Scams can be complex, so let’s stop playing the blame game

As long as there has been the exchange of money, there has always been fraud. From Hegestratos, the first recorded fraudster in 350 BC Ancient Greece, to Charles Ponzi’s infamous scheme of redistributing investments, to the present day, criminals have always tried to find new and more sophisticated ways to dupe people out of their money.

Authorized Push Payments are the new big thing

For a long time, the blame has fallen on those defrauded. But the Financial Ombudsman Service has been making noise of late that this could be about to change, especially concerning APPs. Authorized Push Payment (APP) scams are a type of scam that encourages someone, either an individual or a business, to transfer money from their own account to a seemingly legitimate account. Once this is done, the money is usually transferred quickly on to other accounts and out of the country, making it hard to recover.

In 2018, news broke of an APP scam hitting a cancer patient and her elderly mother. They lost over £20,000 and with it their ability to pay for her care home. Rightly or wrongly, the bank claimed it was not liable. At that time, it was at the discretion of the bank to decide whether or not to reimburse the defrauded account: should the bank decide that the account owner had been careless and grossly negligent in falling for the scam, it could refuse to reimburse the tricked customer.

The Financial Ombudsman Service later said, however, that this was unfair, so banks now have to provide evidence that the scammed consumers were in fact grossly negligent. But before we start playing the blame game, let’s look at the bigger picture.

In 2017, 56% of fraud in the UK was cyber-related

These scams aren’t just a promise of a fortune from a questionable ‘Nigerian Prince’; they are increasingly elaborate and realistic schemes. The reason for the growing complexity of user-targeted fraud is that criminals always pick on the weakest link. Where once this may have been the banks themselves, today banks and building societies have many security protocols in place to help prevent crime. According to UK Finance, they stopped £2 of every £3 in attempted fraud in 2017.

As it’s become more difficult and expensive to target the technology itself, it’s no wonder that fraudsters are going after customers with renewed vigour, in a manner that would make Hegestratos proud. By manipulating the insecure behaviour of people, they bypass what are otherwise secure systems. That’s why the FOS has also warned that people must adopt simple habits, such as not writing their PIN on the front of their credit card and not automatically taking unsolicited email communications purporting to be from their bank at face value.

There should never be a single point of vulnerability: layering up is key

We don’t know how much the burden of responsibility will shift from customer to bank in the future, but what’s apparent is that further user education must be combined with a layered approach to cybersecurity across all business/consumer relationships – i.e. there is never a single point of vulnerability for criminals to exploit. This of course means there’s no single point of culpability either.

Whether it’s a combination of two-factor authentication, biometrics, adoption of email authentication protocols such as DMARC, security awareness training, advanced threat protection, the creation and enforcement of tighter policies and procedures, etc., the specifics may differ from organisation to organisation, but the rationale should remain consistent: we need to make the technology better at dealing with these attacks, and humans less vulnerable to them. Ultimately, we need to adopt an attitude of shared responsibility for improving our defences, rather than just assigning blame when those defences are breached.


Clare Holmes

6 Sep. 2018
