Here's the one surprising lesson I learned as a victim of debit card fraud

There's a good reason why the bank didn't tell me it was happening...
Written by Charlie Osborne, Contributing Writer

It was bound to happen eventually. I became the latest in a long list of people who have had their bank account compromised and cash stolen.

Just as any other typical morning. I sat with a cup of tea in one hand, cat on lap, and gazed at the daunting prospect of going through my emails. By curiosity, I decided to check out my online banking to see if a deposit I was expecting had landed.

That's when the fun began.

Not only was the deposit still missing, but in black and white was evidence that my debit card was being used without my knowledge or consent -- as well as a reason why the bank hadn't caught on and told me.

Work on hold, gut-wrenching panic, copious swearing, and an abandoned cup of tea later, I grabbed my phone. The moment I mentioned "fraud" to the operator I was whisked away to a team where, as a small mercy, I was not subjected to crackling, horrendous classical music tracks which are meant to soothe but actually enrage you -- and instead I was only on hold for seconds.

Before going any further than listing my banking details and the answers to security questions, the advisor barked the same standard legal advice that I, myself, have ironically spouted in how-to guides in staying safe online. (Just in case you'd forgotten, the advice is rather standard: you shouldn't make any purchases from suspicious websites, you should keep your PCs free from malware, you shouldn't be daft enough to post pictures of your credit cards online and, of course, phishing emails are always a bad, bad thing.)

That part of the checklist over, the operator transformed from a machine into a sympathetic human ear.

But one question remained unanswered. Why was it chance, rather than a fraud alert, which led me to this stage?

There are countless ways these days that someone can take your hard-earned cash or damage your credit. The use of malware and keyloggers designed to steal your credentials, skimmers which pinch the information on your card at an otherwise trustworthy retailer's point-of-sale (PoS) system or the old-fashioned but still noteworthy ATM card cloner are just a few of the tools currently used in fraud today.

I've listened to the cases of my nearest and dearest, friends and colleagues who have gone through this nightmare experience. Some know the perpetrators as vengeful ex-wives and husbands, rogue friends with sticky fingers and addictions to online shopping, and some simply don't know how it happened or who was helping themselves to their cash.

I can point a finger to how, in my case, although it isn't too steady at this time. I have a few "connections" who would revel in delight at causing me such trouble but I don't believe any of them have the skill set or knowledge to do so -- and so when my bank card details suddenly were being used without my consent and money began to flow away from the safe confines of my bank account, I had to place it at the blame at a petrol station ATM I used a few weeks ago.

However, in truth, I don't know.

The other options, which may also be valid, don't bear thinking about; at least until I have evidence pointing beyond stolen cash and towards the possibility of a far more damaging prospect: identity theft.

Top 5 security practices in staying safe online: From the experts

I was always under the impression everything was in hand. I have a subscription to a credit monitoring service which keeps an eye on my credit score for me and alerts me if anything changes -- which is one of the first indicators that you have someone who admires your identity so much they decided to wear it for the purposes of credit card and loan applications.

Aside from that, my bank, Lloyds, has a fraud team which monitors accounts for any dodgy dealings which may suggest fraud (as I learned at 2am one dark morning when paying for a New York hotel stay).

I'm in the middle of renovating my property and so there are more transactions than usual -- and many for small, daft things like sink sponges and wallpaper paste. Hidden among these transactions was one, labelled as from a telecoms service which I have no connection to.

However, the amount was so small I simply thought: "It's me being stupid. The name is probably from some other company and I've just forgotten what it was that I bought."

I ignored this sign, but the devil is in the details.

This "authorized" payment became one of many suddenly flooding my account. A few pounds here, twenty pounds there -- all of which are small enough amounts that not everyone would notice immediately, but together, can cause utter chaos.

The operator who looked into my account found it peculiar, as did I, that the transactions which had already been authorized all came from telecommunications operators that I have nothing to do with, including EE and Three.

Upon examining the account further, it seemed like these were not the only strange things taking place. Over the course of just a few days, a high number of "test transactions" had been made to the account.

These "tests" do not appear on your statement, and instead, are used by companies to make sure money is in your account before pushing through transactions of higher amounts.

We don't usually see them or know they are there, but banks do.

According to the operator, over 40 had been recorded -- which was unusual in itself -- and indicated that unless the card was frozen and destroyed now, my account could very well be hit with a fresh barrage of money requests which would beggar the account entirely.

In other words, this was the fraud before the storm.

Lloyds, and many other banks, rely on automated systems to detect fraud. While the bank refused to go into any details concerning my case or fraud detection as a whole, the bank did say it "takes fraud prevention seriously" and "invests heavily in detection systems to ensure robust controls are in place to safeguard our customers."

So why wasn't this fraud stopped?

To me, although I have little proof, it was simply too soon in the process for anything but the customer's own eyes to detect. The preliminary amounts of £10 to £20 appear to be top-ups which can be used by cloned cards -- and are also within the payment limit of contactless payment systems which do not require a PIN number for use.

I spoke to one of the telecoms firms, Three, who after a debate among themselves came to the general consensus someone in Glasgow is currently enjoying a phone topped up thanks to my paycheck, and it was likely either a contactless payment through a manufactured card or internet transaction.

A perfect test-bed, certainly, to see if an account could support larger fraudulent payments without a problem.

This was the lesson. Small transactions can herald bigger problems. The reason why the bank didn't catch on before I did is that the fraud had not reached a level which triggered algorithms and detectors.

When it comes to the test payments, I cannot say why problems were not picked up. It may have been that there is no backend monitoring system for these particular processes, or that the volume of my recent transactions because of the house turned Lloyds away from the scent.

In my case, there not only is an unknown amount of transactions which were, no doubt, just about to batter my account -- but ones that have already reached the "pending" stage will have to clear before I can be refunded. So, despite catching it early, having a card cancelled and money flitting in and out has still caused a host of problems.

I learned a lesson thanks to this experience. If there is even one small, strange transaction on your account, ring your bank. For the sake of a phone call, whether you think it may just be you being stupid or forgetful, you could stop fraud snowballing into empty accounts, missed mortgage payments and bounced direct debits which can cause you more stress and anguish down the line.

We can no longer ignore even the tiniest indicator that something is wrong as I've learned -- but a quick check is all it took to stop matters becoming much, much worse.

Editorial standards