Revolut - Fraudulent Transactions

You would certainly hope that SS7 attacks are very unlikely - but not impossible. The sheer number of people reporting these issues has me questioning if phishing is really the root cause, albeit I accept that it is the most plausible explanation.
I really doubt it is. Even in the video you link to, they say it is pretty much only useful for people of interest. Plus I don't think Revolut send codes via SMS. They have it in the app. I tried adding a card to Google Pay recently and could not get it to send via SMS.
 
Gosh! Did any of the 4 people get to the root cause? i.e. phished etc?



I hope they pushed back on this with Revolut even if the sum was small. Revolut is truly awful with how they handle fraud.
I know one that got the money back as it came up yesterday and he said it cost him more in time arguing with them than it was worth. But it was under €100. Not sure about the others. But none use Revolut anymore except for small stuff.

It's a pity it has such issues as it is handy for passing money over without hassle for small things.

I suspect many more get caught out, but don't argue or go public.
 
Fraud is run by organised crime groups on an industrial scale on other continents. There are literally call centres with IT departments.

People should bear this in mind when thinking about their own vulnerability and likelihood of fraudsters being tracked down.
 
I came across the following passage in the EU payment services directive. It references that the maximum someone would have to pay towards being a victim of fraud is 50eur, or 0 where they had no knowledge etc. provided that they were not grossly negligent. Obviously Revolut and the likes are dissatisfactory with these events and unfortunately only a complaint to the ombudsman gets them to pay up after their systems or teams don't talk to each other and refuse, refuse, refuse to refund their customers and one should take extra precautions to avoid getting into that mess. But I was wondering if the below applies in the above case of fraudulent transactions or where a phone is pickpocketed. The ombudsman say they don't give advice and they referred me to the CCPC, however the CCPC are not even acknowledging my emails (my question to them was specifically on the latter type of fraud.) Anybody any ideas on this or who might advise?

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366

(70)

In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions, the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions, provided that the payment service provider has fulfilled its information obligations under this Directive. If the notification deadline is met by the payment service user, the payment service user should be able to pursue those claims subject to national limitation periods. This Directive should not affect other claims between payment service users and payment service providers.

(71)

In the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, where there is a high suspicion of an unauthorised transaction resulting from fraudulent behaviour by the payment service user and where that suspicion is based on objective grounds which are communicated to the relevant national authority, the payment service provider should be able to conduct, within a reasonable time, an investigation before refunding the payer. In order to protect the payer from any disadvantages, the credit value date of the refund should not be later than the date when the amount has been debited. In order to provide an incentive for the payment service user to notify, without undue delay, the payment service provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a very limited amount, unless the payment service user has acted fraudulently or with gross negligence. In that context, an amount of EUR 50 seems to be adequate in order to ensure a harmonised and high-level user protection within the Union. There should be no liability where the payer is not in a position to become aware of the loss, theft or misappropriation of the payment instrument. Moreover, once users have notified a payment service provider that their payment instrument may have been compromised, payment service users should not be required to cover any further losses stemming from unauthorised use of that instrument. This Directive should be without prejudice to payment service providers’ responsibility for technical security of their own products.

(72)

In order to assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all of the circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. However, while the concept of negligence implies a breach of a duty of care, gross negligence should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties. Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered to be null and void. Moreover, in specific situations and in particular where the payment instrument is not present at the point of sale, such as in the case of online payments, it is appropriate that the payment service provider be required to provide evidence of alleged negligence since the payer’s means to do so are very limited in such cases.
 
Update:

I reported it to the Guards, they took a statement, but I don't think anything can be done from their end. I just wanted to report it. I had a call booked for 10.50 this morning with Revolut, but it never happened! Just wondering what next steps to take, I have tried again and again on the app today to see if someone can take my case seriously but to no avail. I might try the CCPC as mentioned. I read somewhere to follow up with Revolut in writing with all of my information, not sure if that will help, it's just shocking how they deal with customers. I might just contact the Irish Independent as my sister-in-law sent me an article from the Irish Independent this evening about a cyber security expert who had €5000 taken from Revolut all while he slept! Same situation!
 
