Christiana said the bank's system must have been compromised because the scammer used an email address belonging to a staff member, and a technician had checked her laptop, and his report showed no signs of malware, viruses or remote-access use. However, the emails – not the laptop – had been compromised, so we looked into whose emails had been compromised. The evidence showed it was more likely a scammer had hacked Christiana's emails and impersonated the staff member. The emails sent to Christiana had not come from within the bank's system, and the scammer had directed Christiana's responses elsewhere, suggesting he or she did not have access to the staff member's email account. The bank said no other bank customers had been caught in this type of scam, which further suggested the scam was not the result of a problem within the bank.
We also looked at whether the bank had met its obligation to keep Christiana’s banking secure by having appropriate security systems in place to prevent impersonation of bank email addresses. The bank said it used two security systems to authenticate emails. It also said third-party email providers should have systems in place to reject emails not authorised by the domain owner. We were satisfied the bank had taken reasonable steps to meet its obligations to Christiana.
We did not uphold Christiana’s complaint.Print this page