Recovering Money Lost to Online Fraud

DigitalUK-wideLast reviewed: 1 April 20256 min

Online fraud — including investment scams, romance fraud, purchase scams, and impersonation — costs UK victims billions of pounds annually. New rules from the Payment Systems Regulator (PSR) introduced in 2024 require banks to reimburse most victims of Authorised Push Payment (APP) fraud, significantly improving your chances of recovery.

Key points

  • From October 2024, the PSR's mandatory APP fraud reimbursement scheme requires banks to reimburse most victims of authorised push payment fraud within 5 business days.
  • The maximum reimbursement under the PSR scheme is £85,000 per claim, with a maximum excess of £100 that can be applied.
  • You must report fraud to your bank immediately — delay can affect your entitlement to reimbursement.
  • Action Fraud (0300 123 2040) is the national fraud reporting centre; reports are passed to the National Fraud Intelligence Bureau.
  • Unauthorised fraud (where you did not authorise the payment, e.g., card fraud) is covered by separate rules and is generally reimbursed in full.

The PSR APP Fraud Reimbursement Scheme

Authorised Push Payment (APP) fraud occurs when you are deceived into authorising a bank transfer to a fraudster — for example, by a fake invoice, impersonation of your bank, or a romance scam. From October 2024, the Payment Systems Regulator's mandatory reimbursement scheme requires:

  • Your bank (the sending bank) must reimburse you for most APP fraud losses up to a maximum of £85,000 within 5 business days of your claim being assessed.
  • Banks can apply a maximum excess of £100 — meaning the first £100 of any loss may not be reimbursed. Vulnerable customers are exempt from the excess.
  • The sending bank recovers 50% of reimbursed funds from the receiving bank (where the fraudster's account was held), incentivising both banks to prevent fraud.
  • Banks can refuse reimbursement where the victim acted fraudulently or with gross negligence — a high bar that requires the victim to have taken an exceptional and unreasonable level of risk.

What to Do Immediately After Being Defrauded

If you realise you have been the victim of online fraud:

  1. Contact your bank immediately on their fraud line (usually a 24-hour line on the back of your card). Ask them to recall the payment and freeze any remaining funds. Speed is critical — many fraudsters move money within minutes.
  2. Report to Action Fraud at actionfraud.police.uk or 0300 123 2040. Get a crime reference number — you will need this for your bank claim and any insurance claim.
  3. Preserve all evidence: Screenshots of emails, messages, websites, payment confirmations, and any other communications with the fraudster.
  4. Do not engage further with the fraudster — do not make additional payments or provide more personal data.
  5. If you were tricked into downloading remote access software, run a security scan on your device and change all passwords from a different device.

Making a Claim Under the PSR Scheme

To claim reimbursement from your bank:

  1. Submit a formal APP fraud claim to your bank's fraud team in writing (email or online form), including your crime reference number, details of the payment(s), and all available evidence of the fraud.
  2. Your bank must assess your claim within 5 business days (or 35 business days in complex cases, with notification). They must either reimburse you or give reasons for refusal.
  3. If your bank refuses your claim or offers less than you believe you are entitled to, you can escalate to the Financial Ombudsman Service (FOS) — the FOS resolves bank disputes free of charge and can order reimbursement.

Keep records of all communications with your bank about the fraud claim, including the dates and names of any call handlers.

Unauthorised Fraud: Card Fraud and Account Hacking

Unauthorised fraud — where a fraudster uses your payment details without your authorisation (e.g., card cloning, account takeover, SIM swap fraud) — is subject to different rules. Under the Payment Services Regulations 2017 and the FCA's rules:

  • Your maximum liability for unauthorised fraud is £35 where your card was used without a PIN or biometric authentication (unless you acted fraudulently or with gross negligence).
  • Your liability is £0 for unauthorised transactions made after you notified your bank of the loss or theft of your card.
  • Banks must reimburse unauthorised transactions within one business day of a valid report, pending investigation.

