A campaigner is planning a group action aimed at trying to recoup the losses of Santander customers caught out by fraudsters.
Richard Emery, who has worked in civil litigation for 20 years, said he would take a group complaint to the ombudsman or the courts.
He believes that a loophole in Santander’s security system was exploited by fraudsters.
But Santander said that victims failed to keep a passcode private.
One of these victims was Alex Luke, from London, who had £180,000 stolen from her account.
“I had a call from someone I thought was BT,” she told the BBC. “They had all my personal details and they said that they needed to put security on to my computer to prevent me losing everything.
“So they got me to log on to my Santander account and get a security code.”
She later discovered that nearly all of her money had gone from her account. Her bank managed to recover £40,000 but Santander refuses to compensate her for the rest of the missing money.
Mr Emery, who runs 4keys International, argued that there was a loophole that allowed fraudsters, posing as BT, to gain access to the money – and others had suffered the same fate.
“If Santander customers create a new account payee, they have to authorise it with a One-Time Passcode system or OTP. But there was a huge loophole – you could amend an existing payee, changing their account and sort code numbers,” he said.
“All other banks prevent a change to existing payees’ account details. They should now compensate all customers affected. Whilst the customer holds the first key to the door, Santander holds the second key and in these cases they left the door open and the crooks exploited it.”
But Santander does not agree.
“We refute Mr Emery’s position that there is a loophole,” a spokesman said.
“The security for amending a payee and a new payee was the same. If the customers had not given access to their account and shared their individual one-time passcode with a third party, then they would not have lost their money.”
However, within three weeks of Mr Emery’s objections, which were broadcast on BBC Radio 4’s Money Box, Santander had upgraded its security.
Mr Emery said he was planning to take a group case to the Financial Ombudsman or, if that failed, file a collective civil action against Santander.
Fraudsters are continually changing the way they target bank customers, according to Action Fraud – the UK’s national reporting centre for fraud and cyber-crime.
Thieves have been stealing large sums of money from victims’ bank accounts by intercepting calls, or tricking people into revealing details of texts sent by banks, as in the case of Alex Luke.
Meanwhile, many companies are having their coffers emptied by scam emails, such as community football club Laurel Park FC, in Lower Earley, near Reading in Berkshire, which supports 400 young players in 27 youth teams.
It was conned out of nearly £30,000 when the club’s treasurer received what seemed to be a genuine email from the chairman along with invoices from a supplier, which he paid.
But the account details were those of a fraudster and despite pleading with their bank, Barclays, the club has taken a big financial hit and faced closure
Ian Jobson, the club’s development officer, said: “Because we requested the payments to be made, Barclays believed we were liable for the loss. The fraudsters got away with it.”
Barclays said they had already warned businesses and community projects of rising “CEO fraud”.
“This scam is a tragic case of criminal theft by a fraudster impersonating the chairman in an email to an employee within his business. We acted swiftly to recover any funds that remained in Barclays accounts at the time this was reported. We hope that the police urgently investigate this matter and bring the criminal to justice,” the bank said.