The scammer was able to log in to Harrison’s bank accounts and move money from his other accounts to his account connected to his credit card. He then applied charges totalling $20,000 to Harrison’s credit card. After 10 payments, the bank's system was alerted, and it blocked the credit card. The scammer then transferred Harrison’s money to his transaction account and charged another $10,000 to his credit card. Many of these payments were verified with two-factor authentication codes sent by the bank to Harrison’s mobile. Harrison said he saw the messages when they came in, but the scammer told him he was generating the codes.
Shortly afterwards, Harrison’s wife, who had seen what was happening, realised he had possibly been scammed and called their cyber security provider, which confirmed this. Harrison contacted the bank and the police. He had lost $30,000. Harrison and the bank were able to recover $10,000 from merchants. Harrison asked the bank to compensate him for the remainder, but the bank considered he had breached its terms and conditions and wasn't entitled to any reimbursement. Nonetheless, it offered him half of the loss, or $10,000. He refused the offer and asked us to investigate.
Our investigation
Under the Code of Banking Practice, banks agree to reimburse customers for unauthorised transactions unless the customer breached the bank's terms and conditions or failed to take reasonable steps to protect their banking. The bank’s terms and conditions required Harrison not to share two-factor authentication codes with anyone. Harrison acknowledged he had read the messages accompanying the codes but insisted he hadn't shared the codes. We considered whether Harrison had taken reasonable steps to protect his banking. In our view, a reasonable customer would have read the messages accompanying the codes, absorbed their contents and followed any instructions. In Harrison’s case, the messages said the codes were from his bank to authorise Visa card payments. They also included the name of the merchant and amount of the payment. In addition, the messages said to call the bank if the code wasn't theirs. A reasonable person reading this code would have realised it was from their bank to authorise a payment – not from the cyber security provider, as the caller said – and would have followed the instruction to call the bank. Harrison did not do this, and the bank was not obliged to refund him.
Harrison also failed to show reasonable care by allowing the caller remote access to his computer and to his internet banking when he knew the scammer could control his computer. He had also seen the caller open cryptocurrency and funds remittance accounts in his name – a clear warning sign, or “red flag”.
Outcome
We explained to Harrison that it was unlikely he was entitled to full reimbursement, and Harrison decided to accept the bank's offer.