Your bank account is the ultimate target for fraudsters. Every scam type — phishing, romance fraud, fake job offers, investment schemes — ultimately aims to get money out of your account. Banking fraud itself is also a direct threat: fake bank alerts, fraudulent calls from "your bank," OTP interception, and app fraud drain billions from consumers every year. This guide covers every major banking scam and how to defend against each one.
How Banking Scammers Target You
Banking fraud success depends on one of three approaches: tricking you into revealing your credentials (phishing), tricking you into authorising a transfer yourself (APP fraud), or accessing your account through technical means (credential theft, SIM swap). Of these, social engineering — where you are manipulated into taking the harmful action yourself — accounts for the vast majority of successful attacks.
Modern banking scammers are highly sophisticated. They can spoof your bank's exact phone number so it appears identical on caller ID. They know your name, partial account details (sometimes obtained from previous data breaches), and can describe recent transactions that they accessed from other compromised sources. This detail creates convincing authority that bypasses scepticism.
Types of Banking Scams
Fake Bank Alert (SMS & Email Phishing)
The most common banking scam is the fake bank alert: an SMS or email that appears to be from your bank claiming suspicious activity, a security alert, or an urgent account action. A link in the message leads to a cloned banking login page that captures your username, password, and sometimes OTP. These pages are visually identical to real banking websites and are increasingly hosted on HTTPS domains to appear secure.
Typical Fake Bank SMS
"BARCLAYS FRAUD ALERT: A new payee has been added to your account. If this wasn't you, verify immediately: [link] or call 0800 XXX XXXX"
Defence: Never click links in banking SMS messages. Go directly to your bank's app or website.
Vishing — Voice Phishing Calls
Vishing (voice phishing) involves a phone call from someone claiming to be your bank's fraud team, the police, or HMRC. They present a convincing scenario — your account is under attack, there's a fraudster inside the bank, you must move your money for protection — and guide you through increasingly serious actions: providing card details, reading OTPs aloud, or making bank transfers.
These calls can be alarmingly convincing because criminals can spoof your bank's actual telephone number, and may know enough personal details (from data breaches) to seem legitimate. They create urgency: "We need to act in the next few minutes before the fraudster completes the transfer."
Defence: Hang up and call your bank back on the number on the back of your card. Always. No matter how urgent it seems.
OTP Interception & SIM Swap
One-time passwords (OTPs) sent by SMS are a security layer between fraudsters and your money. Criminals circumvent this in two ways. In social engineering OTP theft, the fraudster who already has your username and password calls you, claims to be from the bank verifying suspicious activity, and asks you to "confirm" the OTP that just arrived on your phone — actually logging into your account using the code you just provided.
In SIM swap attacks, the criminal contacts your mobile network, impersonates you, and convinces them to transfer your phone number to a new SIM they control. They then receive your OTPs directly. Protect against this by switching from SMS-based 2FA to an authenticator app, and adding a security PIN to your mobile account.
Authorised Push Payment (APP) Fraud
APP fraud is the fastest-growing banking fraud type in the UK. It involves tricking the victim into willingly authorising a bank transfer to an account controlled by fraudsters. Common scenarios include: an invoice payment to a supplier that has been intercepted and bank details changed (invoice fraud), a deposit for a rental property or car that doesn't exist, a courier fee or administration charge for a prize, or moving money to a "safe account" on police or bank instructions.
Because the victim authorises the payment, banks historically argued they weren't liable. New UK rules from October 2024 now require banks to reimburse APP fraud victims up to £85,000 in most cases — a significant consumer protection improvement.
ATM Skimming
ATM skimming involves attaching devices to cash machines that covertly capture card details and PIN numbers. The skimmer reads the magnetic stripe on your card while a hidden camera or overlay keypad records your PIN. Fraudsters then clone your card and withdraw cash. To protect yourself: inspect the card slot for loose or unusual attachments, cover the PIN pad when typing your number, use ATMs inside bank branches when possible, and check your statements frequently for unexplained withdrawals.
Fake Banking Apps
Fraudulent banking apps appear in third-party app stores or are promoted via phishing messages and social media ads. They look like your real banking app but are designed to capture your login credentials. In 2026, some fake apps use legitimate bank branding obtained through clone websites. Always download banking apps directly from the official app stores (Google Play or Apple App Store) and verify the developer matches your bank's official name.
How Your Bank Will Never Contact You
Print this list. Share it with family. These are absolute rules — any communication instructing you to do these things is fraud, without exception:
- Ask for your full PIN or online banking password over the phone
- Ask you to transfer money to a "safe account" — even one in your own name
- Ask you to read out an OTP sent to your phone to confirm anything
- Send a courier to collect your bank card
- Ask you to install any software or app on your device
- Tell you there's a corrupt employee and you must keep the call secret
- Ask you to withdraw cash and hand it to anyone for safekeeping
- Demand action within minutes or your account will be compromised
10 Red Flags of Banking Fraud
Real-World Banking Scam Examples
The Safe Account Scam
"This is HSBC fraud prevention. We've detected a fraudster accessing your account. For your protection we need to move your money to a temporary safe account while we investigate. I'll guide you through the transfer now. Please don't use your banking app or call us back as the fraudster may be monitoring those channels."
The OTP Social Engineering Script
"To verify your identity and cancel the fraudulent transaction I can see, I need to send you a code by text. Once you receive it, please read it back to me immediately — this is to confirm you are the genuine account holder."
Invoice Fraud Email
"Please note our bank details have changed due to a recent account audit. Please update your records and use the following account for all future payments: [fraudulent account]. We apologise for any inconvenience."
What To Do If Your Account Is Compromised
Call your bank immediately using the number on your card
Do not use any number provided by the suspicious caller. Ask your bank to freeze your account, reverse any recent transactions if possible, and flag your account for fraud investigation.
Change your online banking password and PIN
Do this from a device that is not the one used in the suspected fraud, and on a network you trust. If you use the same password elsewhere, change those too.
Report to Action Fraud
File a report at actionfraud.police.uk (UK) or reportfraud.ftc.gov (US). A crime reference number from this report is needed for insurance claims and bank reimbursement requests.
Check for remote access software
If you were persuaded to install any software during the fraud, run a security scan and remove any remote access applications (AnyDesk, TeamViewer, etc.) from your devices immediately.
Monitor your credit file
If your identity details were compromised, place a credit alert or protective registration on your credit file. This makes it harder for fraudsters to open new accounts in your name.
- Your bank will never ask you to transfer money to a "safe account" — this is always fraud
- Never share an OTP with anyone over the phone — not even someone claiming to be your bank
- Hang up any suspicious call and call back using the number on the back of your card
- Caller ID can be spoofed — a number matching your bank does not guarantee a genuine call
- UK banks must now reimburse most APP fraud victims up to £85,000 under new 2024 rules
- Enable transaction alerts on your banking app to catch fraud early
Frequently Asked Questions
What is authorised push payment (APP) fraud?
How do I know if a bank call is genuine?
What is a SIM swap scam?
Will my bank ever ask me to transfer money to a safe account?
What should I do immediately if I've been the victim of banking fraud?
What is vishing?
How does OTP interception work?
What is ATM skimming?
Are contactless and online banking safe?
Can banks be held responsible for fraud losses?
Check Suspicious Bank Messages Instantly
Received an unexpected alert from your "bank"? Paste the message into ScamSense for an immediate AI fraud check before you click or call.
Download ScamSense Free