Bank liable for customer loss of $60,000 in phishing scam

Common scams targeting bank customers, June 2023

Doug checked his bank accounts one day in August 2022 and discovered $60,000 missing from his savings account. He saw there had been several payments to accounts at other banks in the preceding days, none of which he had authorised. He immediately contacted the bank but it was unable to retrieve the lost funds.

Doug mentioned to the bank that a few days earlier he had received an email from the Inland Revenue Department about a tax refund. He had been dealing with the Inland Revenue Department that week and so this email was not out of the blue. He clicked on a link in the email to take him to his myIRD log-in. There he was prompted to reset his myIRD password and click through to his bank website in order to receive a tax refund. The link took him to a look-alike bank website where he was instructed to log in to his internet banking. The scammer used Doug’s log-in details to set up mobile banking on the scammer’s device – triggering a genuine SMS message from the bank. Doug received the SMS text from the bank. The SMS had a code to be entered to “continue with your log in”. Doug entered the code.

The bank told him the email came from a scammer, not the Inland Revenue Department, and that he had breached the terms and conditions of his account by giving the scammer information to access his internet banking, in particular his log-in details and SMS code. It said it was therefore not obliged to reimburse him for his loss. It did, however, offer him $30,000 as a goodwill gesture. 

Doug declined the offer, complaining that he had not disclosed his banking details but had simply entered them into what he thought was the bank's website. He noted that the SMS message he received from the bank was genuine, and this had reassured him he was, in fact, entering his details into the bank’s online banking website. He also complained that the bank should have detected the unusual transactions on his internet banking.

Our investigation

Banks are liable for unauthorised transactions as long as a customer has taken reasonable care to protect his or her banking and complied with the terms and conditions of the account. In our view, the bank had not shown that Doug had failed to take reasonable care to protect his banking, or that he had breached the terms and conditions of his account. He had not disclosed his internet banking details or SMS code to another person. Rather, he had followed steps to log in to his internet banking on what he thought was the bank's website. Some businesses include links for legitimate purposes and it was not unreasonable in the circumstances for Doug to have believed that the links he clicked on were legitimate. Nor was it unreasonable in the circumstances for him to have entered the SMS code sent to his phone because the accompanying message said it was needed to continue with his log-in. We noted that if the SMS message had made clear the purpose of the code – to set up mobile banking on a new device – Doug might have been alerted to the scam.


The bank reimbursed Doug the full $60,000, plus interest.
