Can you imagine the outcry if armed bandits walked into Irish banks and made off with more than €5 million every single week?
Or what if robberies on that scale were routinely perpetrated against the museums, art galleries and stately homes dotted all over the country, with precious works looted and sold on the black market every day?
Do you think for a second those in authority – the politicians, the banks and the police – would simply shrug their shoulders and, after indulging perhaps in a little light hand wringing, get on with their days?
Of course they wouldn’t.
There would be armed response units policing the buildings under threat, newspapers would splash stories of the latest outrageous robberies on their front pages every day, emergency legislation would be drafted and all the stops would be pulled out to ensure that those responsible for theft on such a grand scale were held to account.
But when the money is stolen from consumers by criminals and con men lurking in the shadows and targeting the electronic devices that have become so central to our everyday lives, nothing – or almost nothing – ever seems to get done.
Or if it does get done, it gets done very slowly indeed.
Earlier this month, the communications watchdog announced that it was opening a new front in the war on scammers with the introduction of a text-messaging register that will more easily flag and then block rogue SMS messages.
Announcing an SMS sender ID registry, ComReg noted that text message scams are “undermining the SMS communications channel with consumers and organisations losing trust in the mode of message delivery”.
It said the annual level of harm to Irish consumers and businesses from scam calls and texts was estimated to be more than €300 million a year, of which approximately €115 million is attributed to scam texts alone.
“Many organisations rely on SMS to communicate with their customers and clients,” ComReg said. It pointed to financial transactions, delivery updates and appointments.
So how will the new register work?
It seems pretty straightforward.
Business-to-client/customer messages are known in the industry as Application-to-Person (A2P) messaging and the messages tend to include an alphanumeric identifier, or SMS sender ID, that may be the name of the company or brand that sent the message – for example, 234BANK.
SMS aggregators and mobile service providers handling bulk SMS traffic on behalf of organisations need to preregister their business customers’ SMS sender IDs with ComReg by February 25th.
And then from early July SMS messages with unregistered sender IDs will be labelled “Likely Scam” to alert the recipient that the SMS may not be legitimate.
From October 3rd, messages with unregistered SMS sender IDs will be blocked. “Organisations using SMS sender IDs in their messages to customers should instruct their SMS provider to preregister those SMS sender IDs with ComReg now,” the watchdog said.
In response to the announcement, Nicola Sadlier, head of fraud at Bank of Ireland, said the step was “very welcome” but noted that “tackling spam texts” is just “one part of Bank of Ireland’s four-point plan to enhance consumer and business protection from fraud”.
She expressed the hope that there will be further progress to examine a broader SMS spam filter to further prevent fraud attempts on Irish consumers.
The bank also pointed to the need to take clear action to ensure that online advertising for financial products and services is only permitted by entities regulated to offer them, and the introduction of a shared fraud database in Ireland.
“We all need to work together to tackle the serious problem of fraud, and these latest steps from ComReg are extremely positive,” Ms Sadlier said.
She is not wrong and the ComReg moves are to be welcomed but Pricewatch can’t help but marvel at the complete lack of urgency here – and not just from the communications watchdog but from absolutely every link in the chain: including the banks and telecoms operators, the Government and the Garda.
Based on ComReg’s figures, Irish consumers will lose close to €125 million to scams before the new register is deployed in July and about twice that amount before it comes into full effect in the autumn.
And even when it comes into effect Irish consumers will remain vulnerable to scammers and won’t have the same protections and supports that exist in the UK.
Authorised push payment (APP) fraud is one of the great scourges of modern times and sees consumers tricked into manually authorising payments from their accounts to accounts controlled by fraudsters.
And getting redress can be almost impossible.
Payment services in Ireland are governed by the European Union’s second payment services directive (PSD2) and although that does offer a route to refunds for victims of fraud via unauthorised transactions, there are no provisions that force financial institutions to refund victims who authorise the transactions, even when they have been conned into doing it by increasingly elaborate forms of social engineering.
It is a different story in the UK where, since October of last year, payment service providers must reimburse victims of APP fraud up to a ceiling of just over €100,000, with only some limited exceptions allowed.
