Which? issues Revolut bank account takeover fraud warning

Two Revolut business customers have been left reeling after criminals drained their accounts using near-identical tactics

Which? is issuing a warning about bank account takeover attacks after hearing from two Revolut customers who had their business accounts drained by scammers who passed the e-money firm’s ‘selfie’ security checks just two days apart.

Both victims approached Which? last week, sharing eerily similar details after being scammed by fraudsters who stole colossal sums from their Revolut business accounts in early February. 

One victim is now out of pocket to the tune of £165,000, rendering his business on the brink of bankruptcy, while the other lost over £40,000 in 10 minutes. In each case, vast sums were sent to various HSBC accounts that were either opened by, or in the control of, criminals. 

Revolut has told both customers that they won’t be reimbursed for any losses, though it confirmed to Which? that it is aware of a recent increase in advanced account takeover scam attempts by criminals across the industry and says it is continuously strengthening its fraud controls to stay one step ahead of this trend.


Revolut account takeover fraud  

In both cases the fraudsters pretended to be calling from the Revolut fraud team about suspicious activity and managed to pass a series of security checks to take over the victims' accounts.

Revolut investigated both cases and emailed each customer to confirm that it will not refund their losses, because its multi-factor authentication checks were completed in each case, including:

  • an email to their registered address asking them to confirm login on a new device (Revolut told both victims this was either clicked or shared with a third party).
  • an SMS to their registered phone number with a security code (Revolut said these were successfully entered).
  • a ‘selfie’ photo which allowed access to the account (Revolut said its records show the 'selfie' check was passed in both cases).

Following the successful authentication, Revolut said it completes 'transaction monitoring reviews for subsequent transactional activity'; yet once their apps had been breached, the scammers made multiple transactions per minute, draining both accounts with ease.

‘£180k was transferred out of our business account in an hour’ 

Tom (not his real name), age 29, told us he received two calls in quick succession from a private number and only decided to pick up because he was expecting a call from a contractor. 

He told us: 'The caller says they are from the Revolut fraud protection team and explains that there have been suspicious transactions on my account. They think my account has been compromised. Initially, they ask quite a lot of questions, about anyone having access to the account. No one else did have access. Throughout the call they applied pressure and kept passing me to different "departments" in the company.'

While on the phone, Tom received an email from Revolut to confirm login from an unknown device. He was instructed to reply to this request with the words 'block request', then remove and reinstall the app. This triggered a security code sent by text, which he shared to reset his security details. In reality, this enabled the fraudster to pass one of Revolut's security checks, though it remains entirely unclear how they were also able to provide the 'selfie' photo that enabled them to take over the account.

*Cleverly, they sent money to HSBC accounts that appeared to be named 'Revolut fees', 'Revolut fees care' and 'Etsy'. Confirmation of Payee checks flag when a name doesn't match the account details entered, but as the scammers had control over the app, they were ignored. 

When they triggered security codes for these new payees (starting with small payments of around £20), Tom assumed they were legitimate and confirmed the checks. Once unleashed, the criminals made 140 transactions in little more than an hour, including various card payments made in AED (a currency the account has never used). In total, they stole £180,000, but they weren't finished yet.

Next, they told Tom to visit a website called ‘revolutchatwithus.web.app’ to secure his laptop. This appeared to connect him to Revolut via a screen-sharing and remote access tool called AnyDesk, as you can see from the images below. His screen went blank, giving the scammers the opportunity to get into his Wise account (as he was already logged into this account on his laptop) and move £82,000 to his Revolut account.

A notification from Wise appeared on his phone and broke the spell. He hung up, exited the AnyDesk sharing session and contacted Revolut about the fraud. Revolut only offers a chat feature to report fraud, which meant Tom had an agonising wait for his account to be secured. He told us his card was frozen at one point, but the fraudsters were able to unfreeze the card via the app and complete more transactions until every penny had been taken.

Only one Wise payment was recovered and Revolut cancelled around £15,000 worth of transactions, leaving Tom's total loss at £165,000.

