Customer acted reasonably despite sharing codes with scammer

Categories:
Fraud & scams
Summary:
Greer received a call from someone who said he was from her bank and had identified some unusual transactions. The caller said he would suspend her internet banking and cancel payments, and that she would receive codes for these actions, which she should read out to him. Greer checked the caller’s number and it matched the bank's number on its website, so she followed the caller's instructions. She became suspicious and hung up when the caller told her she needed to move her money to a safe account. She called the bank, and a staff member confirmed it was a scam. The scammer had made a transaction of $30,000 from her credit card account and attempted a second large payment (which the bank’s security system had detected and blocked).
Published:
November 2024

Greer spent an hour and a half on the phone with the bank explaining what had happened. The staff member suspended her internet banking and arranged replacement cards, as well as taking the opportunity to register her husband Anton so he also could receive two-factor authentication codes – a process that involved reading out a code sent to him via text message. The staff member then said it might be possible to get back the money and passed Greer to another staff member, to whom she had to repeat her story a second time. The second staff member repeated the steps taken by the first staff member.

After getting off the phone, Greer immediately called the Auckland-based merchant where the scammer had made the purchases, but it was too late – the scammer had picked up the goods just 15 minutes earlier. The bank contacted the merchant to ask it to hold or return, but because the goods had already been released, the merchant would not agree to return the money.

Greer asked the bank to reimburse the loss, saying she had not authorised the payments. She also said the bank might have prevented the loss if it had acted promptly when taking their fraud report and trying to recover the money. The bank refused her request, saying she had shared the text code used to authorise the payment – an action that was in breach of the bank's terms and conditions. Nonetheless, it offered to reimburse half of the loss. Greer said the bank’s basis for declining her request – that she had shared the codes – was unfair because the bank itself had asked Anton to do the very same thing: read out a code sent to him via text message.

Our investigation

The Code of Banking Practice requires banks to reimburse unauthorised transactions unless a customer has acted negligently or dishonestly, failed to take reasonable steps to protect his or her banking or breached the bank's terms and conditions.

The bank’s terms and conditions did in fact say that customers must not share certain codes, but the bank itself had asked Anton to share a code – meaning this wasn’t a universal rule. Banks’ terms and conditions should be consistent with the online fraud guarantee to reimburse customers for unauthorised transactions unless the customer has acted negligently or dishonestly.

We found Greer had indeed taken reasonable care in the circumstances because:

  1. She had checked that the number used by the caller was, in fact, that of the bank. It had appeared to be so, but the scammer had “spoofed” the number, that is, falsified the number displayed on her phone’s caller ID – something Greer was not to know.
  2. The scammer had throughout his interactions with Greer skilfully mimicked the way real banks interact with customers.
  3. The messages accompanying the codes sent by the bank did not warn against sharing them.
  4. The scammer’s explanation for sharing the codes was sufficiently close to their true purpose to trick a reasonable person.
  5. Greer had hung up and called the bank as soon as she became suspicious about the caller's real identity.

In addition, we had concerns with how the bank had handled their fraud report, and thought that better handling could have resulted in the loss being prevented.

Outcome

We recommended the bank reimburse the $30,000, along with $1,000 offered for delays in handling their case.
