It was an email offering a discount on an electric toothbrush that began the sequence of events that ruined Anna's life.
Within minutes of entering her card details, she got a call from her bank telling her fraudulent transactions were being made. The next day Robert Clayton from Britain's Financial Conduct Authority (FCA) called to say they were pursuing the criminals responsible but that her savings were at risk.
There was no toothbrush, though. No fraud department, no Robert Clayton. They were all part of a scam to gradually siphon off Anna's life savings, and within a few weeks the plot had succeeded, to the tune of about 200,000 pounds ($270,000).
"I am still in shock, the guilt and shame are impossible to convey," said the 78-year-old widow from central England, who did not want her full name to be used in this story.
She is one of thousands of people who have seen savings swept away this year by an unprecedented wave of online bank fraud hitting Britain, where you're more likely to be a victim of online fraud than any other crime.
The country is the global epicenter for such attacks, according to five of the biggest British banks and more than a dozen security experts who said scammers were buying up batches of consumers' personal details on the dark net to target the record numbers shopping and banking online since the pandemic.
The country's super-fast payments infrastructure, relatively light policing of fraud-related crime, plus its use of the world's most widely used language English, also made it an ideal global test bed for scams, the banks and specialists added.
A British record of 754 million pounds was stolen in the first six months of this year, up 30% from the same period in 2020, according to data from banking industry body UK Finance, and up more than 60% from 2017, when it began compiling the figures.
That represents a per capita fraud rate roughly triple that seen in the United States in 2020, according to a Reuters calculation from UK Finance and the latest available Federal Trade Commission data.
"The most sophisticated fraud tends to start in the U.K., and then move two years later to the U.S. and then around the world," said Ayelet Biger-Levin, vice president of product strategy at the U.S.-based cybersecurity firm BioCatch, which provides anti-fraud technology to banks.
"In the last 12 months, we have seen more fraud attacks than we had seen in any other year in history. Data breaches have also accelerated, so there's a lot more personal information out there that criminals can take advantage of."
Unlike simple email-based scams of the past purporting to be from princes or oil barons seeking your help to shift their millions, the modern bank scam can be sophisticated, multi-phased and extremely convincing.
"We've seen some cases where the fraudster has been talking to somebody for three or four years as someone else before they actually scam them out of a large amount of money," said Brian Dilley, group director for economic crime prevention at Britain's biggest bank Lloyds.
Deena Karia, another scam victim, told Reuters how she lost 10,000 pounds in early February after buying a seemingly safe bond purportedly issued by Credit Suisse and apparently listed on the price-comparison site MoneySuperMarket.
After filling out a form on the website and receiving a call from a staff member there, she called them back on the number listed on the website to check the phone number was legitimate, made further checks about the bond and went on to invest.
Karia, from outer London, still does not know exactly how her money was stolen but believes the scammers may have created a fake website mimicking MoneySuperMarket.
The genuine MoneySuperMarket warned on Feb. 15 of crooks faking its website and impersonating its staff. A spokesperson for the company said it is working to take down such fake websites and phone numbers, working with the FCA to highlight cloned websites and reporting issues to the police.
"I lost my dad not long ago, I'm caring for my mother and that money would have supported us for years," Karia said.
Barclays, her bank, has refunded only half the money, saying she could have done more to protect herself.
"We have every sympathy with Miss Karia who was the victim of an investment scam and as the case is currently being investigated by the Financial Ombudsman Service, we await the conclusion of their review," Barclays said.
The government's National Economic Crime Centre (NECC) agrees with the banking sector's assessment that fraud represents a threat to British security.
"It is growing from an already enormous scale," said Chris Reed, fraud threat lead at NECC, which he said was meeting at least every month with bank bosses, technology executives and telecoms companies to assess and respond to threats.
Britain's Faster Payments' network, which allows transfers between bank accounts to settle instantly rather than in hours or days as in the United States and other developed banking markets, means criminals can rapidly spirit away funds.
"The faster payment system has facilitated faster fraud," said Richard Emery, a fraud expert who is advising Anna and 63 other scam victims whose average loss is 102,000 pounds.
Pay.UK, which runs the network, said the system supported the British economy, consumers and businesses. It added that criminals were getting better at exploiting digitization and that it was working with the industry and regulators to fight fraud.
While security experts and senior bankers said many fraud attacks could be traced overseas - including from India and West Africa - Britain is also increasingly exporting attacks.
Crimes such as authorized push payments (APP) – where people are tricked into authorizing a payment by a criminal posing as their bank or other trusted company – are proliferating globally after having started off as a largely U.K. phenomenon.
The country ranks second in the world behind the United States as a source of automated bot attacks, the fastest-growing type of fraud attack in the world, according to data from LexisNexis Risk Solutions, a financial crime analysis firm.
Bot attacks see criminals use a high volume of stolen identity credentials to overrun a website, allowing them to set up new accounts or access existing ones.
"It's popular to say the fraud threat is imported into the U.K., and I don't think that bears analysis," said NECC's Reed. "There is a significant U.K. nexus to a lot of fraud, our operational experience is showing that."
Britain's banks – which often pick up the compensation bill when people are scammed – are trying to respond.
HSBC, which has operations in the Americas and Asia, has hired more than 300 staff in a year to support its anti-fraud operations in its home market and increased annual spending by 40% to deal with an "exponential" number of customers affected, the bank told Reuters.
"The U.K. is the hotbed of activity for fraudsters. Currently, the U.K. accounts for about 80% of our global personal fraud losses," it said.
Lloyds said it had invested 100 million pounds in its defenses over the past two years, while rival NatWest has 10% of its workforce – amounting to 6,000 people – dedicated to combating financial crime. TSB hired 100 extra staff to support fraud victims in the last year.
But lenders are also pressing the government to make social media platforms, where they say some attacks originate, share the burden. British lawmakers told bosses at Facebook, Google, Amazon and eBay last month that they needed to do more combat fraud.
The NECC's Reed said another problem was that just 1% of policing resources were dedicated to fighting fraud, despite it making up over a third of all crime in England and Wales.
"I won't hide away from the fact that resourcing of the response is completely out of step with the scale and seriousness of the threat. We've got a mountain to climb."
This means that criminals are emboldened to target people like Anna, who has little hope of recovering her savings.
The fraudsters had told her to shift her "at risk" cash to an account on a cryptocurrency platform that they emptied – while isolating her from family by stressing secrecy and coaching her on how to respond to skeptical bank officials.
"They knew the name of my financial adviser, they were utterly convincing as FCA staff," she said. "And they told me I could not tell anyone about the investigation as it would damage their efforts to catch the crooks."