Our investigation
Banks must reimburse unauthorised payments unless the customer has acted fraudulently, dishonestly or negligently, failed to take reasonable steps to protect his or her banking, or breached the bank's terms and conditions. Eden’s bank's terms and conditions said customers must not disclose verification codes to anyone,including to bank staff.
We raised with the bank whether it was fair and reasonable for the bank to decline to reimburse Eden based on its belief that she shared the code with someone she believed to be from the bank. We noted banks have a practice of asking customers for codes to verify certain actions. Granted, those actions are relatively limited, but we thought it unreasonable to expect customers to know the difference between a legitimate situation where a bank would request a code and an illegitimate – but nonetheless convincing – situation where it would not request a code.
We then looked at whether it was reasonable for Eden to believe the call was from her bank. We considered it was because the scammer had used a means called “spoofing” to make it appear as though the call came from the bank. Also, the scammer had access to personal information about Eden – probably obtained from a data breach or phishing scam – and was able to act convincingly during his interactions with her.
Outcome
The bank agreed to reimburse all of Eden’s loss.
Print this page