Fraudster tricked victim into disclosing authentication code

Categories:
Fraud & scams
Summary:
Ignatius received an email purporting to be from Spotify asking him to update his payment details. He clicked on the link and entered his details into what turned out to be a fake Spotify website. A fraudster was then able to use these details to make a transaction totalling $7,000 to a travel site. His bank offered to reimburse 50 per cent of the loss, but Ignatius wanted full reimbursement.
Published:
November 2024

Our investigation

We concluded the transaction was unauthorised because it was made without Ignatius’ knowledge or consent. Unless Ignatius had failed to take reasonable steps to protect his banking credentials, the online fraud guarantee would require the bank to refund the full amount. We therefore needed to establish whether Ignatius had indeed taken such steps. The bank processed the payment after the fraudster entered the two-factor authentication code sent to Ignatius’ device. The fraudster could have obtained the code in only one of two ways: either by installing malware on Ignatius’ device or by tricking him into disclosing the code on the fake Spotify website. Ignatius arranged for a company to conduct an anti-virus scan of his device. It found no malware. We therefore concluded Ignatius had probably been tricked into disclosing the code which authorised the payment to the travel site.

Outcome

We did not uphold Ignatius’ complaint. The bank repaid him half of the loss on a goodwill basis.
