It was a devastating blow for Sarah Ellis to discover that nearly £5,000 had been stolen from her NatWest internet account in a bank fraud, writes Louise Ellis

This type of fraud, known as 'phishing', has increased dramatically in the past year, causing stress and financial misery for thousands of unsuspecting internet customers.

CIFAS Head of Communications, Kate Beddington-Brown, said, "We have seen fraudsters using this method increasingly during 2008, but the sheer scale of the increase is truly alarming. Fraudsters are clearly adapting to current conditions. They know that lending criteria have become more stringent as a result of the credit crunch, and that application fraud is likely to be unsuccessful. They are turning their attempts elsewhere with no thought for the profoundly damaging effect this has on victims.  With this type of fraud, the impact goes far deeper than any financial losses, as the feeling of uncertainty inflicted upon victims often undermines their sense of security and well-being."

Banks have been criticised by security experts for failing to give adequate support to online customers, educating them about the issues of fraud. Thousands of customers are not being made fully aware of how fraudsters operate, by sending “phishing” emails masquerading as messages from banks and building societies to obtain private account details and passwords.

Sarah, who has four children and lives in Bristol, was worried when she received an email with the NatWest bank logo, asking her to confirm her security details as a matter of urgency. It warned her that if she didn’t, her bank account would be closed down. So she followed the email’s instructions, and a few days later discovered that nearly £5,000 had been taken out of her account in a “phishing” fraud.

“I felt that I was pressurised into doing internet banking, as I prefer to go into my branch where I have been a customer since I was seventeen.  However, I was assured that it was easy. But when I made a mistake because I didn’t understand this new online language, such as ‘phishing’, they told me I had been irresponsible. I trusted the bank, but in the end there was no protection for me as a customer. I feel that I have been totally disrespected. It has been a total disaster for me and I have lost a lot of my money. It’s knocked the whole foundation of my life, affecting my confidence and actually making me ill.”

Sarah runs a fashion business and opened an internet facility for her NatWest account at the end of 2007. She only ever used it for checking her balance, and transferring money between her Nat West accounts, as she continued to visit her local branch in Clifton, Bristol, to do her banking.  In early 2008, she returned from a business trip abroad and went online to check her emails.

“It didn’t enter my head that there was anything suspicious about the email, because it had the NatWest logo. They asked me for my security password. This didn’t seem unusual to me because every time I talk to the bank or a credit card company over the phone, they ask me for certain password details. The email also said that if I didn’t confirm my password, I would no longer be able to access my account. Obviously, I was concerned about this, so I provided the details requested.”

Two days later, while on a visit to her daughter and grandson in Brighton, she was denied money at a cashpoint. When she went into the branch to find out why, she was told that there had been a suspicious online withdrawal of over £4,000 from her account. She explained how she had updated her security details, and was told that she had been the victim of internet fraud. The bank staff told her that they could put a stop on this money, so she thought the matter had been dealt with.

However, a few weeks later, Sarah realised that her account had been debited with another sum of over £4,520, which she had kept in there to pay business and household bills. She found out that the bank had allowed this transaction. They only told her about the one they had stopped, because that would have made her overdrawn.

“It’s extremely upsetting that they took no trouble to protect my own money from fraud, but only bothered to stop a transaction when my account would have gone into overdraft and so it was their money. My money apparently was transferred into another NatWest account, which is why it cleared immediately, but they say they cannot trace it. This would have been a very unusual transaction on my account, for a lot of money, and they did not bother to call me to check that I had authorised it,” said Sarah.

When Sarah contacted the bank for help, she received a letter stating that she had acted in breach of the terms and conditions of NatWest Online Banking. The letter said that because she had failed to keep her security details secret, and had not taken all reasonable precautions to prevent unauthorised or fraudulent use of them, the bank would not refund the loss of money.

On NatWest Bank’s website section on fraud, called How NatWest Protects You, it assures online customers that it takes security very seriously and has invested in a host of measures to protect customers’ money. One such device, it states, is a fraud detection system which can spot suspicious transactions, by monitioring for unusual patterns, such as a high money transfer.

Another security measure is a plug in device called a card reader, however Sarah, and thousands of other customers have not yet been issued with these. NatWest Bank explained that they are being sent out in batches.

In the past, security experts have accused high street banks of shirking their responsibility to make internet banking more secure. In a report in The Times in 2004, Paul Docherty, technical director of Portcullis Security Systems, the security consultancy, said a consumer awareness campaign launched by the banks to warn consumers of the risks of internet banking was an attempt to shift the responsibility for stopping fraud on to the consumer. Mr Docherty said that banks had refused to upgrade their security systems on the grounds that informing all 14 million customers about security changes would be time-consuming and costly. (The Times, 2nd Oct 2004)

Fortunately, Sarah has had the perseverance to continue fighting her case. She explained how her Buddhist practise has given her the courage to keep fighting for justice. “If it hadn’t been for my Buddhist practise, I think I would have gone mad. It has been so stressful. I’ve felt so let down by an institution that I thought I could trust. I have been with NatWest since I was seventeen. The more I talk to other people about what has happened, I realise that most people aren’t fully aware of how 'phishing' works, and are shocked at how easily you can be caught out by bank fraud. It is so easy to feel safe and secure in your own home, working at your computer, and this type of theft can totally catch you off guard. And it’s not just about the money, the way the bank has treated me has made me look a fool.”

She has made these words from SGI President Ikeda her guide, 'What can the individual accomplish in the face of the huge institutions that run our world? This feeling of powerlessness fuels a vicious cycle that only worsens the situation and increases people’s sense of futility. At the opposite extreme of this sense of powerlessness lies the Lotus Sutra’s philosophy of three thousand realms in a single moment of life and the application of this teaching to our daily lives. This principle teaches us that the inner determination of an individual can transform everything; it gives ultimate expression to the infinite potential and dignity inherent in each human life.' (Buddhism Day by Day, Daisaku Ikeda, p.158, Middleway Press, 2006))

Sarah has now contacted the Financial Ombudsman, who is currently  reviewing her case and has decided to investigate it. For many others who have not decided to take up the fight against the bank’s position on fraud, the overall loss of personal money to 'phishing' fraud has caused heartache and misery.

MPs are calling for information from victims of 'phishing' attacks. Consumers and businesses who want to contact the All-Party Parliamentary Group on Identity Fraud should write to Nigel Evans at the House of Commons or email This email address is being protected from spambots. You need JavaScript enabled to view it.">This email address is being protected from spambots. You need JavaScript enabled to view it..