In the first half of 2016, criminals managed to steal £400m from UK bank accounts – a 25% increase in just a year.
Largely that was driven by fraudulent use of debit and credit cards, and phishing scams, where criminals persuade customers to give away their passwords or banking details.
In some of these cases, account-holders play a part in giving away such information.
However, the Tesco case is very different. It appears that the criminals may have been able to get into the bank’s systems without any input, or leak of information, from individual customers.
So, while anti-fraud campaigners habitually tell us to take five minutes to assess the veracity of a call from someone claiming to be the bank, in this case there may be few obvious precautions that customers can take.
At this stage, it is also unclear who, or what, alerted Tesco to the breach of security. Was it the bank’s own computer systems, or was it a number of customers who noted dubious transactions on their accounts?
“In an ideal world, the bank would notice,” says Piers Wilson, head of product management at Huntsman Security, which monitors cyber-security across industry.
However, if it was the customers, there would seem to be a heavy onus on vigilance by individuals.
“There is a need for us all to be vigilant,” says Mr Wilson.
“While we expect banks to do this, there is a responsibility on the individual to check their account.”
In some cases, relatively small amounts of money were taken from Tesco account holders, making detection even harder.
However, that could strengthen the case for checking statements on a regular basis.
“It is a good idea to regularly check your bank statements for any unusual activity, as criminals often make small but regular thefts which are harder to spot than larger one-off purchases,” said Jody Baker, head of money at Comparethemarket.com.
But since Tesco has insisted it will refund anyone who has been a victim of this attack, there is currently no obvious incentive for account holders to do so.
Last month, consumer body Which? carried out some research on banks’ online security, and declared that some of the High Street banks could do more to protect customers’ personal details.
Lloyds, Santander and TSB scored poorly in their tests, although they each disputed the findings. However, Tesco was not part of the Which? investigation.
The key factor, said Which?, was for banks to have two layers of security:
- A password or PIN
- A single-use password, generated by a card-reader or mobile phone
However, in the case of Tesco, it is not known what security was breached, or how it was carried out.
In any case, says Mr Wilson, “It is difficult to say whether one bank is better than another.”
In the meantime, tens of thousands of Tesco account holders are left with uncertainty over whether online payments will be honoured.
“Customers who have had their online payments frozen and are due to make one today should contact the company or person they’re paying, and let them know there may be a delay,” says Tashema Jackson, money expert at Uswitch.com.
“This is especially important for those making credit card, loan, or mortgage repayments, as failure to make that payment could impact your credit file.”