Revolut customers say e-money firm failed them after being scammed

A man who had £165,000 stolen from his Revolut business account by fraudsters has told BBC Panorama he believes the company’s security measures failed to prevent the theft.

He says criminals managed to bypass the ID verification process to gain access to his account.

So far, Revolut has refused to refund this money.

The BBC has found that Revolut was named in more reports of fraud in the last financial year than any of the major High Street banks.

The e-money firm – which has not yet been granted full status as a bank – says it takes fraud incredibly seriously and that it has “robust controls” to meet its legal and regulatory obligations.

Revolut is among a number of new digital-only financial institutions that offer all their services online or through an app – there are no branches to go to.

The firm has grown rapidly and amassed more than 45 million customers worldwide, of which nine million are in the UK. It almost tripled its revenue to £1.8bn in 2023. Its accounts are quick to open and offer competitive foreign exchange rates in an easy-to-use app.

These were the features that attracted Jack – who runs an international business and needs to hold multiple different currencies – to Revolut.

Jack, who asked us not to use his surname, told us he was also reassured by the security features Revolut promote in their advertising.

In February, Jack was in a co-working space when he received a phone call from a scammer pretending to be from Revolut. He was told he was being called because his account might have been compromised through being on shared Wi-Fi.

Jack was tricked into handing over enough information to allow the scammers to put his Revolut account onto their device. This meant they could see all his previous transactions, including a purchase at the online retailer Etsy that morning.

While Jack was still on the phone to the scammers, a text message from Revolut arrived, asking him to confirm the exact same amount he had spent – £21.98 – by typing in a six-digit security code.

He said, “Yes, that was me,” and read out the code to the scammers.

What Jack didn’t realise was that they had set up their own account – also called Etsy – and by sharing the code Revolut had sent him, he was authorising a new payment to their fake account instead.

Two similar texts followed to authorise payments of small amounts to two further fake accounts, called “Revolut fees” and “Revolut fees care”. Jack also approved these – which meant he had been tricked into setting up three new payees.

This opened the floodgates and thousands of pounds began to fly out.

As soon as Jack realised he was being scammed, he contacted Revolut – but there was no dedicated helpline, just a chat function deep within the app.

“I messaged them saying, ‘I’ve been scammed, please freeze my account,’” he told the BBC.

It took 23 minutes to reach the right department that could freeze the account, during which time another £67,000 had been taken.

Jack is now out of pocket by £165,000. He thinks Revolut’s systems failed him in several ways.

He believes criminals managed to bypass facial-recognition software to gain access to his account on their device. If an account is set up on a new device, Revolut asks for a selfie, which Jack says he did not provide.

Jack says he asked Revolut to show him the image used to authorised the new device. They eventually told him that it wasn’t stored in their system, so there was no way of proving what the fraudsters had done, or what photo was used.

Panorama investigated this apparent vulnerability and found that it appeared to have been fixed.

Jack also believes the fact that 137 individual payments were being made to three new payees in the space of an hour, should have raised concerns with Revolut.

Most banks and financial institutions monitor customers’ accounts for unusual activity.

“If somebody is suddenly processing a vast amount of transactions and a ton of payments to a new account, it is something that is a red flag – and banks should typically start to investigate some of that behaviour,” says Nina Kerkez, a fraud specialist at data analytics company LexisNexis Risk Solutions.

“[They should] call their customer, send them a text message, engage in some way to ensure those transactions are legitimate.”

Last year, the UK’s national reporting centre for fraud and cyber-crime Action Fraud, received almost 10,000 reports of fraud in which Revolut was named, according to a Freedom of Information (FOI) request submitted by Panorama.

That is 2,000 more than Barclays, one of the biggest banks in the UK, and double that of Monzo, a competitor of similar size to Revolut.

Panorama spoke to eight former employees to try to understand Revolut’s work culture, and two issues came up again and again – Revolut’s insatiable appetite for growth, and a high-pressure environment.

“Protecting Revolut from being used for financial crime always played second fiddle to the desire to launch new products and to get existing customers to use products more,” an insider, who wished to remain anonymous, told us.

Fraud is a problem for all banks and scams continue to net hundreds of millions even while the technology to defeat them improves.

