Bank failed to notice signature differences

Categories: Telegraphic transfers
Published: December 2013

Summary:
Sarah and her husband Logan, who were overseas visitors, placed $100,000 on term deposit for three years with a New Zealand bank. Soon afterwards, the bank received an email request from Sarah’s email address asking how to withdraw funds. The bank emailed back a telegraphic transfer form to complete. Two forms were subsequently returned with Sarah’s signature, requesting the bulk of the term deposit funds be paid into two accounts, one in New Zealand and the other overseas.

The bank carried out the instructions. Two more telegraphic transfer requests arrived from Sarah’s email. Only one was processed because the two together would have exceeded the remaining balance. 

Sarah and Logan subsequently disputed the withdrawals on the basis they hadn’t authorised them and complained to us when the bank would not compensate them. The bank did not accept it was at fault for acting on the email instructions because they came from an email address Sarah and Logan had given when they opened their accounts. The bank said two staff members had verified that the signature on the requests matched the signature held on file.   

Our investigation

We found that the emails had probably been sent using a programme that hides true IP addresses. We found Sarah’s email account had probably been intercepted while she was using a United States airport’s wi-fi to send emails. With access to her email account, the hacker found old emails containing the term deposit and bank contact details. It became evident the hacker had also found a signed employment agreement attached to an email and copied the signature on to the telegraphic transfer forms. The signature appeared authentic, but did not match either of the two signatures the bank held on file. We considered the bank ought to have seen this and not verified the signature as matching the mandate.  

We also found the bank’s practice when accepting instructions by email was out of step with other banks. Some banks simply do not accept email instructions because of the risk of hacked email addresses. Other banks accept emailed instructions, but only after taking extra steps to verify the requests were from their customer. They will, for example, call the customer on a number held on file and ask a series of security questions.  

We did not accept the complainants contributed to the fraud by accessing their email via public wi-fi. This is common practice, and different to accessing online banking through public wi-fi. We considered the bank would have prevented the fraud if it had taken extra steps to verify the instructions.  

Outcome

We recommended the bank reimburse Sarah and Logan for the full amount fraudulently withdrawn, plus interest. Sarah and Logan accepted our recommendation. 
