Scam victim failed to act on messages accompanying codes

Categories: Fraud and scams
Summary:
In February 2024, Harrison received an email purportedly from his cyber security provider asking him to pay an invoice and including a New Zealand telephone number to call. Harrison said he did not respond to the email, but he later received a phone message from that number asking him to call back. He did so, and the caller identified himself as a member of his cyber security provider. The caller, who was a scammer, said Harrison’s account had been suspended due to suspicious activity, and the company would refund some charges. Harrison filled out an online form with his credit card details to enable the refund to proceed. The scammer asked him to log in to his banking to check if the payment had been made, and Harrison did so. The scammer also asked Harrison to allow him to run some scans, which Harrison agreed to. Harrison could see that the scammer was controlling his computer at the same time he had his internet banking open, so he closed the tab. The scammer told Harrison he needed his help to delete fake accounts in his name. Together, they created new accounts with cryptocurrency and fund remittance agencies.
Published: May 2025

The scammer was able to log in to Harrison’s bank accounts and move money from his other accounts to his account connected to his credit card. He then applied charges totalling $20,000 to Harrison’s credit card. After 10 payments, the bank's system was alerted, and it blocked the credit card. The scammer then transferred Harrison’s money to his transaction account and charged another $10,000 to his credit card. Many of these payments were verified with two-factor authentication codes sent by the bank to Harrison’s mobile. Harrison said he saw the messages when they came in, but the scammer told him he was generating the codes.

Shortly afterwards, Harrison’s wife, who had seen what was happening, realised he had possibly been scammed and called their cyber security provider, which confirmed this. Harrison contacted the bank and the police. He had lost $30,000. Harrison and the bank were able to recover $10,000 from merchants. Harrison asked the bank to compensate him for the remainder, but the bank considered he had breached its terms and conditions and wasn't entitled to any reimbursement. Nonetheless, it offered him half of the loss, or $10,000. He refused the offer and asked us to investigate.

Our investigation

Under the Code of Banking Practice, banks agree to reimburse customers for unauthorised transactions unless the customer breached the bank's terms and conditions or failed to take reasonable steps to protect their banking. The bank’s terms and conditions required Harrison not to share two-factor authentication codes with anyone. Harrison acknowledged he had read the messages accompanying the codes but insisted he hadn't shared the codes. We considered whether Harrison had taken reasonable steps to protect his banking. In our view, a reasonable customer would have read the messages accompanying the codes, absorbed their contents and followed any instructions. In Harrison’s case, the messages said the codes were from his bank to authorise Visa card payments. They also included the name of the merchant and amount of the payment. In addition, the messages said to call the bank if the code wasn't theirs. A reasonable person reading this code would have realised it was from their bank to authorise a payment – not from the cyber security provider, as the caller said, and would have followed the instruction to call the bank. Harrison did not do this, and the bank was not obliged to refund him.

Harrison also failed to show reasonable care by allowing the caller remote access to his computer and to his internet banking when he knew the scammer could control his computer. He had also seen the caller open cryptocurrency and funds remittance accounts in his name – a clear warning sign, or “red flag”.

Outcome

We explained to Harrison that it was unlikely he was entitled to full reimbursement, and Harrison decided to accept the bank's offer.
