TL;DR
Recent large-scale data breaches have raised fraud risk for UK consumers. Report fraud to Action Fraud, claim under the Contingent Reimbursement Model for Authorised Push Payment fraud, and follow ID theft steps if data has been exposed.
Last reviewed 3 June 2026
Key facts
- Action Fraud is the UK national reporting centre for fraud and cybercrime. Online reporting at actionfraud.police.uk or by phone on 0300 123 2040.
- From October 2024, mandatory reimbursement for Authorised Push Payment (APP) fraud applies up to £85,000 per claim under PSR rules.
- UK Finance reports total UK fraud losses of around £1.17 billion in 2023, with APP fraud accounting for £459 million.
- Cifas is the UK fraud prevention service. Members include banks, building societies, insurers and credit reference agencies.
- The 159 service (a phone shortcode) connects directly to a customer's bank to verify suspect calls.
What to do if you have been scammed
If money has been transferred and the recipient was a fraudster, follow these steps immediately:
- Contact the bank that processed the payment. Banks have established procedures for tracing recent payments. Speed matters; funds can sometimes be recovered if reported within hours.
- Report to Action Fraud. Use the online reporting form at actionfraud.police.uk or call 0300 123 2040. An incident reference number is generated. The National Fraud Intelligence Bureau uses Action Fraud data to identify investigable fraud patterns.
- If it was an Authorised Push Payment (APP) fraud: Mandatory reimbursement rules from the Payment Systems Regulator took effect on 7 October 2024. Customers who were tricked into making a payment from a UK account to another UK account are reimbursed up to £85,000 per claim, subject to a customer standard of caution. Banks must reimburse within five business days unless they invoke a 'stop the clock' for further investigation.
What to do if your data has been exposed
After a data breach (Carnival, Marks & Spencer historically, MOVEit, Capita and many others), criminals monetise the exposed data through phishing, identity theft and account takeover. Action steps:
- Reset passwords and enable two-factor authentication on email, banking and any account that may have shared the breached password.
- Check Have I Been Pwned (haveibeenpwned.com) for any of your email addresses to see which historic breaches included them.
- Cifas Protective Registration: Cifas offers a paid protective registration service that flags applications for credit in your name for additional verification. This is appropriate where significant identification data (passport, driver's licence, address history) has been exposed.
- Credit reference agency alerts: Experian, Equifax and TransUnion offer alerts when new credit applications appear in your name.
- Tell HMRC if your government identification has been exposed, particularly National Insurance number, to prevent fraudulent tax-related activity.
Recognising the current scam patterns
UK Finance and Action Fraud report several persistent fraud patterns:
- Impersonation fraud: Callers pretending to be from a bank, HMRC, Royal Mail or police. The 159 service connects directly to the customer's bank to verify suspicious calls.
- Investment scams: Often via social media, promising guaranteed returns. The FCA maintains a warning list and a ScamSmart tool. Anything promising returns significantly above mainstream rates is a warning sign.
- Purchase scams: Fake online sellers on social media and marketplace sites. The mandatory APP reimbursement scheme covers these but evidence of caution is needed.
- Romance scams: Slow-build relationships leading to requests for money. Action Fraud reports these as among the highest individual losses.
- Smishing and phishing: SMS messages from supposed delivery firms, HMRC or banks containing malicious links. Forward suspect SMS to 7726 (free) to report.
Advisory: Fraud is a criminal offence. Reporting is essential even where recovery seems unlikely. Action Fraud aggregates reports for the National Fraud Intelligence Bureau, which identifies patterns that lead to investigations.
Disclaimer
This article is for general information only and does not constitute financial, legal, tax, insurance, or investment advice. Kael Tripton Ltd is registered with the Information Commissioner's Office (ICO ZC135439) as a data controller but is not authorised by the Financial Conduct Authority. Figures and rules are correct at time of publication and may change. Always check the primary source linked below before acting on any information, and seek advice from a qualified professional for your specific circumstances.
Frequently asked questions
How do I report a scam in the UK?
Report to Action Fraud at actionfraud.police.uk or by phone on 0300 123 2040. If money has been transferred, contact the bank first. For suspicious SMS, forward to 7726.
Will my bank refund me if I was scammed?
From October 2024, mandatory reimbursement applies for Authorised Push Payment (APP) fraud up to £85,000 per claim under PSR rules. The bank must reimburse within five business days unless it has grounds for further investigation.
What is the 159 service?
159 is a free phone shortcode that connects directly to a customer's bank for security verification. It is used to confirm whether a call claiming to be from the bank is genuine. Participating banks include all major UK retail banks.
Is Cifas Protective Registration worth paying for?
Cifas Protective Registration costs around £30 for two years and flags credit applications in the registrant's name for additional verification. It is appropriate where significant identification data has been exposed in a breach. Free credit reference agency alerts cover credit application monitoring without the additional verification step.