What can you do if your bank refuses to reimburse you following a Push Payment Scam?

What can you do if your bank refuses to reimburse you following a Push Payment Scam?

A push payment scam happens when a cybercriminal tricks someone into sending them money online. And it’s more common than you might think. In fact, in 2017, UK bank customers lost more than £236m due to push-payment scams.

In most cases, the push payment scam is successful because the victim believes the fraudster to be genuine. For example, scammers often call people up claiming to be the police or the bank. They might state that someone is at risk of a security threat, and that they are calling to help stop it. In other cases, an email with an address that looks genuine could request payment (e.g. from a solicitor or tradesperson).

The money lost due to push payment scams can be devastating. For example, a mother and daughter In Kent were tricked out of their life savings after unknowingly transferring £113,665 to a criminal, rather than their solicitor.

Another woman was conned into losing her mother’s care-home fees after a criminal claiming to be from her bank’s fraud team flagged up unusual transactions on her bank account. The fraudsters ran through some security questions and extracted the information they needed to access her account and rename her current account “frozen”. When the woman went to check online, it did appear that her account had been locked. She was then asked to move her balance to a new “protected” account. However, when she called her bank to check the transfer had gone through, they knew nothing about it.

Historically, banks and other organisations have avoided paying push payment scam compensation to victims. And, because payments have been authorised by the customer, there has been little chance of redress.

So, can you get compensation for a push payment scam?

If you have been the victim of a push payment scam and need help getting your money back, there is some good news.

The industry has recently introduced stronger protections to help victims of push payment scams to secure compensation. It has also set out a new industry code designed to minimise the number of scams by encouraging consumers to remain vigilant.

What this means is that you can be confident that any claim for reimbursement will be given fairer and quicker consideration. And that your bank (or another financial provider) can only refuse to reimburse stolen funds where you have shown a very significant degree of carelessness. Crucially, banks should not automatically blame the victims of increasingly sophisticated scams and must take a fairer approach to compensation.

Where a bank still refuses compensation, you can take your case to the Financial Ombudsman Service.

If you want to claim compensation following a push payment scam, Hayes Connor can help. Our professional, friendly team will be pleased to answer any questions you might have, and advise you on whether you have a valid claim.

If you have a straightforward push payment scam case, our quick claims form will help you to start this quickly and easily. This means you receive your compensation in the shortest possible time. However, if we believe you have a large, complex case, we’ll go through your options and may be able to act for you on a NO WIN, NO FEE basis.

At Hayes Connor Solicitors we make sure you receive the maximum compensation possible in the shortest possible time. However, with strict time limits in place for making push payment fraud compensation claims, it’s essential to act now.


ticketmaster data breach claim
, ,

Ticketmaster Data Breach Worse Than Thought

Last week, Ticketmaster revealed a significant breach of user payment details after cybercriminals hacked the company’s website. The data breach affects Ticketmaster, TicketWeb and the resale website Get Me In!

Appallingly, it has since been reported that Ticketmaster knew about the data breach two months before it revealed its payment pages had been hacked, AND that some customers of the ticket sales company have had their cards used fraudulently.

To make matters worse, while Ticketmaster has declined to say how many of its customers have been affected – and is referring all press inquiries to its PR agency – early estimates predict that 40,000 people in the UK have had their payment details swiped. However, the number could be even higher.


The Ticketmaster data protection breach has compromised customer names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details. Digital bank Monzo believes that some Ticketmaster customers have had their cards used on money transfer service Xendpay, Uber gift cards and Netflix (among other items).

Along with the financial info stolen, the hackers also gained access to personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud.  For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

Signs that criminals have used your data following the Ticketmaster data breach include:

  • Bills or emails showing goods or services you haven’t ordered
  • Unfamiliar transactions from your account
  • An unexpected dip in your credit score
  • Unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

Crucially, it doesn’t matter if you haven’t lost out financially as a result of the hack. A personal data breach is a 21st-century version of being burgled and being the victim of a crime can have a significant impact on you mentally and physically. So, if the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation.


While Ticketmaster was the victim of a cyber-attack, it was responsible for protecting your personal information. So, if you have suffered damage or distress caused by this hack, you have a right to claim compensation.

According to Monzo, it warned Ticketmaster that it might be at risk as early as April, but an internal investigation failed to reveal any security issues.

Commenting on this case, Natasha Vernier, Head of Financial Crime at Monzo said:

 “On Friday 6th April, around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards.

“After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.”

As the matter intensified, between 19-20 April, Monzo sent out six thousand replacement cards to customers who had used Ticketmaster. However, on 19 April, Ticketmaster claimed that there was no evidence of a breach. It also said that no other banks were reporting similar security patterns.


Now having to defend this behaviour, Ticketmaster is blaming third-party supplier Inbenta for the security breach. And, it has been confirmed that the hack occurred due to a single piece of JavaScript code customised by Inbenta to meet Ticketmaster’s requirements. Identifying a weakness in this code, attackers used this vulnerability to extract customer information as they were paying for tickets.

