A Royal Bank of Scotland customer had more than £4,300 stolen from her account by a fraudulent caller who answered one of her security questions wrongly, BBC Watchdog Live has found.
For more than a year, the bank insisted Charlotte Higman had been aware of the transaction and refused to refund her.
The Financial Ombudsman Service (FOS) backed RBS after the initial complaint.
But earlier this month, RBS apologised and issued Charlotte a full refund, after Watchdog Live's investigation.
'I feel really angry'
Charlotte, from Totnes in Devon, believes that RBS repeatedly failed to pick up on evidence, including warnings raised in its own security processes.
In a recording of the fraudulent phone call obtained by Watchdog Live, a woman can be heard incorrectly answering a security question relating to Charlotte's occupation.
Despite this, a transaction of £4,318 is approved by the bank and it is only after the caller requests a second transaction, and is unable to answer additional security questions, that a warning is raised on Charlotte's account.
The bank's own records show that the phone call, in January 2017, was marked as a "potential account takeover" and the caller failed the bank's voice recognition checks. Despite this, the initial transaction was not reversed.
After reporting the call to the police, Charlotte discovered her phone line was diverted on the day of the call, explaining why the bank believed they were speaking to her at her home address.
"I just feel really angry that someone's been able to do it that easily," Charlotte told Watchdog.
"The bank said that the person was in the home, they did the transactions from the home and they passed all the security questions correctly - and that's why they believed that I'd done it."
Charlotte's case pre-dates a new voluntary code of conduct on such scams which most of the banks have signed up to.
In essence, the code says that if a customer - or the bank - has failed to heed warning signs, they will be liable for any subsequent loss.
Under the code, RBS would have been obliged to pay up.
The industry is still consulting on the issue, and the code is expected to be finalised next year.
Fraud lawyer Arun Chauhan told the programme: "I have a lot of sympathy for Charlotte.
"You can hear what [the caller has] tried to do is put together two transactions for the full balance of the account and the bank just don't pick it up as a warning sign.
"They know at the end this is fraud, but they've done nothing about the first transaction and that's why Charlotte should be so critical of the bank."
According to fraud prevention service Cifas, facility takeover fraud - when a fraudster abuses personal data to hijack someone's existing account or services - rose 7% last year to more than 24,000 reported cases.
Bank accounts remain the most targeted product for fraudsters, with more than 100,000 reported cases in the UK last year.
This is how the fraud on Charlotte was carried out:
- Bank records show the fraudster initially calls the bank, posing as Charlotte, and asks for her account to be reset for security reasons. Staff follow the bank's usual security protocol and call Charlotte's landline number, unaware the call has been diverted to a mobile phone
- The security reset is processed despite the caller answering a security question incorrectly. The caller then requests that more than £4,300 should be transferred to another account and the bank allows the transfer
- During the same 23-minute call, the caller requests that a second transfer of a similar amount be made to a different account. This time security questions are flagged as being answered incorrectly and the transfer is denied, but the bank does not ask for the original transfer to be recalled
- The bank maintained that because it had called Charlotte's home phone number to verify her identity, it was clear she was aware of the transactions. Following an investigation by Devon and Cornwall Police, it was discovered that the fraudster had made a call to Charlotte's landline provider to fraudulently divert the number to a mobile phone number in a different part of the UK
The FOS warned banks earlier this year that customers should not automatically be blamed for money lost through scams.
It added that fraudsters' growing sophistication meant it was wrong to assume losses were because of customer carelessness.
The FOS aims to resolve issues for customers relating to financial services including bank accounts, insurance, loans, credit and debit cards and investments. Last year, it was contacted by more than two million people.
'Fair and reasonable'
A FOS spokesperson said: "We have made it clear to the banks that it's not fair to automatically blame a customer when they've lost money due to a scam, especially given the sophisticated way criminals exploit banks' security systems.
"When we look at complaints, we have to carefully weigh up the evidence provided by both parties to decide what we think is fair and reasonable in all the circumstances.
"We're pleased that Charlotte's complaint has now been resolved, and she's got her money back. If you've been the victim of a scam, and you feel your bank should have done more to help, please get in touch with us."
After being contacted by Watchdog Live, an RBS spokesperson said: "We would like to apologise to Mrs Higman that the service provided fell short of the high standards we expect.
"On review of Mrs Higman's case, and in light of new information provided to us, we have refunded Mrs Higman in full for her loss."