Two years later, Daniel was having different technical problems – his computer and internet service were running slowly. He received a call from someone who said he was from his internet service provider. The caller said technicians were carrying out work in Daniel’s area, and this was affecting customers’ internet speed. The caller offered to help Daniel detect and remove viruses, which he said would help correct this problem. Daniel accepted the offer. The caller instructed him to download what he described as virus detection software. He then instructed Daniel to log in to his internet banking to check the site had two padlocks in the corner. Daniel did so and told the caller the site had only one padlock. The caller replied that Daniel should call his bank and set up his international payment facility because this would trigger greater security measures, including the second padlock.

Daniel was on the phone to the caller intermittently over two days, during which time he called the bank to set up an international payment facility. When the bank asked him how much he wanted to send overseas, Daniel told the bank $10,000 when he had no intention of sending any money. The bank set up the international payment facility on Daniel’s instructions.

Eventually Daniel became frustrated and phoned his internet service provider. The company told him it was not doing any work in his area, whereupon he realised he had been scammed. He called the bank, which suspended his internet banking. However, $50,000 had already been transferred to international accounts. The so-called virus detection software was, in fact, remote access software, and the caller had been able to covertly obtain Daniel’s internet banking username and password when he logged in to his internet banking.

Daniel’s bank was able to recover only $10,000. Daniel wanted it to compensate him the remaining $40,000, but it declined, saying he had been negligent by following the caller’s instructions. Daniel said the bank should have required him to use the two-factor authentication system, which would have prevented the loss.

Our investigation

The Code of Banking Practice says a bank will reimburse unauthorised fraud transactions unless the customer has somehow disqualified him or herself from protection (the onus is on the bank to demonstrate this). One of the ways this can happen is if the customer acts negligently (that is, failed to observe a reasonable standard of care). Banks also have an obligation to provide information about how customers can bank securely.

The caller’s technique was sophisticated and his explanations compelling, though Daniel recognised he wasn’t at his best during the call. But Daniel had not been entirely forthcoming with the bank when he called to set up the international payment facility. However, the bank should have reminded Daniel that the two-factor authentication was turned off. The bank’s website said that the two-factor authentication system was a requirement of making international payments. Nonetheless, it had allowed the transfers without this requirement.

Outcome

On this basis, Daniel and the bank agreed to split responsibility for the loss evenly and the bank reimbursed Daniel $20,000.