Bank not at fault for impersonation of staff member

Home Guides & cases Case notes Fraud & scams - 78133

Bank not at fault for impersonation of staff member

Categories:

Fraud & scams,

Summary:

A scammer intercepted emails between Christiana and her bank while she was in the middle of arranging an investment and directed her to put $10,000 into a different account, which she did. When she realised she had been scammed, she asked the bank to compensate her. The bank said the scammer had compromised Christiana's emails, and it wasn't at fault for her loss.

Published:

September 2022

Our investigation

Christiana said the bank's system must have been compromised because the scammer used an email address belonging to a staff member, and a technician had checked her laptop, and his report showed no signs of malware, viruses or remote-access use. However, the emails – not the laptop – had been compromised, so we looked into whose emails had been compromised. The evidence showed it was more likely a scammer had hacked Christiana's emails and impersonated the staff member. The emails sent to Christiana had not come from within the bank's system, and the scammer had directed Christiana's responses elsewhere, suggesting he or she did not have access to the staff member's email account. The bank said no other bank customers had been caught in this type of scam, which further suggested the scam was not the result of a problem within the bank.

We also looked at whether the bank had met its obligation to keep Christiana’s banking secure by having appropriate security systems in place to prevent impersonation of bank email addresses. The bank said it used two security systems to authenticate emails. It also said third-party email providers should have systems in place to reject emails not authorised by the domain owner. We were satisfied the bank had taken reasonable steps to meet its obligations to Christiana.