What would you do if you received an email tomorrow morning, telling you that your £4,500 loan has gone through, the money would be in your account today, and that somebody from the customer care team would be in touch shortly to check that the process had been smooth and hassle free?

You might think of it as a nice customer services touch. After all, you’ve probably got plans for that money; a new car, a family holiday, home improvements, or just filling a bin-bag with Haribo and eating until you die of Insulin, whatever.

What, though, if you hadn’t applied for a loan, and this was the first you were hearing about it?

In that case you’d probably just write the email off as spam, especially if you looked at the reply-to address and noticed it was from a domain called protonmail.com, which provides secure, end-to-end encrypted, and untraceable email accounts. Into the trash, spammer!

Then, an hour later your phone rings, and it’s the customer services guy from the loan company, all preppy and cheerful, asking how the loan process went and could you answer a few questions, for their customer feedback survey. “What?”, “Who the fuck are you?”, and “I didn’t ask for a loan, why are you calling me?” might be among your first questions. The preppy loan guy is shocked by your potty mouth, but is a pro, and calmly tells you that the £4,500 was paid into your bank account in the last 24 hours. He tells you to go and verify this and gives you a number to call him back on.

You go and check your online banking and, sure enough, last night £4,500 that you weren’t expecting fell into your account, delivered there by a genuine loan company. Your phone rings again, it’s the world’s brightest customer services guy, phoning back because he’s concerned that the loan was news to you. Maybe this is some kind of scam, but he just can’t understand it. Why would someone scam you with a loan paid into your bank account? That makes no sense.

Never mind, if it’s a scam then it’s a stupid one. The loan company are very apologetic, but this is easily sorted. Just repay the loan to the bank account given in the email you received this morning and the whole thing will be cancelled and chalked up to “WTF?” What, you accidentally deleted that email? Never mind, here’s the account details. Repay the money and the loan company will do a thorough investigation into what happened. Tap, tap, tap, sorted. On with the rest of your day.

In case you’re wondering where this story came from, it happened to my wife, back in August.

Her interaction didn’t play out quite as above as, purely by chance, she’d checked her bank account on the evening of 10th August and seen the unexpected £4,500 in there, so by the time the email arrived she’d already spoken to the loan company and established that although they’d had an online application from someone using her name, address and bank account details, and that the mobile number and email address they held for her were not hers (the email was courtesy of our friends at protonmail.com again).

This meant that when the happy customer services guy rang her, and claimed to be calling from a company who she knew didn’t have her mobile number, he got told to fuck off in no uncertain terms. Likewise for the calls that followed – from the same number, from blocked numbers, from Spain, from a hotel in Biarritz (!). As the calls shifted geography they also shifted tone, from happy and helpful through to threatening legal action before reaching their final destination of just threatening.

In case you’re not following how this scam is working, it plays on three factors:

1. Getting a loan on-line is pretty easy and very low-risk. The details you need about the target aren’t exactly secret; their name, address, email, mobile number and bank account number. With a common factor, like an email address, you can pull these details together from multiple sources fairly easily, but…
2. Loan companies baulk at paying the loan into an off-shore numbered account, or depositing it as a carrier-bag full of fifties next to a bin in Hyde Park, so you need a way to get the money from the victim’s account to your own, and bank accounts are harder to hack into, but…
3. Most people, having found themselves the recipient of an expected loan, will want to do the right thing and repay the money. If you can convince them that they are doing this, while they are actually sending the money to where you want it, then you’re home and dry.

Even step 6 here is uncertain. Depending on your circumstances, and how tight a rein you keep on your finances, it might be a while before you even notice that the lender has set up a direct debit on your account, and start asking them why they’re still taking payments for a loan you repaid.

It’s a low-risk crime, with a nice long getaway time built into the back end. The police seemed uncertain what crime had been committed. They doled out a crime number, sent an email saying they’d call me wife back at time she was at work, and then never got in touch again. I think we can safely assume they’re not staking out that Biarritz hotel right now.

What we’ve learned from this is:

1. If you get an email saying your loan has been approved then do not ignore it.
2. Be sure that the people you’re talking to are who they say they are. Phone the lender yourself, using the details from their website, don’t trust that anybody claiming to be them is who they say they are.
3. Let the loan company and your bank sort out the money being reclaimed, don’t go making payments to a bunch of numbers passed to you over the phone.
4. As we’ll see when I write part 2 of this story, don’t assume that just because you get steps 1-3 right that your problems are anywhere near over.

The story continues here