Fraud’s favourite moment: IT outages and scammer tactics

Recent outages for major high street banks have shown how scammers exploit chaos – posing as reps to steal credentials and take over accounts

When banking systems go down, fraudsters step up. Recent outages at several high street banks left thousands of customers unable to access their accounts or make payments for days. This wasn’t just an inconvenience – it was open season for cybercriminals. During these disruptions, scammers exploit customer anxiety and institutional blind spots, impersonating bank representatives through phone calls, texts, and emails in a bid to take over accounts or steal personal data.

So, how vulnerable are banks and customers during outages, and what can be done to mitigate the risks? We spoke to two experts on financial crime and fraud prevention to understand the scale of the threat and the solutions available.

A perfect storm for fraudsters

“IT outages present significant opportunities for fraudsters,” says Rayane Houhou, Senior Management Consultant – Financial Crime and Fraud Prevention at bigspark. “When banking systems are down, normal fraud detection and monitoring capabilities may be impaired, creating windows of vulnerability. We’ve observed criminals specifically waiting for such disruptions to launch coordinated attacks, as these moments of system weakness align with heightened customer anxiety and reduced institutional control.”

Rayane outlines the most common scams that emerge during these crises. “One major example is impersonation fraud, where scammers pose as bank staff, offering fake ‘emergency assistance’ to access customer accounts,” he explains. “Phishing scams involve fraudsters sending emails and texts with malicious links disguised as service status updates; meanwhile, social engineering exploits customer frustration, tricking them into revealing sensitive information. Push payment fraud pressures customers into transferring money to ‘secure accounts’ due to the outage.

“In these moments of uncertainty, customer panic creates the perfect conditions for social engineering. When people can’t access their money or verify their account status, they’re more likely to act on urgent messages or calls that appear to offer help. Fraudsters exploit this psychological vulnerability.”

Are banks prepared?

Despite growing awareness of these risks, preparedness among banks varies. “Leading banks have dedicated playbooks for fraud prevention during outages, which is a regulatory requirement, but many institutions still focus primarily on system recovery rather than holistic security,” says Rayane. “There’s often a gap between technical incident response and fraud prevention strategies.”

Sandra Bendlova, Senior Managing Consultant – Gen AI, Product & Strategy at IBM iX, shares these concerns. The views expressed in this article are her own. “The concept of operational resilience is gaining traction, particularly since the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) introduced stricter requirements,” she says. “But there’s still a disconnect between system recovery efforts and fraud prevention strategies. Outages need to be treated as fraud risk events, not just technical failures.”

What needs to change?

A multi-layered approach to security is needed from banks during outages. “Banks need pre-prepared customer communication strategies to prevent impersonation fraud, and back-up fraud monitoring systems that remain operational even when core banking systems fail,” says Rayane. “Also, enhanced authentication protocols for high-risk transactions are needed, as well as dedicated fraud response teams focused on preventing scams during service disruptions.”

Sandra highlights the need for better integration between technical and fraud response teams. “Banks should stress-test fraud prevention systems in outage simulations, just as they do with cybersecurity threats,” she says. “Operational resilience is about more than just keeping the lights on – it’s about ensuring customers aren’t left exposed.”

Building customer awareness

Customers also have a role to play in protecting themselves from fraud during outages. “Banks should provide clear channels for reporting suspected fraud, even when services are disrupted,” says Rayane. “If you receive an unexpected call, text, or email claiming to be from your bank, don’t engage – contact your bank directly through official channels.

“Also, avoid making urgent transfers or payments until normal service is restored, be wary of unsolicited contact from anyone claiming to be from your bank, document suspicious communications and report them promptly, and keep official bank contact details handy and verify any requests for action.”

Lessons from recent outages

The recent outages have raised broader concerns about the resilience of banking systems. The UK Treasury Select Committee has launched an inquiry into IT failures at major banks, demanding transparency on the frequency and impact of service disruptions. Lawmakers are also scrutinising how well banks are protecting customers from fraud during outages.

“Regulators are taking note of how these situations are handled,” says Sandra. “The pressure is now on banks to prove they have robust fraud prevention strategies in place – not just reactive customer service efforts after the fact.”

Future-proofing against fraud

While recent outages have exposed vulnerabilities, they have also prompted improvements. “We’ve seen advancements, particularly accelerated by the volume of fraud during the COVID-19 pandemic,” says Rayane. “There’s been progress in customer authentication, coordination between IT and fraud teams, and the development of more sophisticated back-up monitoring systems.”

Sandra adds that the integration of AI and generative technology could further strengthen banks’ defences. “Generative AI can assist during high-volume query periods, helping banks detect and respond to fraud attempts faster,” she says. “AI-driven monitoring, combined with proactive communication, can significantly reduce customer risk during outages.”

Key takeaways

For banks, Rayane emphasises the need for scrutiny. “Regular testing of fraud prevention systems during simulated outages, or establishing clear communication protocols to prevent exploitation, could be beneficial,” he says. “Training staff to handle fraud risks specifically during outages and enhancing fraud monitoring capabilities with AI-driven tools will also help.

“As for customers, never trust unsolicited messages claiming to be from your bank, always verify requests through official bank channels, and be extra cautious of urgent transfer requests.”

Fraudsters thrive in moments of chaos, and banking outages provide a prime opportunity. While banks are making strides in operational resilience, there’s still work to be done in closing the fraud prevention gap. Until then, awareness and vigilance remain the strongest tools against financial crime in an increasingly digital world.