However, the Inbenta CEO has said that:

 “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability.”

Either way, it is likely that Ticketmaster or Inbenta was negligent in safeguarding your data due to insufficient security systems. Just because they were a victim of a crime does not mean they are any less liable.

Worryingly, a senior software developer at a leading UK cybersecurity company has added:

“If the malicious actor had access to this ‘backend’ what else have they done and what dormant malicious code could still be residing ready to activate?”

 With data breaches on the rise, something has to be done to make big companies accountable for data losses, so claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.


UK customers who purchased, or attempted to buy, tickets between February and June 23 this year may be at risk, as well as international customers who purchased, or tried to purchase, tickets between September 2017 and June 23.

Ticketmaster has said that it has informed those involved. But, while it has offered customers free security software, it has not provided data breach compensation.

If you have been emailed by Ticketmaster and told that your details are at risk, make sure that by agreeing to any free offers, you are not inadvertently signing away your rights to make a data breach compensation claim.


With an ICO investigation now underway into the Ticketmaster data breach, whoever is to blame for this appalling data protection failure will no doubt have to pay a hefty fine. And, while the ICO does not award data breach compensation, our data breach solicitors can help you with that.

We have already been contacted by a high number of Ticketmaster customers who are worried that their personal data was not looked after as carefully as it should have been.

In response, at Hayes Connor, we are preparing to launch compensation claims for everyone who has had their data accessed in the Ticketmaster data breach. Depending on the numbers involved we may even start a group action against Ticketmaster.

To start your compensation claim, you will need you to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.

Data breaches often have severe consequences for those affected so you could be entitled to around £5,000 in compensation.


hayes connor solicitors

Can you make a data breach claim against Yahoo?

Yahoo has been fined £250,000 after 515,000 UK accounts were compromised. This comes following a sophisticated and persistent attack in 2014. The data protection hack led to user’s names, email addresses, telephone numbers, passwords and security information being stolen by cybercriminals.

Following the fine by the Information Commissioner’s Office (ICO), those affected should now consider a data breach claim against Yahoo.

What happened in this case?

In 2014, a Russian state-sponsored cyber-attack resulted in personal data being stolen from over 500m Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, the data breach wasn’t reported until September 2016.

What was the result of the investigation?

The investigation focused on UK accounts that were co-branded Sky and Yahoo, and which the London-based branch of Yahoo had responsibility for.

Following its inquiry, the ICO found that Yahoo had “failed to prevent” the hack. The ICO also condemned “inadequacies” that had been in place at Yahoo for some time without being “discovered or addressed”.

The investigation also found that:

  • The firm failed to ensure that its data processor complied with the appropriate data protection requirements
  • The firm failed to ensure that the credentials of employees with access to customer data were monitored
  • There was a lengthy period before the flaws which led to the breach were discovered or addressed

According to an ICO spokesperson:

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

As a result, the watchdog imposed a £250,000 fine. However, this represents less than 0.4% of Yahoo UK’s 2016 gross profit.

What can you do?

The ICO has said that cyber-attacks are a fact of life, and that companies have to make it as difficult as possible for them to get in. That it is “no good locking the door if you leave the key under the mat.”

But, while the ICO has the power to impose fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. However, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

What’s more, it doesn’t matter if there is no evidence that the data has been used to carry out identity theft or fraud. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

According to the ICO, Yahoo has informed those affected. If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

Following massive data breaches, companies often set aside funds to pay compensation, so you have nothing to lose.


With strict-time limits in place for making most compensation claims, it’s essential to act now.

cybercrime solicitors

Can you get your money back after a “push” fraud?

Last week, an article revealed the sad case of a widow who was conned into losing her mother’s care-home fees. In a highly-sophisticated cybercrime attack, the woman was defrauded of £20,000 in a so-called “push” scam.

What is push fraud?

Push fraud – also called authorised push payment (APP) scams – happen when criminals deceive individuals into sending them money. Because the victim believes the fraudster to be trustworthy and genuine, they authorise the handover of cash. The money is then quickly transferred by the fraudster to different accounts, often abroad, which makes getting it back almost impossible.

Common types of push payment scams include:

  • Sending falsified invoices that look exactly like ones victims are expecting (e.g. from a child’s school or a legitimate tradesperson)
  • Convincing people to transfer money to someone official, such as a solicitor (e.g. when buying a house)
  • Conning people to transfer cash into fraudulent bank accounts
  • Sending emails pretending to be from a friend asking for money.

While in many cases, the criminals involved might call hundreds of people in the hope of tricking someone, often these cybercrime scams are highly targeted and come after hacking a victim’s emails to identify the information needed to defraud them.

