It began with a text purportedly from O2. The message informed Stephen Frew that his latest payment could not be processed and asked him to update his card details via a link. Frew duly obliged. Within a week the £21,330 he was about to use as a deposit on a flat was stolen from his bank account.

He is far from alone. The senior hospital nurse, who is in charge of Covid admissions, is one of thousands to have lost their life savings in an online scam known as Authorised Push-Payment (APP) fraud, which has intensified as fraudsters exploit the pandemic to target stressed customers. Over £200m was lost to APP fraud in the first half of this year according to new figures from trade association UK Finance.

Scammers are adapting their tactics as people spend more time at home. “We are using internet platforms for shopping more than ever,” says Katherine Hart of the Chartered Trading Standards Institute. “Phishing scams have existed for a long time, but the current crisis has made people more vulnerable.”

The scam usually starts with an email, text or phone call purporting to be from a trusted organisation, warning householders of suspicious activity on their account or enforcement action over unpaid bills. The goal is to frighten them into divulging security details that will allow access to their bank account. And whereas fake demands were once relatively easy to spot, sophisticated technology can make the messages almost indistinguishable from official correspondence.

Since March my consumer inbox has filled with heartbreaking tales from young and old who have suffered life-changing losses. While banks have improved fraud prevention technology – £73.1m stolen in APP fraud was reclaimed for customers in the first six months of 2020, an 86% increase on last year – many victims are still left out of pocket.

A voluntary scheme for compensating customers has been denounced as a lottery by campaign groups, who say that only 38% of stolen funds have been covered by banks who signed up to the pledge, and that some banks refuse to engage.

In Frew’s case the scammers used the card details he had submitted via the text link to make four purchases several days later. This triggered a phone call from his bank, Triodos, flagging up suspicious transactions. So when a second call told him his account had been hacked, he didn’t question it.

This time, however, it was the scammers masquerading as Triodos’s fraud team. Number-spoofing technology made it look as though they were ringing from the bank’s customer service department, and their knowledge of the fraudulent payments convinced him they were authentic. When they told him they needed his security details to move his money to a safe account, he unsuspectingly complied.

“My partner and I have now had to abort the purchase of the flat and are left with solicitors’ fees to pay and no deposit for another property,” he says.

Triodos refunded the credit card transactions and the £21,330, but it reclaimed the latter sum after an investigation concluded that Frew had ignored warnings not to disclose security details. Gareth Griffiths, head of retail banking, says: “We reimbursed the previous day’s incidents of card fraud for this customer, but it is difficult to continue to secure an account if they give out their private security details over the phone.” Frew has issued a formal complaint about the decision and intends to appeal to the Financial Ombudsman Service.

While banks are stepping up measures to detect and prevent fraud, critics claim that the authorities are failing to catch the criminals behind it. Victims are told to report the crime to Action Fraud, a data processing centre outsourced by City of London police. However, an investigation by the consumer group Which? branded the centre unfit for purpose after finding that many complaints are not passed on to the police for investigation. Only 2% lead to charges. It was recently revealed that police chiefs are seeking a new company to take over the service in a £60m revamp. Action Fraud insists that every report is important and helps build a clearer picture of criminal activity.

In April, City of London Police and the National Cyber Security Centre launched a Suspicious Email Reporting Service. It allows the public to refer possible phishing messages to an automated service which will scan web links and remove the websites if they are found to be invalid. It has so far identified 6,501 scams after receiving 1.7 million reports.