Customer justified in disclosing code to what she believed was bank employee

Categories:
Fraud & scams
Summary:
In February 2024, Eden received a call from someone purporting to be from her bank. The caller’s number matched that of the bank. The caller said someone had gained access to her credit card account and was trying to make a purchase. A payment of $6,000 was made, and authorised with a two-factor authentication code sent to Eden’s mobile. The caller said she needed to move her money to a safe account. At this point, Eden became suspicious and hung up. She called her bank, and it confirmed it had not called her. She then realised the caller was a scammer.

The bank was unable to recover the money. It declined to reimburse the loss, saying Eden had authorised the payment with an authentication code sent to her mobile phone, and that in sharing the code she had breached the bank’s terms and conditions. Eden said she received the message containing the code but denied sharing it with the scammer. To determine whether the scammer had used malware, spyware or some other means to obtain the code, Eden took her phone to a computer professional, but he could find nothing to suggest this had happened.
Published:
November 2024

Our investigation

Banks must reimburse unauthorised payments unless the customer has acted fraudulently, dishonestly or negligently, failed to take reasonable steps to protect his or her banking, or breached the bank's terms and conditions. Eden's bank's terms and conditions said customers must not disclose verification codes to anyone, including bank staff.

We were not able to determine how the scammer came to obtain the code. But we considered whether it was fair and reasonable for the bank to decline to reimburse Eden based on its belief that she had shared the code with someone she believed to be from the bank. We did not consider it reasonable, because banks themselves have a practice of asking customers for codes to verify certain actions. Granted, those actions are relatively limited, but we thought it unreasonable to expect customers to know the difference between a legitimate situation in which a bank would request a code and an illegitimate – but nonetheless convincing – situation in which it would not.

We then looked at whether it was reasonable for Eden to believe the call was from her bank. We considered it was, because the scammer had used a technique known as "spoofing" to make the call appear to come from the bank's own number. The scammer also had access to personal information about Eden – probably obtained from a data breach or phishing scam – and was able to act convincingly during his interactions with her.

Outcome

The bank agreed to reimburse all of Eden’s loss.