Phishers force UK banks to delay payments

Four of the UK's largest banks have started delaying the time it takes to make an online bank transfer in an attempt to clamp down on phishing fraud.

At the weekend, The Times named four banks - Barclays, NatWest, HBOS, and the Royal Bank of Scotland - as having introduced new procedures for transfers between bank accounts at the same bank. There are already natural delays for transfers between different banks, so it is believed phishers had started using local accounts to speed the theft of funds before fraud could be detected.

Emma Keens, a spokesperson for Barclays, confirmed to Techworld that the bank had adopted the new transfer system, reversing its previous facility of instant intrabank transfers. From now on, making such a payment would take a full working day, but would only affect customers the first time they set up a new beneficiary, leaving subsequent transfers to that account to go through as normal, she said.

"We've put more checks into it. It's about putting safeguards in place," she added. She could not confirm the precise nature of the new checks carried out, but one can assume that it involves an analysis of the linked account to see by whom it was set up, and which external beneficiaries are configured on that account.

As far as Keens was aware, Barclays had introduced this check last week on a unilateral basis, but the fact that several big names have gone on the record about the new system suggests a degree of coordination in making the information public.

What is less clear is the response of other banks. If one group of banks makes life harder for phishers, there is every chance that the phishers will simply migrate to those institutions that still allow instant intra-bank transfers. This raises the question of introducing consistent standards across the industry, but there does not yet appear to be any industry-wide appreciation of this.

"There is no way we can mandate industry-wide on this because each bank will have its own systems," said Sandra Quinn of the Association for Payment Clearing Services (APACS), the UK body with the responsibility to monitor issues such as card fraud. As far as the organization was concerned, account and payments checking was a matter for each individual bank and did not come under the body's remit.

She welcomed the move, however, and suggested that it would make the use of "mule" accounts (where legitimate account holders are bribed to act as intermediaries for stolen funds) much harder. Banks would now have the time to check on beneficiary accounts tied to innocent-seeming accounts.

APACS figures for 2004 showed UK phishing fraud to be running at £12 million.