Scam attack on Ukrainian mother exposes flaw in UK bank safeguards

When Russia invaded Ukraine, Alina Bondaranko* agreed to safeguard her brother’s savings. She had arrived in the UK before war broke out; her brother, who is of fighting age, was banned from leaving his homeland. Fearing Ukraine’s banks might collapse, he transferred his money to his sister’s bank account.

Within weeks it was stolen in an online scam, along with Bondaranko’s own funds, and a loophole in consumer protection means she was ineligible for a refund from her bank.

Bondaranko works as a cleaner to support her one-year-old child, and has a limited grasp of English. Anxious to increase her income as prices soared, she responded to a Facebook ad offering home-based work for two hours a day. She was contacted by an agent from a fake investment firm who told her she would be buying and selling stocks, and charged her £250 for an online training course.

The agent schooled her in investment strategies, and won her trust over days of phone and video calls. He persuaded her to open an account in her name with the e-money service, Revolut, and to transfer the savings that she held with Barclays.

She was then tricked into making five debit-card payments totalling £32,000 to a cryptocurrency exchange platform. The crypto account belonged to the fraudster and the siblings’ life savings vanished.

Fraud victims tricked into authorising payments by bank transfer (known as APP fraud) are protected by the contingent reimbursement model (CRM) code. It is a voluntary scheme that requires banks to refund customers who have not been unduly negligent. Vulnerable customers must be refunded in almost all circumstances.

However, the CRM does not cover payments by card, cheque or direct debit. If Bondaranko, who can be classed as vulnerable, had been ordered to transfer the funds via the faster payments system, or Chaps (the clearing house automated payment system), to a crypto exchange, she may have been compensated by Revolut, which is not signed up to the code, but claims to abide by the spirit of it. Because she paid by debit card she was not.

The CRM was launched in 2019 because electronic “push payment” transactions were inadequately protected when compared to other payment methods. Credit card users can make a claim under section 75 of the Consumer Credit Act if a trader is in breach of contract.

Visa and Mastercard operate a chargeback scheme for disputed debit card transactions, while the direct debit guarantee requires banks and building societies to refund contested payments that have not been made in accordance with direct debit rules.

However, these schemes were developed before the surge in online fraud and, unlike the CRM, they do not necessarily cover authorised payments to scammers. Revolut attempted a chargeback on behalf of Bondaranko, but, as she had sanctioned the payment to a legitimate crypto firm, albeit unwittingly into a fraudster’s wallet, it was refused.

Bondaranko’s ordeal suggests there is a gaping hole in consumer safeguards as pressure grows on financial institutions to refund all fraud victims. Scams are increasingly sophisticated and prolific, and the idea behind the CRM is that banks can, and should, use their knowledge of criminal tactics to warn customers attempting uncharacteristic transactions.

The compensation costs banks face if they fail to do so is supposed to be an incentive to step up, although last year less than 50% of APP fraud victims were refunded. The Payment Systems Regulator, which oversees electronic transfers, has launched a consultation on whether to make refunds to APP fraud victims mandatory. But there is no word on updated regulations to protect those, like Bondaranko, who authorise payments by card.


The company that defrauded Bondaranko has laid the ground thoroughly to dupe potential customers. It has the same trading name as a reputable US investment platform, a convincing website with detailed financial pages, and a Trustpilot page full of five-star reviews which, at closer inspection, appear to be fake.

Last month City of London police, which runs the Action Fraud hotline, reported an epidemic of fake investment ads on social media. More than £890,000 was lost to fraudsters operating “get-rich-quick” scams in the 2021/22 financial year, an increase of 49.5% on the previous 12 months.

Criminal gangs pay social media influencers to endorse their ads, and dupe respondents with professional-looking websites, sometimes cloned from reputable firms and with painstaking social engineering.

Victims are commonly asked to “invest” via crypto exchanges. To avoid their bank questioning the transaction, they may be told to transfer their money first to an e-money institution, like Revolut, which is not subject to the same regulations as banks, and is more accustomed to processing large sums for customers.

In Bondaranko’s case, Barclays initially blocked her payments to the new Revolut account but, primed by the scammer, she assured her bank they were genuine. Because of her vulnerable circumstances, Barclays offered to refund half the stolen sum after contact from the Observer.

Revolut, which did not question the transactions, was also contacted by the Observer but refused to refund her. However, it changed its mind when informed of Barclays’s gesture.

It says: “Since March, Revolut has helped more than 250,000 Ukrainian refugees gain access to money and payments services, giving those fleeing the conflict the ability to easily access their money. After considering Ms Bondaranko and her family’s circumstances, we have reimbursed half of the funds she lost to scammers as a gesture of goodwill.”

The cost of living crisis is likely to tempt more people to sign up to phoney schemes offering generous returns. The Payment Systems Regulator told the Observer that once the government had updated legislation, it would oblige firms to refund victims of APP fraud to incentivise greater detection and prevention.

However, there are no proposals to tighten protections for victims who paid scammers by card. The Financial Conduct Authority, which regulates banks, says: “We expect the firms we regulate to effectively guard against financial crime and to treat their customers fairly. If a customer is unhappy with how a firm has treated them, and has filed a complaint, they should refer the matter to the Financial Ombudsman Service.”

* Name has been changed

The Guardian