, a message pinged on my phone. ‘Amex Fraud Alert: Did you just attempt a charge for 1.00 GBP at Uber Payments BV?’ Absolutely not, I said to myself, confused and wondering why my card was still being used. 

Four minutes later my phone rang again, this time from an 0800 number and a man claiming to be from the American Express fraud team. Unsure who to believe, I hung up and called back on the number on the back of my bank card. It matched the first caller ID, so I was reassured it was genuine.

My heart sank when the man on the phone started to list all the transactions: £35 for a cab, followed by a shopping spree on London’s Oxford Street that included £850 spent in Selfridges, £12 in McDonald’s and £8 at the American Candy Store. 

Because retailers are responsible for setting their own limits on contactless Apple Pay purchases, the fraudsters were able to spend a total of £905 on my card before it was finally blocked by Amex.

I’d been scammed, clearly, but by whom and how? The Amex representative offered no answers, but reassured me that I would be refunded in full for any fraudulent transactions within 24 hours. 

The waiting game

The refund process actually took four months. During this time, I was repeatedly told by Amex that it couldn’t process the refund because the fraudulent transactions were still ‘under investigation’.

Finally, in early January 2023, I was credited the total amount stolen, but because of Amex's failure to issue a prompt refund, the company's lack of support and poor communication, plus the feeling that I myself was somehow at fault, I felt compelled to lodge a formal complaint. 

On 14 February, I received an email from a representative at the customer research and solutions department of American Express. She explained that although the fraud case was submitted back in October 2022, due to an internal error it was voided before the credits were applied. She apologised and gave me a £75 credit.

I was grateful that the matter had finally been put to bed, but sadly my experience is not unique and Amex isn’t alone in failing to refund card fraud victims promptly. Which? research in 2021 found that 61% of credit card fraud victims were refunded within a week (compared with 79% of debit card fraud victims). However, 12% waited at least four weeks for a refund, with 6% of these victims left out of pocket for between three and six months. 

Refund rules if you fall victim to fraud

Financial Conduct Authority (FCA) guidance states that refunds should be made ‘without unnecessary delay’ and by the end of the next business day. Banks can’t refuse to refund unauthorised payments on a debit card unless, for example, it has evidence that you acted fraudulently or with ‘gross negligence’. 

But ‘gross negligence’ can’t be used by credit card providers as a reason to refuse you a refund. It needs to demonstrate that you authorised the payment or gave someone else consent to use the card.

If you’re unhappy with the way your provider has dealt with an unauthorised transaction on your account, the first step is to lodge a formal complaint. Ask it to reconsider its decision and remind the provider of its legal obligations. Always try to do this in writing (ideally email), so you have a record of correspondence, although in my case I had success over the phone. 

Amex complied with FCA rules for handling complaints by providing a full response within 35 working days. If a firm can’t provide a final response, it must explain why. If the provider still doesn’t change its decision after you’ve complained, you can escalate your case to the Financial Ombudsman Service (FOS).

When I asked Amex for more information on its fraud protocol and its policy on handling refunds, I wasn’t given an answer. Instead, it said ‘all fraud claims are thoroughly investigated by our specialist fraud team.’

The red flags I missed 

1. Caller ID

Phone numbers can be ‘spoofed’ to look like they are from a legitimate caller. In my case, the fraudsters used a private number to hide behind, but they can also mimic your bank's genuine number. If you’re at all unsure about who is calling, it’s best to hang up and ring the number shown on the back of your bank card.

2. Identity check

The fraudster claimed they needed to confirm my identity before blocking my card. If your bank alerts you to potentially fraudulent transactions, all it needs is confirmation that the card’s been used without your approval and you wish to block it, not your personal details.

3. Code request

Your bank or credit card company will never contact you asking for your Pin, full password or any other type of code to confirm your identity. It already knows who you are and contacted you directly – why would it need to check your details?

4. Text details

If I’d looked more carefully at the SMS which included the code the fraudsters had asked for, I’d have seen that it was to set my card up on an Apple Pay account – something I don’t have. An email from Amex followed, also confirming this. When I did notice, it was too late.

More on this

Related articles