During the break, the scammer transferred $30,000 from Dave’s bank account to accounts with two banks, bank A and bank B. Dave said he did not log in to his internet banking the following day, although his username, password and two-factor authentication codes were used twice more to transfer $15,000 and $10,000 out of his accounts to bank B.

Later that day, Dave realised he had been scammed and called his bank, which contacted bank A and bank B to try to recover the money. Bank A told Dave’s bank that the recipient of Dave’s money had already sent it away and it could not be recovered. Bank B told Dave’s bank that some of the money ($6,500 and $7,500) had been transferred to two customers who held accounts with Dave’s bank. Dave’s bank contacted the customer who received the $7,500 but it was too late – they had already sent the money away. Dave’s bank didn’t contact the customer who received the $6,500 and this money didn’t leave that customer’s account until the next day.

 Dave asked his bank to reimburse him for his losses because he had been a victim of fraud but the bank declined because it said he had been negligent.

Our investigation

Under the Code of Banking Practice, a bank will reimburse customers who are genuine victims of internet banking fraud provided they have complied with the bank’s terms and conditions and have taken reasonable care.

 Dave had breached the terms and conditions on the first day by leaving his internet banking logged in while his computer was unattended. We thought it was likely he hadn’t taken reasonable care on the second day because the scammers had been able to obtain the two-factor authentication codes needed to log in, or he had logged in himself, and Dave had been unable to explain how or why this had happened. Therefore, Dave wasn’t entitled to the protection of the fraud guarantee under the Code.

 However, we considered the bank should have tried to recover the $6,500 before its transfer overseas. We also considered the bank hadn’t given sufficient information about the various types of two-factor authentication it offered customers. It had an option which would have protected Dave against the scam, but hadn’t explained the risks and benefits of each option. Had Dave known this, he could have taken steps to make his internet banking more secure against unauthorised access. 

Outcome

We recommended compensation of $5,000 for the lost opportunity to secure his internet banking against unauthorised access, as well as payment of $6,500, the amount the bank had not tried to recover.