Banking Scam Guide: Protect Your Account in 2026

Banking fraud cost UK consumers £1.2 billion in 2023. Here's your complete defence guide — from fake bank calls to OTP theft.

12 min read Updated: July 2026 ScamSense Security Team

Your bank account is the ultimate target for fraudsters. Every scam type — phishing, romance fraud, fake job offers, investment schemes — ultimately aims to get money out of your account. Banking fraud itself is also a direct threat: fake bank alerts, fraudulent calls from "your bank," OTP interception, and app fraud drain billions from consumers every year. This guide covers every major banking scam and how to defend against each one.

£1.2B Lost to banking fraud in the UK in 2023
$10.9B Global banking fraud losses annually
40% Of victims received a fake bank phone call

How Banking Scammers Target You

Banking fraud success depends on one of three approaches: tricking you into revealing your credentials (phishing), tricking you into authorising a transfer yourself (APP fraud), or accessing your account through technical means (credential theft, SIM swap). Of these, social engineering — where you are manipulated into taking the harmful action yourself — accounts for the vast majority of successful attacks.

Modern banking scammers are highly sophisticated. They can spoof your bank's exact phone number so it appears identical on caller ID. They know your name, partial account details (sometimes obtained from previous data breaches), and can describe recent transactions that they accessed from other compromised sources. This detail creates convincing authority that bypasses scepticism.

Types of Banking Scams

01

Fake Bank Alert (SMS & Email Phishing)

The most common banking scam is the fake bank alert: an SMS or email that appears to be from your bank claiming suspicious activity, a security alert, or an urgent account action. A link in the message leads to a cloned banking login page that captures your username, password, and sometimes OTP. These pages are visually identical to real banking websites and are increasingly hosted on HTTPS domains to appear secure.

Typical Fake Bank SMS

"BARCLAYS FRAUD ALERT: A new payee has been added to your account. If this wasn't you, verify immediately: [link] or call 0800 XXX XXXX"

Defence: Never click links in banking SMS messages. Go directly to your bank's app or website.

02

Vishing — Voice Phishing Calls

Vishing (voice phishing) involves a phone call from someone claiming to be your bank's fraud team, the police, or HMRC. They present a convincing scenario — your account is under attack, there's a fraudster inside the bank, you must move your money for protection — and guide you through increasingly serious actions: providing card details, reading OTPs aloud, or making bank transfers.

These calls can be alarmingly convincing because criminals can spoof your bank's actual telephone number, and may know enough personal details (from data breaches) to seem legitimate. They create urgency: "We need to act in the next few minutes before the fraudster completes the transfer."

Defence: Hang up and call your bank back on the number on the back of your card. Always. No matter how urgent it seems.

03

OTP Interception & SIM Swap

One-time passwords (OTPs) sent by SMS are a security layer between fraudsters and your money. Criminals circumvent this in two ways. In social engineering OTP theft, the fraudster who already has your username and password calls you, claims to be from the bank verifying suspicious activity, and asks you to "confirm" the OTP that just arrived on your phone — actually logging into your account using the code you just provided.

In SIM swap attacks, the criminal contacts your mobile network, impersonates you, and convinces them to transfer your phone number to a new SIM they control. They then receive your OTPs directly. Protect against this by switching from SMS-based 2FA to an authenticator app, and adding a security PIN to your mobile account.

04

Authorised Push Payment (APP) Fraud

APP fraud is the fastest-growing banking fraud type in the UK. It involves tricking the victim into willingly authorising a bank transfer to an account controlled by fraudsters. Common scenarios include: an invoice payment to a supplier that has been intercepted and bank details changed (invoice fraud), a deposit for a rental property or car that doesn't exist, a courier fee or administration charge for a prize, or moving money to a "safe account" on police or bank instructions.

Because the victim authorises the payment, banks historically argued they weren't liable. New UK rules from October 2024 now require banks to reimburse APP fraud victims up to £85,000 in most cases — a significant consumer protection improvement.

05

ATM Skimming

ATM skimming involves attaching devices to cash machines that covertly capture card details and PIN numbers. The skimmer reads the magnetic stripe on your card while a hidden camera or overlay keypad records your PIN. Fraudsters then clone your card and withdraw cash. To protect yourself: inspect the card slot for loose or unusual attachments, cover the PIN pad when typing your number, use ATMs inside bank branches when possible, and check your statements frequently for unexplained withdrawals.

06

Fake Banking Apps

Fraudulent banking apps appear in third-party app stores or are promoted via phishing messages and social media ads. They look like your real banking app but are designed to capture your login credentials. In 2026, some fake apps use legitimate bank branding obtained through clone websites. Always download banking apps directly from the official app stores (Google Play or Apple App Store) and verify the developer matches your bank's official name.

