Five of the transactions exceeded $9,900 and required two-factor authentication, which would have entailed Ralph entering a code the bank sent via SMS to his mobile to authenticate the transaction. But since the scammer had gained remote access to Ralph’s phone, he was able to enter the codes himself. At the scammer’s request, Ralph did open and deleted the codes.

The bank recovered $15,000, leaving the home loan account overdrawn by $97,000. Ralph asked the bank to reimburse him for this loss, but the bank declined the request because it believed he had failed to take reasonable care by granting someone remote access to his computer and mobile.

Our investigation

Our task was to decide whether Ralph or the bank was liable for the loss. Ralph was entitled to reimbursement under the Code of Banking Practice for unauthorised transactions unless he had breached the bank’s terms and conditions or failed to take reasonable care to protect his banking details. We considered it was reasonable for him to believe the scammer was legitimate and to follow the instructions to install remote access software on his computer and mobile. Scammers can be very compelling, plus Ralph was expecting contact from his telecommunications company. We were concerned, however, that Ralph had opened and deleted text messages that said they were from his bank and sought authorisation to process a payment from his account. We thought a reasonable person would have read the messages, realised someone was attempting to take payments from his or her accounts and contacted the bank.

We were also concerned about the bank’s failure to pick up a series of significant transactions from an account that had never previously been drawn on and amounted to out-of-character behaviour.

Outcome

Ralph and the bank agreed to split the loss equally.