In order to protect customers, financial companies do extra checks but sometimes these security steps can get in the way of a smooth customer experience.

Revolut says it has a “high performance culture” with an “expectation to deliver good customer outcomes” and that all new product launches involve comprehensive risk assessment and governance approval processes.

It also says it has “invested heavily” in its financial crime prevention team, which now makes up more than a third of its total global workforce.

Britain’s Newest Bank: How Safe Is Your Money?

Reporter Catrin Nye investigates the stories of Revolut customers who say scammers took tens of thousands of pounds from their accounts, and that Revolut failed to protect them.

Watch on BBC iPlayer or on BBC One on Monday 14 October at 20:00 (20:30 in Wales and Northern Ireland)

Revolut says it cannot comment on Jack’s case as it is being looked at by the Financial Ombudsman Service.

In 2023 the ombudsman received about 3,500 complaints about Revolut, more than any other bank or e-money firm.

“[This] shows that actually Revolut aren’t doing enough to act in this area,” says Rob Lilley-Jones, from consumer group Which?

He says that Which? does not recommend banking large sums of money with the firm.

“They have a track record of not reimbursing people who fall victim to fraud or find themselves in this incredibly difficult situation, [and] of money being taken from accounts even after scam activity has been reported.”

Revolut says that each potential fraud case is carefully investigated so it can evaluate the full circumstances and make the most informed decision.

Earlier this month new rules came in to make all banks and electronic money institutions reimburse victims of fraud.

The majority of scam victims will now be reimbursed their money automatically up to the value of £85,000, with refunds split 50-50 between sending and receiving firms.

This could prove costly for Revolut.

“We hear from customers consistently that they’re told to set up Revolut accounts when they are becoming the victim of a scam,” says Will Ayles from Refundee, a company specialising in fraud recovery.

“It might be safe to draw the conclusion from that, that fraud victims are told to set up Revolut accounts because fraudsters find it easier to move money through Revolut than any other bank.”

When someone is tricked into transferring money to a fraudster it is known as an authorised push payment (APP) fraud. It’s the most common type of financial scam in the UK.

Last year, figures from the Payment Systems Regulator show that for every million pounds paid into Revolut accounts, £756 was from APP fraud.

That is more than 10 times the amount for Barclays and four times more than Monzo.

Revolut says it takes fraud incredibly seriously, and has approaches to tackle it, including delaying payments, “to allow customers to stop, think and complete additional checks”.

It also says it has recently announced “a new biometric identification feature” and “an advanced AI-scam detection feature that protects customers against card scams”.

In July this year, the UK banking regulator granted Revolut a provisional banking licence, and it is now on its way to becoming a fully-fledged bank.

This means that if Revolut were to go bust, customers’ deposits would be guaranteed up to £85,000 per person.

Until then, it will continue to operate as an electronic money institution or e-money firm.

However, becoming a bank means it will be able to extend credit to customers via credit cards, overdrafts and mortgages.

“This means the stakes are higher for their customers if they’re targeted by a scammer,” says Rob Lilley-Jones.

“I think there might be a political element to Revolut’s licensing, because it’s becoming of a size to challenge High Street banks,” says Frances Coppola, a financial journalist and expert on banking risks and regulations.

“I think no government would want to have something of that size playing fast and loose with the rules.” However, she adds: “I suppose you could question, given there are so many complaints, whether Revolut should have a licence.”

The Treasury says the decision on whether to grant Revolut a banking license lies with the independent regulators. They declined to comment to Panorama.

Revolut says that it abides by the same regulatory standards as any High Street bank, and it is sorry to hear of any instance where customers have been targeted by criminals.

It says it cut fraud by 20% last year but acknowledges “there is always more to do”.

• Customers can complain about any regulated firm to the Financial Ombudsman Service, which can settle disputes and order firms to pay compensation
• Mandatory Reimbursement Requirement regulations were brought in on 7 October 2024
• They will cover the vast majority of UK money transfers up to £85,000, with the exception of international transfers or those involving cryptocurrencies
• The new measures protect individuals, microenterprises – with fewer than 10 employees – and charities with an annual income of less than £1m
• BBC Action Line has more resources