Update:

I reported it to the Guards, they took a statement, but I don't think anything can be done from their end. I just wanted to report it. I had a call booked for 10.50 this morning with Revolut, but it never happened! Just wondering what next steps to take, I have tried again and again on the app today to see if someone can take my case seriously but to no avail. I might try the CCPC as mentioned. I read somewhere to follow up with Revolut in writing with all of my information, not sure if that will help, it's just shocking how they deal with customers. I might just contact the Irish Independent as my sister-in-law sent me an article from the Irish Independent this evening about a cyber security expert who had €5000 taken from Revolut all while he slept! Same situation!
Get a final letter from Revolut, then submit a complaint to the financial ombudsman. Revolut refunded me (a much smaller amount) months after the fraud only when the ombudsman contacted them, so not sure that will work, but you can try.
 
It would be great if someone (like Conor Pope) would write a proper article about these scenarios. What we currently get is half the story, a bit of innuendo, and moaning about having to deal with a chatbot.

The biggest issue is finding out how the fraudsters obtained the card details. There is something that all of these victims have in common and that’s what needs to be ascertained. The fraudsters did not guess their card details.

- Have all of these victims fallen for an An Post or eFlow text scam?
- Have all of these victims ignored iPhone/Android software updates meaning that their devices aren’t secure?
- Have all of these people purchased goods or services from the same rogue business and provided their card details over the phone?
- In the UK, organised crime gangs put people working in the banks to facilitate crime; are there fraudsters working in Revolut or somewhere else that’s relevant in the transaction chain?

Someone needs to investigate this issue properly. These people’s Revolut card details have been added to Apple or Google Pay. The tooth fairy didn’t fly in their bedroom window and get the numbers and dates, which must be Revolut’s argument. Something has happened, some interim step that Conor Pope etc seem to routinely ignore in articles.
 
Update:

I reported it to the Guards, they took a statement, but I don't think anything can be done from their end. I just wanted to report it. I had a call booked for 10.50 this morning with Revolut, but it never happened! Just wondering what next steps to take, I have tried again and again on the app today to see if someone can take my case seriously but to no avail. I might try the CCPC as mentioned. I read somewhere to follow up with Revolut in writing with all of my information, not sure if that will help, it's just shocking how they deal with customers. I might just contact the Irish Independent as my sister-in-law sent me an article from the Irish Independent this evening about a cyber security expert who had €5000 taken from Revolut all while he slept! Same situation!

Good idea to contact The Irish Independent. There needs to be more publicity for these cases. Charlie Weston is the best contact. His email address (which is available online publicly) is cweston@independent.ie

As others have said the best action is to get a final response letter from Revolut in writing and then to go to the Ombudsman.

In an ideal world, if you could afford it, it would be good to get an IT security expert to look at your phone and see if they can decipher a cause.
 
Update:

The Irish Independent as my sister-in-law sent me an article from the Irish Independent this evening about a cyber security expert who had €5000 taken from Revolut all while he slept! Same situation!

It's just scary this can happen to a cyber security expert, not much hope for rest of us mere mortals so.
 
It's just scary this can happen to a cyber security expert, not much hope for rest of us mere mortals so.

Regarding the prior case of the 5k that the so-called "cyber security expert" lost - he almost certainly had his entire phone compromised - he admitted that this phone was doing other random things like constant reboots - cause was likely phishing or crypto wallet related. The Reddit thread on that person's issue has some interesting perspectives:
 
Instead of relying on, perhaps questionable, anecdotal reports maybe some systematic analysis of actual or potential security vulnerabilities with Revolut exists? I found this (from 2021 so maybe not completely up to date?) in case it's of any use? However, at a glance I'm not sure how independent it is ("Our focus is to analyze the security behind the magic of Revolut and face the challenges that come along." sounds like marketing BS):

 
Instead of relying on, perhaps questionable, anecdotal reports maybe some systematic analysis of actual or potential security vulnerabilities with Revolut exists
It is not just anecdotal:

"Revolut had more fraud complaints in the second half of last year than any other U.K. bank, according to data seen by Bloomberg. . .
In nearly half of the cases against Revolut last year reviewed by the FOS, the ombudsman ordered the fintech to reimburse customer losses, according to data seen by Bloomberg"



Someone needs to investigate this issue properly.