Even before last October the UK was far ahead of Ireland. In 2019 many of the key banks there signed up to a voluntary code for reimbursement of losses caused to customers by APP fraud.
The UK code implemented the “contingent repayment model”, which applies to personal customers, charities and microenterprises with an annual income of less than £1 million (€1.2 million).
It comes with a set of standards that financial institutions must meet regarding the detection, prevention and response to APP fraud. It also imposes an obligation to reimburse customers’ losses caused by APP fraud, in certain conditions.
And what are those conditions?
The payments must be made within the jurisdiction, for starters. Financial institutions can also refuse reimbursement if the victim ignored warnings given under the code, made a payment without a reasonable basis for believing the transaction to be genuine, or was guilty of gross negligence in connection with the payment.
The code also allows for the cost of reimbursement to be shared by a bank that sends the money and the one that receives it; if the consumer is also found to be at fault the burden of the cost can be split three ways.
If banks are not at fault, then compensation is paid from a pooling fund to which all financial institutions contribute.
But what about Ireland?
As Sinn Féin’s finance spokesman Pearse Doherty pointed out last week, we are “way behind the curve” in protecting people.
Mr Doherty said: “We are way behind the curve, both in terms of regulation for the banks and for social media.”
Speaking in the Dáil he pointed out that “at the moment, anyone involved in credit card fraud is guaranteed to get their money back. Everything is set up for the banks to do that. But for APP, which is romance fraud, investment scams, holiday scams and catfishing, there is nothing in place. In my view, there should be statutory protections there, as there are in the UK”.
We contacted the Banking and Payments Federation of Ireland to find out why we were so far behind the curve.
A spokeswoman said: “The fraud landscape in Ireland has evolved significantly in recent years as fraudsters increasingly target consumers and businesses directly through APP scams.
“Financial institutions have a clear role to play in preventing fraud, a commitment which the industry takes very seriously through a range of measures both at industry level and within each individual institution including rigorous and real time transaction monitoring and fraud analysis. Every reported case of fraud is fully investigated and best efforts are made to recover funds where possible.”
She said it was “important to note, however, the first sight a financial provider will have of an APP scam is when a transaction has already taken place. The payment occurs at the end of what can often be a long engagement between the criminal and the victim. And with the vast majority of frauds now initiated online, banks cannot combat this crime alone.
“To effectively combat APP fraud Ireland needs a centrally led, ‘whole-of-system’ response where social media companies, telecoms, financial services, the State and An Garda Síochána can collaborate to devise appropriate strategies to better share intelligence, implement protections for consumers and develop barriers to criminals. To this end, BPFI and its members have continued to highlight the need for the development of a national financial crime strategy.”
She suggested that “ultimately, focusing only on the reimbursement of payments will fail to reverse the increasing incidents of fraud, will fail to protect consumers and businesses and will only reward criminals and enable them to fund more serious and lucrative crime. Money stolen through APP scams is used to fund drug trafficking, human trafficking, sexual exploitation and terrorism. In this way, tackling fraud helps protect society as a whole, disrupting a cycle where illicit gains are reinvested in further criminal activity.”
The Central Bank told Pricewatch it would support the introduction of a voluntary reimbursement arrangement among Irish banks for victims of APP fraud, but it sounded cautionary notes.
“The firms we regulate must have effective systems in place to identify and prevent fraud and they must support consumers who fall victim to it,” the bank said. “This includes APP fraud, where we expect firms (among other things) to take steps to trace and recover money lost where this is possible. We also expect firms to take responsibility for compensating consumers where their loss has resulted from a failure of the firm’s systems and controls.”
The statement stressed it is “also essential that all relevant actors – including in areas not directly regulated by the bank – place equal focus on preventing fraud in the first instance. This can include, for example, robust verification processes to ensure advertisers of financial services in Ireland hold the requisite authorisation.”
The statement concluded by saying the regulator would “support any voluntary reimbursement arrangement by industry, while recognising that it must be properly calibrated and careful consideration must be given to cost allocation. It is important that a ‘whole-of-system’ approach is taken to any initiative, as it will be most effective if all relevant actors are involved, including those outside the banking and payments sector such as social media firms.”