‘They drained my business account in less than 10 minutes’

A similar web of deceit has horrified Anna (not her real name), age 36, after scammers stole over £40,000 in just 10 minutes, only two days after targeting Tom.

Disturbingly, her accountant was targeted by the same scammers first (he later lost over £80,000), which meant he called her to confirm there was a security breach and that she should expect a call from Revolut, making the scam far more plausible.

Anna was abroad with family and had patchy access to the internet so she is certain that she did not authorise any digital security checks required to log in to her account from a new device.

Matching the tactics used against Tom, they had set up two HSBC accounts with names that appeared to be associated with genuine retailers: 'Google Workspace' and 'Uber Uber'. 

'It all happened so fast. They used verification codes associated with past transactions I did myself to transfer the money. They drained my business account in less than 10 minutes. After nine days of chat communications with Revolut, they sent me a dismissive email telling me I wouldn't be refunded,' says Anna.

'The lack of support and accountability of Revolut has been outrageous. Why didn't they restrict my account after a new device logged in that I didn't confirm, or stop 38 transfers for a total amount of over £40,000 in 10 minutes, which significantly exceeds my usual transactions? They have limited themselves to a few repetitive messages on the app chat and dismissed my case without seeking my input to collate a comprehensive report and investigation.'

The response from the banks

Which? has advised both victims to escalate their fraud complaints to the Financial Ombudsman Service (FOS).

Banks have a duty to detect money laundering and prevent criminals from opening accounts, so we were concerned that six of the accounts used in these frauds belong to HSBC.

Though banks are unable to comment on accounts where there is a live investigation, we shared details of these accounts with HSBC and a spokesperson said: 'We take our responsibilities as a sending bank and receiving bank extremely seriously, and have teams working around the clock to identify suspicious transactions among the many millions that are processed each day, taking timely and appropriate action should there be a concern.'

Revolut tells customers they will not be reimbursed

Which? contacted Revolut for comment. It provided a statement for publication but did not explain why it did not react to the highly unusual volume of transfers in both cases and intervene by freezing the accounts. It also did not explain how scammers were able to pass its various security checks, including its ‘selfie’ ID request.  

Both customers have requested copies of the 'selfie' photos that passed Revolut's security checks but were told this isn't possible under data protection laws. 

Payment firms should refund disputed transactions unless they can demonstrate that customers: authorised the payments; acted fraudulently; or with 'gross negligence' failed to protect their accounts. Revolut did not explain the basis under which it considers both customers to have been unusually careless.

We asked Revolut why it hasn’t at least refunded disputed transactions completed after Tom reported the fraud as per the Payment Services Regulations (PSRs). It declined to answer this question.

A Revolut spokesperson said: ‘We are sorry to hear of (these) cases and any instance where our customers have been targeted by ruthless and sophisticated criminals. Each potential fraud case concerning a Revolut customer is carefully investigated and assessed independently of other cases. We are aware of a recent increase in advanced Account Takeover (ATO) scam attempts by criminals across the industry.

'We are continuously strengthening our fraud controls to stay one step ahead of this trend, introducing further direct interventions and sharing educational materials with our customers so they are able to spot the social engineering tactics of criminals.'

It added that it encourages customers to be vigilant and to look out for the following:

  • Never share your password, passcode, PIN, selfie or one-time passcode (OTP) with anyone else, even if they claim to be from Revolut or another financial institution.
  • If you receive an email asking you to confirm your device, when you haven't added one or don't recognise it, please ignore it and flag it as spam.
  • Don't click on any links or buttons in an email like this, or forward it to anyone else.
  • Never download remote access software to your device.
  • Scammers will send fake emails asking for these things, or use your email address to fail a login attempt, so they can contact you pretending to help secure your account.
  • If you think you have fallen victim to a scam, freeze your cards immediately and contact Revolut customer support via our secure in-app chat.

*This article was updated on 7/03/2024 to make it clearer that the fraudsters had changed the 'names' of the HSBC accounts as they appeared within the Revolut app.