How Your Bank Will Never Contact You

Your Bank Will NEVER Do These Things

Print this list. Share it with family. These are absolute rules — any communication instructing you to do these things is fraud, without exception:

  • Ask for your full PIN or online banking password over the phone
  • Ask you to transfer money to a "safe account" — even one in your own name
  • Ask you to read out an OTP sent to your phone to confirm anything
  • Send a courier to collect your bank card
  • Ask you to install any software or app on your device
  • Tell you there's a corrupt employee and you must keep the call secret
  • Ask you to withdraw cash and hand it to anyone for safekeeping
  • Demand action within minutes or your account will be compromised

10 Red Flags of Banking Fraud

🚩Unexpected contact claiming to be from your bank — especially by phone
🚩Request for your full PIN, password, or security word over phone or message
🚩Being asked to read out an OTP sent to your phone
🚩Instruction to transfer money to a "safe account" or "holding account"
🚩Request to install remote access software (AnyDesk, TeamViewer, etc.)
🚩Extreme urgency — "you have 10 minutes or your account will be cleared"
🚩Instruction not to tell family members what is happening
🚩Request to visit a branch and withdraw cash for a courier
🚩Unexpected OTP arriving without you having initiated any action
🚩Banking link in an SMS that doesn't match your bank's real domain

Real-World Banking Scam Examples

The Safe Account Scam

"This is HSBC fraud prevention. We've detected a fraudster accessing your account. For your protection we need to move your money to a temporary safe account while we investigate. I'll guide you through the transfer now. Please don't use your banking app or call us back as the fraudster may be monitoring those channels."

The OTP Social Engineering Script

"To verify your identity and cancel the fraudulent transaction I can see, I need to send you a code by text. Once you receive it, please read it back to me immediately — this is to confirm you are the genuine account holder."

Invoice Fraud Email

"Please note our bank details have changed due to a recent account audit. Please update your records and use the following account for all future payments: [fraudulent account]. We apologise for any inconvenience."

What To Do If Your Account Is Compromised

1

Call your bank immediately using the number on your card

Do not use any number provided by the suspicious caller. Ask your bank to freeze your account, reverse any recent transactions if possible, and flag your account for fraud investigation.

2

Change your online banking password and PIN

Do this from a device that is not the one used in the suspected fraud, and on a network you trust. If you use the same password elsewhere, change those too.

3

Report to Action Fraud

File a report at actionfraud.police.uk (UK) or reportfraud.ftc.gov (US). A crime reference number from this report is needed for insurance claims and bank reimbursement requests.

4

Check for remote access software

If you were persuaded to install any software during the fraud, run a security scan and remove any remote access applications (AnyDesk, TeamViewer, etc.) from your devices immediately.

5

Monitor your credit file

If your identity details were compromised, place a credit alert or protective registration on your credit file. This makes it harder for fraudsters to open new accounts in your name.

Key Takeaways
  • Your bank will never ask you to transfer money to a "safe account" — this is always fraud
  • Never share an OTP with anyone over the phone — not even someone claiming to be your bank
  • Hang up any suspicious call and call back using the number on the back of your card
  • Caller ID can be spoofed — a number matching your bank does not guarantee a genuine call
  • UK banks must now reimburse most APP fraud victims up to £85,000 under new 2024 rules
  • Enable transaction alerts on your banking app to catch fraud early

Frequently Asked Questions

What is authorised push payment (APP) fraud?
APP fraud occurs when a victim is tricked into willingly authorising a bank transfer to a fraudster's account. In the UK, new rules from October 2024 require banks to reimburse APP fraud victims up to £85,000 in most cases.
How do I know if a bank call is genuine?
You cannot reliably verify an incoming call is genuinely from your bank based on caller ID alone — fraudsters routinely spoof bank telephone numbers. Hang up and call back using the number on the back of your card or the bank's official website.
What is a SIM swap scam?
SIM swap fraud occurs when a criminal convinces your mobile network to transfer your phone number to a SIM card they control. They then receive your banking one-time passwords. Protect against this by using an authenticator app instead of SMS for 2FA.
Will my bank ever ask me to transfer money to a safe account?
Never. No legitimate bank will ever ask you to transfer money to a "safe account" to protect it from fraud. This is the defining hallmark of banking fraud — hang up immediately and call your bank on their official number.
What should I do immediately if I've been the victim of banking fraud?
Contact your bank immediately using the number on the back of your card. Ask them to freeze your account and attempt to recall any fraudulent transfers. Then report to Action Fraud (UK) at actionfraud.police.uk. Change your online banking password and PIN. Speed is critical for fund recovery.
What is vishing?
Vishing (voice phishing) is a fraud technique where criminals call victims pretending to be from a bank, HMRC, or the police. They manipulate victims into revealing account credentials, OTPs, or making fraudulent transfers — often by claiming there's urgent fraudulent activity on the victim's account.
How does OTP interception work?
OTP interception typically works through social engineering: a fraudster who already has your username and password calls you claiming to be from your bank and asks you to "confirm" an OTP sent to your phone — actually authenticating their fraudulent login while you unknowingly provide the code.
What is ATM skimming?
ATM skimming involves criminals attaching devices to cash machines that secretly copy card details and record PIN entries. The copied information is then used to create counterfeit cards. Always inspect ATMs and cover the PIN pad when typing.
Are contactless and online banking safe?
Yes — contactless and online banking have robust built-in security. The risk lies in social engineering attacks that trick users into bypassing security themselves. Never share your OTPs, PINs, or passwords with anyone, and monitor your account for unexpected transactions.
Can banks be held responsible for fraud losses?
In the UK, banks must reimburse victims of APP fraud up to £85,000 under rules in force from October 2024. For unauthorised transactions (where the fraudster accessed the account without your knowledge), banks are generally liable unless they can prove gross negligence by the customer.

Check Suspicious Bank Messages Instantly

Received an unexpected alert from your "bank"? Paste the message into ScamSense for an immediate AI fraud check before you click or call.

Download ScamSense Free

Related Guides