Kirk immediately became suspicious and attempted to log in to his banking but was unsuccessful because the scammer had changed his password. Kirk then changed his password himself and called the bank. However, in the 10 minutes it took Kirk to get through, the scammer had made five payments to a new payee totalling $12,500.
Kirk complained to us that the bank refused to reimburse his loss of $9,300 (the balance of $3,200 having been recovered by the bank).
Our investigation
We asked the bank how it was possible for the scammer to change a password and also set up payments to a new payee with only a single two-factor authentication code. The bank said it had set up its systems so that entering one such code was sufficient for all subsequent actions during an online banking session. We found this unsatisfactory because the time immediately following a password change was often when customers were being scammed. We said it was often easier for scammers to convince a customer to hand over a code to reset a password than a code confirming a payment to a new payee.
The bank told us it had subsequently changed its system so that any payment exceeding $2,000 required another two-factor authentication code. It accepted that it was highly unlikely Kirk would have been scammed if this system had been in place at the time. It therefore agreed to reimburse Kirk’s $9,300 loss, as well as offer a goodwill payment of $1,200 in recognition of the stress and inconvenience he had suffered.
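The two designs the bank described can be compared side by side. The sketch below is an added example, not part of the original case note and not the bank's code. The Session class, the code values and the even split into five $2,500 payments are assumptions, as the case note gives only the $12,500 total.

```python
"""Added example: session-wide 2FA versus step-up 2FA on large payments."""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 2_000  # from the case note: payments exceeding $2,000


@dataclass
class Session:
    step_up: bool            # False = the bank's original design
    valid_codes: set         # one-time codes issued to the customer
    verified: bool = False   # session-level 2FA flag
    paid: list = field(default_factory=list)

    def _consume(self, code):
        """A one-time code is accepted once, then discarded."""
        if code in self.valid_codes:
            self.valid_codes.remove(code)
            return True
        return False

    def change_password(self, code):
        self.verified = self._consume(code) or self.verified
        return self.verified

    def pay_new_payee(self, amount, code=None):
        if self.step_up and amount > STEP_UP_THRESHOLD:
            # A fresh code is required per payment; the session flag is not enough.
            ok = code is not None and self._consume(code)
        else:
            ok = self.verified
        if ok:
            self.paid.append(amount)
        return ok


def replay(step_up):
    """Replay the case: only the one code handed over for the reset is available."""
    # Constructed values: the issued codes and the even $2,500 split are assumed.
    session = Session(step_up=step_up, valid_codes={"111111", "222222"})
    session.change_password("111111")   # the single code given up by the customer
    for amount in [2_500] * 5:
        session.pay_new_payee(amount, code="111111")  # already spent, so rejected
    return sum(session.paid)


if __name__ == "__main__":
    print("session-wide 2FA, total paid:", replay(step_up=False))
    print("step-up 2FA, total paid:", replay(step_up=True))
```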
Outcome
Kirk accepted the bank's offer.