Customer acted reasonably when duped by fake bank website

Common scams targeting bank customers, September 2023

In January 2023, Joyce received an SMS text purportedly from the bank saying it had detected an unusual payment attempt on her new card and asking her to click on a link in the text if it wasn't her. Joyce had been trying to activate a new card that morning and was concerned her card had been compromised. She clicked on the link, which took her to what looked like the bank's log-in page, where she entered her username and password. She then received another SMS text and an email from the bank containing codes that the website prompted her to enter.

The next day, the bank noticed unusual payments from the account linked to her card and contacted Joyce. A scammer had set up the bank's mobile app on another device and accessed her account through the app to make transactions totalling $28,505. The bank tried to recover the funds but managed to retrieve only $4,490. Joyce asked the bank to reimburse her the difference but the bank declined her request, saying she had breached the terms and conditions of her account by entering her username and password into the fake log-in page and also by entering the codes to allow the scammer to set up the mobile app.

Our investigation

The Code of Banking Practice requires banks to reimburse unauthorised online transactions unless customers have acted dishonestly or negligently, breached the terms and conditions of their accounts or cards, or failed to take reasonable steps to protect their banking details. The bank accepted the transactions were unauthorised, but said Joyce was not entitled to reimbursement under the online guarantee because she entered her username, password and authentication codes into a fake bank website, in breach of the terms and conditions of her account.

However, Joyce did not know she had disclosed her username and password to the scammer, nor did she intend to disclose them to anyone other than the bank. As for the authorisation codes, she genuinely believed she was giving them to the bank. She did not know the scammer had access to her banking details and was therefore able to set up the bank's mobile app on another device. The text messages accompanying the codes were not sufficiently clear about what the codes were being used to authorise. We did not consider Joyce had acted negligently or breached the terms and conditions of her account when she entered her details and the codes into what she thought was the bank’s website.


The bank agreed to pay the remaining $24,015.
