2016 - 2017
Mrs C’s phone banking PIN was obtained by an acquaintance. This person, Ms T, called the bank posing as Mrs C, using the PIN to pass the bank’s authentication process. She was then able to discuss Mrs C’s accounts with a staff member. The staff member made a note that the caller was PIN-validated but sounded young, but didn’t take further action.
Ms T then called the bank again and was again able to speak about Mrs C’s accounts with another staff member. Ms T explained she had forgotten her internet banking password and needed to reset it. The staff member asked an additional security question, which Ms T couldn’t answer. The staff member then advised Ms T she could reset the password using a mobile phone number. Ms T said the existing number was no longer valid so the staff member changed it to one which she provided.
Ms T then used this number to change Mrs C’s internet banking password and access her account. She transferred $5,030 from Mrs C’s account to her own over five days.
Mrs C complained to her bank, which refused to reimburse her as she had breached its terms and conditions by disclosing her PIN. She then complained to our office.
It is almost impossible to guess another person’s PIN, so we considered Mrs C had probably not taken care of it. However, we noted there were several red flags which combined, should have put the bank on notice of potential fraud. These included:
We considered Mrs C’s loss was caused by the bank not taking reasonable steps to confirm Ms T’s identity in spite of these red flags. The bank accepted our view and agreed to compensate Mrs C for all of the unauthorised transfers. Mrs C accepted the bank’s offer.
See our Quick Guide on Looking after your credit and debit cards and PINs for more information about looking after your cards.