'Direct debit fraud cost my mum £1,000'
"Really quite angry and frustrated. I wanted to find out why an 82-year-old lady was being defrauded in this way."
Phil Lind is describing the moment he realised criminals had used multiple direct debits to steal nearly £1,000 from his mother, Ursula.
It's thought the thieves got access to her account by tricking her into handing over her bank details on the phone.
But they were able to steal from her again and again after getting round security at direct debit payment provider GoCardless, which collects payments on behalf of other businesses.
In an email to Money Box, it apologised to Mrs Lind and said she was protected by the Direct Debit Guarantee and so would be refunded.
But that's not good enough for her son Phil: "The fact that they [the frauds] just sailed through the direct debit system and affected the bank account - the financial impact is almost limitless."
'Regulation needed'
He added: "It's frightening to know that people have access to people's bank accounts without their knowledge. And that they can affect someone's bank account on multiple occasions, purely because something has happened lower down the chain once.
"It's shocking and there needs to be investigation and regulation."
GoCardless is based in the UK, has about 400 staff and was founded in 2011 by Tom Blomfield, who went on to found the Monzo challenger bank.
In an email to Phil, it said: "We have located five payment transactions that have been processed through GoCardless and funds have been taken from your mother's bank account fraudulently."
It told Money Box that criminals got round its internal security system and were able to steal the money because the payments, which were all slightly less than £200 and taken over the course of several months, were not "identified as requiring immediate termination".
It added: "After he [Phil Lind] brought this to our attention, we worked quickly to block Mrs Lind's account so that no further payments could be taken, and advised Mr Lind to request a refund under the Direct Debit Guarantee."
'Not surprised'
Lisa Forte, a partner at Red Goat cyber security in Bristol, told Money Box: "I'm must say I'm not surprised.
"This is something that I've seen happen an awful lot and it has increased during the pandemic, in fact.
"What you've got to understand is that every element of that chain [the direct debit system] is relying on the element before it to authenticate, to prove that this is a legitimate direct debit.
"If you insert poison into the start of the chain, ie through fraudulent companies, then it will poison the entire chain."
Ms Forte also says the amounts, all slightly less than £200, are key to the criminals getting round security; "They [the criminals] have used relatively small amounts with the hope that no bank will question it or require further authentication for it.
"That's why they use the small amounts, it's a deliberate tactic."
Pay.UK, which runs the direct debit system, says that while it sets the security standards that companies wishing to use it must adhere to, individual companies such as GoCardless are responsible for making sure those standards are met.
Both Pay.UK and GoCardless said consumers are protected by the Direct Debit Guarantee which refunds any fraudulent payments, which has now, finally, happened in Ursula's case.
You can hear more on BBC Radio 4's Money Box programme by listening again here.