Granting remote access to internet banking did not amount to taking reasonable care

Home Guides & cases Case notes Other - 52330

Granting remote access to internet banking did not amount to taking reasonable care

Categories:

Common scams targeting bank customers,

Summary:

Polly was having problems with her internet when she received a call from her internet services provider. She gave the caller remote access to her computer to help fix the problems. The caller instructed Polly to log in to commonly used websites as part of the troubleshooting process. Polly logged into her internet banking, along with some other website. Unknown to her, the caller was able to obtain Polly’s username and password and transferred $10,000 to another New Zealand bank account.

Published:

January 2020

Speaking to a friend later that day, Polly realised she might have been scammed and her internet banking might be at risk. She called the bank and told it to suspend her internet banking. Neither Polly nor the bank checked her recent transactions, so the $10,000 transaction went unnoticed until the next day when Polly asked the bank to reinstate her internet banking. The bank was able to recover $1,300. Polly asked it to compensate her the remaining $8,700. The bank declined because it considered she had not taken reasonable care with her internet banking.

Our investigation

The Code of Banking Practice says a bank will reimburse unauthorised fraud transactions unless the customer has somehow disqualified him or herself from protection (the onus is on the bank to demonstrate this). One of the ways this can happen is if the customer acts negligently (that is, fails to observe a reasonable standard of care). Banks must exercise reasonable care and skill when attempting to recover fraud losses.

We thought it was reasonable for Polly to believe the caller was her internet service provider trying to help out, but unreasonable for her to log in to her internet banking while the caller had remote access. Polly had had experience with this software before and knew it meant the other person could see what she was doing and could control her computer. Having not taken reasonable care, she wasn’t entitled to reimbursement under the Code.

However, we also thought both Polly and her bank should have checked her accounts to see if any funds had been withdrawn when her suspicions were aroused. If either had done so, efforts to recover the money could have begun sooner. Police were able to provide us with information showing $7,500 was still in the account the next morning, so an earlier recovery attempt would probably have been successful.

In light of our views, the bank offered Polly $3,100 – half of the difference between what was actually recovered and what could have been recovered with earlier action.