Fraud accounts for 41 per cent of all reported crime in the UK and as much as £1.17 billion was stolen by scammers last year, according to the trade body UK Finance.
This makes it the most common type of crime — and I am one of the world’s leading experts on it. Why? Because I used to be a prolific fraudster and spent more than 25 years stealing money and services worth many millions of pounds.
Some of my frauds were theatrically audacious. I once spent seven months living free of charge in five-star hotels in central London, posing as the 13th Duke of Marlborough and demanding that invoices were sent to Blenheim Palace. Other frauds were immensely cruel and damaging, fleecing some of my victims of their life savings and causing them to become seriously unwell. The harm I caused still haunts me.
• Fake duke jailed for fooling five star hotels with Fawlty Towers con trick
I was in prison three times over 17 years — for a total of eight years, each spell longer than the last. When I was finally released in January 2022, I knew I had to change. I started sharing my insights with law enforcement, banks, the government and, perhaps most importantly, with members of the public. I have just started working with BBC Radio 4 on a podcast called Scam Secrets.
Here’s what I know
One of the most highly damaging types of fraud is an authorised push payment (APP) scam. This involves a fraudster contacting a victim, usually by telephone, pretending to be a bank employee or a police officer, convincing the victim that their money is at risk and instructing them to transfer it out of their account into a “safe” account.
This method can net a vast amount of money very quickly and doesn’t leave much evidence. Between 2017 and 2018 the police estimate that I stole as much as £50 million by committing APP fraud. I didn’t know or care at the time, but I was leaving a trail of absolute chaos in my wake.
Once, during the course of a 40-minute phone call, I stole £1.2 million from a family-run construction company. It caused utter devastation. I took all the money they had, leading to scores of redundancies.
My gang targeted small-to-medium-sized family-run construction companies because we figured that they could have several million pounds in the bank but wouldn’t have sophisticated accounting procedures. And, unlike a law firm, for example, they would not require multiple signatories to authorise online bank transfers. I would be able to focus all my energy on one person and not have to worry that somebody else might smell a rat. The isolation of a victim is key to a successful fraud.
I called the company’s switchboard and asked the receptionist to put me through to the accounts manager. The number that the receptionist saw on her phone was the correct number for their bank’s fraud department — I had “spoofed” the phone number using a free app which, unbelievably, is still available to download, despite it having no legitimate use.
Wood spent a total of eight years in prison
REFORM COURSES
When the accounts manager (let’s call her Sally) answered her extension, I explained that I was calling from the bank’s fraud team and that we had noticed an unusual transaction which we needed to verify. I gave my name as somebody who genuinely worked for the bank (I had found his name and job title on LinkedIn) and invited Sally to Google the number she could see on her phone display to satisfy herself that I was genuine.
Sally tapped away on her computer and, after a few seconds, sounded reassured. “Phew, you’re genuine,” she said, “you can never be too sure these days”.
I asked Sally whether she had attempted to transfer £45,000 to a Mercedes garage in Dundee (several hundred miles away from their office). Naturally, she replied that such a payment was unauthorised so I reassured her I would block the transaction. Her nervousness gave way to relief as I was able to help her. She thanked me over and over again.
• Read more money advice and tips on investing from our experts
“Sally,” I said, “we need to understand why this suspicious transaction has appeared out of the blue. It is possible you have a virus on your system which is causing this to happen. Have you had any suspicious emails recently, or have you noticed your system running slow or buffering from time to time?”
This is an example of the Barnum-Forer effect, a psychological phenomenon whereby people are given scenarios that are supposedly tailored to them, but could equally apply to many other people. We all get junk mail in our inboxes, and whose computer doesn’t run slow or buffer? I knew that Sally would say yes and panic that there could indeed be dangerous malware on her system.
‘Sally didn’t stand a chance’
I then told her that we would need to make some test payments to check whether a virus was interfering with the transactions. If we found a virus we would be able to create a patch to keep the company safe.
Sally, by now baffled with technical jargon, asked me how long all of this would take because she needed to pick her children up from school. I reassured her that I would be as quick as possible but the priority had to be keeping our valuable customers safe from fraudsters.
• The rise of fraud in the UK
What I said next is an example of the cruel and sophisticated social engineering that fraudsters use.
“Sally, I am shortly going to ask you to log into your online banking platform and make a series of test payments. Your account will be in a test environment while we make these dummy transactions, but they will look just like genuine payments. This requires you to trust me. So, if you are in any way worried that I might not genuinely be calling from the bank, we can end this call now and I can arrange an appointment for you to visit the branch with your usual desktop computer so we can carry out the tests in person.”
Sally paused.
“OK I’m happy to continue with this and I trust you. I’ve verified the number you’re calling from, I’ve checked your name online … and you can’t possibly be a fraudster because what scammer in his right mind would give me the opportunity to end the call. We’re always told that fraudsters will rush us and you haven’t done that either. So yeah, let’s get these tests done but please hurry up as otherwise I’ll have to put the kids in after-school club and that’s so bloody expensive.”
Over the next 20 minutes I instructed Sally to make transfers to what I told her were “randomly generated test accounts”. Over and over again, until every single penny had left the company bank account. At the end of the call, I told her we had identified and successfully patched the virus. Everything was back under control and she could go and collect the kids while I restored the balances to their pre-test values. Sally thanked me profusely and we ended the call.
When I telephoned Sally that day, she did not stand a chance. She was hopelessly duped by an expert career fraudster, despite carrying out reasonable checks as to my identity.
My co-conspirator, an expert money launderer, went to work withdrawing the cash from the accounts that Sally had inadvertently funded and we drove to Harrods and blew the lot. I remember the spree with a deep sense of disgust.
In court, Sally said that during those 40 minutes she had transferred more from the company account than she was likely to earn through her entire working life. She told the court that every time her phone rings she panics and feels sick to the pit of her stomach. She finds it hard to trust anybody and has lost all her confidence.
I have never forgotten her words. I am ashamed, more than words can possibly express, of the man I used to be and I now use all of my energy to help stop people like that man, running fraud awareness courses and advising banks and governments on how to prevent scams.
• Fraudsters stole £260k from Colin before he died. We called them up
Here’s how to stop people like me
Given the sophistication and ruthlessness of such gangs, it is entirely right that the banks are now obliged to refund customers under the APP reimbursement scheme, up to a limit of £85,000. The scheme is mandatory for all banks and financial institutions in the UK. They must pay back victims, with the liability shared equally with the sending and receiving banks of fraudulent payments.
The scheme has incentivised banks to develop far better transaction monitoring technology — for example, banks can tell how we are holding our phones when we are making payments in case it is at a different angle to usual. They can tell if a transaction is taking longer than normal, or if a phone call is taking place at the same time, which would indicate that the customer was being instructed by a third party to make the payment.
But despite this, fraudulent payments continue to be made, and victims continue to report staggering losses.
Fraudsters won’t give up, they will keep coming up with new ways to get their hands on your money. Perhaps it is time to abandon the faster payment systems altogether and revert to a four-day clearance cycle — banks are at a serious time disadvantage when payments clear within seconds.