If your bank disputes liability and you believe the transaction was genuinely unauthorised, escalate to the FOS. SIM swap fraud is particularly complex — report to your mobile network as well as your bank.

Frequently asked questions

I was scammed via a fake cryptocurrency investment platform. Can I recover my money?
If you made payments via bank transfer, the PSR APP fraud scheme should apply — report to your bank and Action Fraud immediately. Recovery depends on how quickly the fraud is reported and whether the receiving bank can trace the funds. If you paid by credit card, Section 75 of the Consumer Credit Act may apply if the card provider is jointly liable for the misrepresentation. Cryptocurrency sent directly is extremely difficult to recover.
My bank is saying I was "grossly negligent" and refusing to reimburse me. What can I do?
Gross negligence is a high legal threshold — far higher than ordinary carelessness. Escalate to the Financial Ombudsman Service if your bank refuses reimbursement on this basis. The FOS will assess whether the bank's refusal is justified and can order reimbursement. Fraud victims who followed a convincing deception are rarely found to have been grossly negligent.
I sent money to a scammer abroad via a money transfer service. Is it covered?
The PSR APP fraud scheme currently covers bank-to-bank transfers made through Faster Payments and CHAPS. Transfers made via international money transfer services (e.g., Western Union, MoneyGram) or through cryptocurrency exchanges are generally not covered by the PSR scheme — check the specific service's fraud protection policies and report to Action Fraud.
Should I contact the police as well as Action Fraud?
For most online fraud, reporting to Action Fraud is the correct first step — Action Fraud passes reports to the National Fraud Intelligence Bureau, which assesses them for police investigation. You should also contact your local police (101) if you have information that could assist an investigation or if the fraud involves a local suspect. A crime reference number from either source is important for insurance and bank claims.

What to do next

  1. 1
    Report to Action Fraud

    Report online fraud and get a crime reference number.

  2. 2
    Financial Ombudsman Service

    Escalate a refused APP fraud reimbursement claim to the FOS.

  3. 3
    Data breach rights

    Protect yourself if personal data was stolen as part of the fraud.

  4. 4
    Cyberstalking

    Legal protections if fraud forms part of targeted harassment.

Official bodies and resources

Financial Conduct Authority

Regulator

Regulates financial services firms and financial markets in the UK to ensure they are honest, fair, and effective.

Visit website0800 111 6768

Financial Ombudsman Service

Ombudsman

Resolves complaints between consumers and financial businesses such as banks, insurers, and lenders.

Visit website0800 023 4567

Citizens Advice

Charity

Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Visit website0800 144 8848

Was this page helpful?

Related guides

When a Company Has a Data Breach

A personal data breach occurs when an organisation accidentally or unlawfully destroys, loses, alters, discloses, or gives access to your personal data without authorisation. When this happens, UK GDPR places obligations on the organisation — including notifying you if the breach is likely to cause you harm — and gives you rights to complain and potentially claim compensation.

6 min

Dealing with Cyberstalking

Cyberstalking involves using digital technology — social media, email, messaging apps, location tracking, or spyware — to harass, monitor, or stalk a victim. It is illegal in the UK under the Protection from Harassment Act 1997, with specific stalking offences carrying sentences of up to 10 years imprisonment. If you are a victim, a range of criminal and civil protections are available.

6 min

UK GDPR Rights for Individuals

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.

6 min

Scam Recovery and Bank Reimbursement

If you were deceived into sending money to a fraudster by bank transfer — known as Authorised Push Payment (APP) fraud — new rules introduced by the Payment Systems Regulator (PSR) in October 2024 require most UK banks to reimburse you up to £85,000. This represents a major improvement in consumer protection. This guide explains how the reimbursement scheme works, what you need to do, and what to do if your bank refuses to pay.

9 min

Financial Ombudsman Service: How to Complain

The Financial Ombudsman Service (FOS) is the UK's free, independent dispute resolution service for complaints about financial products and services. It handles over 200,000 complaints a year covering everything from bank charges and payment protection insurance to insurance claim rejections and mortgage disputes.

7 min read

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.