It is Revolut who should investigate these issues properly.
And it is the Regulators who should force them to do so.
 
It is not just anecdotal:

"Revolut had more fraud complaints in the second half of last year than any other U.K. bank, according to data seen by Bloomberg. . .
In nearly half of the cases against Revolut last year reviewed by the FOS, the ombudsman ordered the fintech to reimburse customer losses, according to data seen by Bloomberg"


I was referring to anecdotes about the technicalities of such incidents and how better to get a handle on those in order to understand why they're happening. I suspect that many are due to negligence on the part of users but maybe some are due to systemic security flaws with Revolut's tech?
 
It is not just anecdotal:

"Revolut had more fraud complaints in the second half of last year than any other U.K. bank, according to data seen by Bloomberg. . .
In nearly half of the cases against Revolut last year reviewed by the FOS, the ombudsman ordered the fintech to reimburse customer losses, according to data seen by Bloomberg"





It is Revolut who should investigate these issues properly.
And it is the Regulators who should force them to do so.
Part of that is just because of how widely used it is. Most people I know use Revolut in some capacity regularly even if it is only for transferring money to friends/family. If you run a phishing attempt trying to catch people out by saying their Revolut card/account has been compromised then you will catch more people than if you used another bank like BOI, AIB, PTSB, EBS, N26 etc. I imagine it is the same in the UK.
 
It’s easy to compare apples and oranges here and we shouldn’t.

The customer profile and user habits of a legacy bank and a fintech are just really different.

Types and patterns of fraud will vary massively too even when carried out by the very same organised crime groups.
 
I contacted the CCPC.

They said to make a formal letter of complaint to Revolut either in writing or by email (their address is Lithuania). They then have 5 days in which to acknowledge the letter with a final response letter and give me the name of a person working there that I can contact. I can then take it to the FFPO.

Then they suggested to contact Econsumer . org to report the issue to them - Econsumer.gov, a project of the International Consumer Protection and Enforcement Network (ICPEN), is a partnership of more than 65 consumer protection agencies around the world. Report international scams and take more steps to resolve your complaint.

They said I should make myself aware of Revolut code of practice that I signed up to.

They also told me Revolut is regulated by the European Central Bank - Consumer protection code 2.1 code, it requires them to act honestly, fairly and professionally in the best interests of their customers...

Revolut have 5 days in which to respond to my letter of complaint; if they don't, they then have 20 days to let me know how it's progressing,
and finally 40 days for them to issue me with a final decision.
 
It would be great if someone (like Conor Pope) would write a proper article about these scenarios. What we currently get is half the story, a bit of innuendo, and moaning about having to deal with a chatbot.

The biggest issue is finding out how the fraudsters obtained the card details. There is something that all of these victims have in common and that’s what needs to be ascertained. The fraudsters did not guess their card details.

- Have all of these victims fallen for an An Post or eFlow text scam?
- Have all of these victims ignored iPhone/Android software updates meaning that their devices aren’t secure?
- Have all of these people purchased goods or services from the same rogue business and provided their card details over the phone?
- In the UK, organised crime gangs put people working in the banks to facilitate crime; are there fraudsters working in Revolut or somewhere else that’s relevant in the transaction chain?

Someone needs to investigate this issue properly. These people’s Revolut card details have been added to Apple or Google Pay. The tooth fairy didn’t fly in their bedroom window and get the numbers and dates, which must be Revolut’s argument. Something has happened, some interim step that Conor Pope etc seem to routinely ignore in articles.
In one case I heard on the radio, the person who was defrauded received a call from the scammers, purporting to be their bank (Revolut). They said they trusted the caller because they were able to list their last few transactions. They then went on to describe how they were scammed out of the money in their account. Not one person on the radio segment referred to the fraudsters knowing the transactions. To me it appears that the account was already compromised, and all the fraudsters needed to do was to scam the user into approving a fake transaction.
It appears to me that the only ways they could have known the transactions are:

(1) User's account was already compromised via phishing (or device hack)
(2) Family or friend had access to the account
(3) Fraud within Revolut
(4) Technical "hack" of Revolut

(IMO - listed in order of likelihood)
 