A few months ago, a family member of mine was defrauded out of almost £20,000. Thankfully, the money was eventually recovered, but the damage went far beyond the financial loss. Their trust in online banking and technology was shattered. Every login, every “security” text, and every email now feels like a potential trap.
The worst part is that it could have been prevented, both through better personal security habits and stronger authentication by the bank.
How It Happened
It started with password reuse, the silent killer of digital security. The credentials were stolen from some long-forgotten online service, one of those pointless accounts that had not been used in months, but the password was the same one used elsewhere.
Those details ended up for sale on the dark web. Attackers used them to access the victim’s mobile provider account and carry out a SIM swap, moving the phone number to a new device.
Once they controlled the number, everything else fell apart. The attackers intercepted text messages, reset online banking credentials, and authorised a £20,000 transfer, all through SMS verification.
No step-up authentication.
No confirmation call.
No “this looks suspicious” flag.
Just one recycled password and one text message.
For a five-figure transaction, that is beyond negligent!
Convenience Over Security
Banks love to talk about balancing convenience and security, but that balance has tipped too far. SMS-based authentication has not been fit for purpose in years, yet it remains the default method for major transactions.
At my bank, a transfer of that size would have triggered secondary verification: an app confirmation, biometric approval, or at least a voice check. The bank in this case did none of that. It is not that they could not; it is that they did not.
When fraud prevention becomes a tick-box exercise instead of a real control, customers end up paying the price, both financially and emotionally.
The Aftermath: Weeks of Fallout
Even after the refund, the cleanup has been brutal. Weeks spent combing through credit reports, checking for new accounts or applications, and manually changing credentials across every major account, from banking to utilities, retail, and entertainment.
It has been a complete ballache.
Fraud does not end when the money comes back. The admin and anxiety drag on long after. For someone who is not in IT, the psychological damage is huge. My family member went from confident and capable to hesitant and suspicious of everything online.
They have now decided to move back to a bank they can walk into, somewhere they can see a face, talk to a person, and feel a bit more secure. Honestly, I cannot blame them.
Lessons Learned
- SMS is not security. It is the weakest form of multi-factor authentication and should be retired, not relied upon.
- Risk-based authentication matters. A £20,000 transfer needs more than a text message.
- Stop reusing passwords. A password manager is far safer and simpler than remembering multiple variations of the same one.
- Lock down your mobile account. Add a porting PIN or passphrase; every UK carrier supports this.
- Monitor your credit file. Fraud rarely stops at one account.
- Never assume your bank has your back. Some still operate as if it is 2008.
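To make the "risk-based authentication" and "SMS is not security" points concrete, here is an added example of a step-up policy for outbound transfers, written for this post and not code from any bank or vendor. The threshold, the 72-hour windows, the factor names and the idea that a carrier SIM-change signal is available to the bank are all assumptions made for illustration. The policy lets SMS count as a second factor only for low-risk transfers, requires a stronger factor for high-value or anomalous ones, and, when a recent SIM change is known, refuses anything that routes through the phone number at all.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Factor(Enum):
    PASSWORD = "password"
    SMS_OTP = "sms_otp"                  # one-time code sent by text message
    APP_PUSH = "app_push"                # confirmation inside the enrolled banking app
    BIOMETRIC = "biometric"              # device biometric bound to the enrolled app
    VOICE_CALLBACK = "voice_callback"    # call to the number on file


# Factors that do not depend on the customer's phone number. A SIM swap hands the
# attacker both SMS codes and callbacks to that number, so only app-bound factors
# are treated as SIM-swap resistant here (assumption for this example).
SIM_SWAP_RESISTANT = {Factor.APP_PUSH, Factor.BIOMETRIC}
STRONG_FACTORS = SIM_SWAP_RESISTANT | {Factor.VOICE_CALLBACK}

HIGH_VALUE_THRESHOLD_GBP = 1_000   # constructed policy value, not any real bank's limit
RECENT_EVENT_HOURS = 72            # constructed window for "recent" reset / SIM change


@dataclass
class TransferContext:
    amount_gbp: float
    new_payee: bool
    known_device: bool
    hours_since_credential_reset: Optional[float]  # None = no recent reset on record
    hours_since_sim_change: Optional[float]        # hypothetical carrier signal; None = none known


@dataclass
class Decision:
    allowed: bool
    required: Set[Factor]               # which factors would satisfy the policy
    flags: List[str] = field(default_factory=list)


def risk_flags(ctx: TransferContext) -> List[str]:
    """Collect the risk signals present on this transfer."""
    flags = []
    if ctx.amount_gbp >= HIGH_VALUE_THRESHOLD_GBP:
        flags.append("high_value")
    if ctx.new_payee:
        flags.append("new_payee")
    if not ctx.known_device:
        flags.append("unknown_device")
    if ctx.hours_since_credential_reset is not None and ctx.hours_since_credential_reset < RECENT_EVENT_HOURS:
        flags.append("recent_credential_reset")
    if ctx.hours_since_sim_change is not None and ctx.hours_since_sim_change < RECENT_EVENT_HOURS:
        flags.append("recent_sim_change")
    return flags


def evaluate(ctx: TransferContext, completed: Set[Factor]) -> Decision:
    """Decide whether the completed factors are enough for this transfer.

    The password is always required. Which second factor is acceptable depends on
    the risk flags: any second factor (SMS included) for a clean low-value transfer,
    a strong factor when anything is flagged, and a SIM-swap-resistant factor when
    the phone number itself cannot be trusted.
    """
    flags = risk_flags(ctx)
    if not flags:
        required = {Factor.SMS_OTP, Factor.APP_PUSH, Factor.BIOMETRIC, Factor.VOICE_CALLBACK}
    elif "recent_sim_change" in flags:
        required = set(SIM_SWAP_RESISTANT)
    else:
        required = set(STRONG_FACTORS)
    allowed = Factor.PASSWORD in completed and bool(completed & required)
    return Decision(allowed, required, flags)


if __name__ == "__main__":
    # Constructed scenario mirroring the post: large transfer, unknown device,
    # credentials just reset, number recently moved to a new SIM, SMS-only second factor.
    fraud_like = TransferContext(20_000, True, False, 1.0, 2.0)
    print(evaluate(fraud_like, {Factor.PASSWORD, Factor.SMS_OTP}))
```

Two design choices matter here. First, a known SIM change is treated as disqualifying SMS and voice outright rather than as one more risk point to weigh, because once the number is in someone else's hands those channels are not "weaker", they are the attacker's. Second, the policy returns the set of factors that would satisfy it, so the client can prompt the customer for a usable alternative instead of simply failing.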
The Bigger Problem
Banks continue to invest millions in “AI-driven fraud detection” while still relying on 1980s telecom infrastructure to secure customer savings. They will happily refund fraud cases but rarely address the systemic weaknesses that make them possible in the first place.
They do not measure the emotional impact, the time lost, or the erosion of trust. They simply mark the case as resolved.
Fraud prevention should not end with a refund. It should begin with authentication that actually works.
The Takeaway
This was not a sophisticated cyberattack. It was a familiar story that happens daily: password reuse, outdated SMS verification, and complacency disguised as convenience.
The money came back, but the confidence did not.
The lesson is simple. Never let your phone number be your last line of defence, and never assume your bank’s idea of “secure” matches yours.