In this latest case, the criminal claimed to be from the Royal Bank of Scotland fraud team flagging up unusual transactions. The fraudsters ran through some security questions to extract the information they needed to access her online banking and rename her current account “frozen”. So, when the woman went to check via the proper channels, it did appear that her account had been locked. In a following call, she was then asked to move her balance to a new “protected” account. But when she called RBS to check the transfer went through okay, they knew nothing about it.

The rising problem of push fraud

The problem of transfer fraud is increasing in the UK. Indeed, according to consumer group Which? in the first two weeks after launching an online cybercrime reporting tool, more than 650 people came forward claiming a loss of over £5.5 million.

Overall, the latest official figures show that over £100 million was unknowingly handed over to criminals through push scams between January and June last year. Over this period around 17,000 people were victims of these scams, and they lost an average of £3,000 each.

How to protect yourself against push fraud

To keep you safe, UK Finance offers the following advice:

  • Never disclose security details such as your PIN or full banking password
  • Don’t assume an email, text or phone call is authentic
  • Just because someone knows some personal information about you (i.e. your mother’s maiden name), that doesn’t mean they are genuine
  • Banks or other trusted organisations will never contact you and ask for your PIN or full password, or ask you to transfer money to a safe account
  • Don’t be rushed into handing over sensitive information, take the time to contact the company directly using a trusted email or phone number to check the request is genuine
  • Listen to your instincts. If something doesn’t feel right don’t be pressured into making a decision there and then
  • Never automatically click on a link in an unexpected email or text.

Are the banks liable?

According to the banks, they make it very clear that customers should never make a payment at the request of someone over the phone or email. So, while millions have been lost by unwitting victims, because the transfers were authorised, until now banks have been unable (or unwilling) to return nearly 74% of the money.

Don’t be fobbed off by the banks!

If you have been the victim of a push fraud and need help getting your money back, there is some good news. Under new plans, the regulator is coming down on the side of consumers and people tricked into transferring money directly to a fraudster can expect stronger protections.

A new industry code will be in place from September, helping victims of such scams to secure compensation. What this means in practice is that victims of push scams can be confident that any claim for reimbursement will be given fairer consideration.

If you want to claim compensation following a push payment scam or another type of cybercrime, Hayes Connor can help. Our professional, friendly team will be pleased to answer any questions you might have, and advise you on whether you have a valid claim.

 We can help you to claim compensation from the fraudster, your bank, and any organisation that may have put your data at risk (where this data was then used to facilitate a push scam).

Start your claim

data breach compensation
, ,

Data security incidents are on the rise

There has been a 9% increase in reported data security incidents over the last quarter. What’s more, there has been a 41% rise year-on-year. That’s according to the Information Commissioner’s Office[1]  (ICO) – an independent authority, set up to uphold information rights in the public interest, and to promote openness by public bodies and data privacy for individuals.

However, this isn’t necessarily bad news. In fact, the ICO suggests that the surge could be down to more people reporting security breaches due to growing awareness of the GDPR, and the launch of its new Personal Data Breach helpline. Regardless, information shared in error is the single highest contributor to data breaches year-on-year, and when this data contains sensitive information, the potential damage and distress are huge.

Delving into key sectors, it seems that general business, education and local government are once again the areas with the most reported data security incidents.

Central government

Government bodies must do more to improve cybersecurity. This is particularly important as cybercrime is now acknowledged by the UK government as the foremost threat to national security. Despite this, reported incidents in central government increased by a whopping 178%. And, the ICO highlights a particular issue with failing to redact data in this sector.


Schools handle a lot of sensitive personal data, and it’s vital that this is kept safe. Especially where children are involved. However, all too often, educational organisations either aren’t are aware of their obligations, or haven’t done enough to ensure that they meet them.

In fact, reported incidents in the education sector have risen by 68%, with breaches involving data sent by email to an incorrect recipient increasing substantially.


Healthcare is rapidly going digital. So, it is vital that there are adequate and robust protections in place to secure the data and information held within it. And that healthcare staff have the knowledge and ability to handle such data securely. According to the ICO, the UK health sector continues to have the highest number of reports. Primarily because breach reporting is mandatory in this sector.

Over the last quarter, there has been a 22% increase in reported health incidents with the most common causes being:

  • Data posted or faxed to the incorrect person
  • Data sent by email to the incorrect recipient
  • Loss or theft of paperwork.

The report also reveals that cybersecurity incidents have decreased by 19%. However, this continues to be a priority for the ICO. Of cyber incidents, unauthorised access and malware are the biggest reported problems.

At Hayes Connor, we can help you make claims against a wide range of organisations already fined by the ICO. Of course, you may not know that your data has been breached until you read about it or see it in the news. But if you are in any doubt, it’s worth finding out whether your data was put at risk, because, if so, you may have a claim for compensation. We can also keep you updated on upcoming and current data breach claim investigations.

Find out more about the latest ICO findings here.

With strict-time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

[1] https://infogram.com/1ppl7drqj6wrwdarw7zrrwepdquz6z9rrxq