Downloading software not in itself a failure to take reasonable care of banking

Categories:

Fraud & scams, Payment method, Bank accounts,

Summary:

Marsha had been having problems with her internet speed, and had been in touch with her internet provider about the matter. A few weeks later, in October 2024, Marsha received a call on her landline from someone claiming to be a technician ringing to fix her modem. The caller asked Marsha to place her mobile phone by her modem, and proceeded to ask Marsha to take some steps on her computer to try to fix her internet speed. The caller tricked Marsha into downloading remote access software on to her computer before asking her to log in to various accounts and webpages to “test her internet speed”. As part of this, Marsha logged in to her internet banking. The caller was able to obtain Marsha’s internet banking details.

Published:

August 2025

The caller then separately logged in to Marsha’s internet banking and set up a payment of $14,200. This triggered a text to Marsha’s mobile with an authentication code, which had to be texted back to the bank (along with a “screen code” that would show on the internet banking page). Marsha’s clear and consistent recollection was that, as soon as she heard her mobile receive a text and read the text, she hung up on the caller and shut down her computer. A few hours later, she checked her banking and discovered the $14,200 payment and immediately called the bank

The bank refused to reimburse Marsha for her loss, saying it considered she had failed to take reasonable care of her banking by downloading remote access software on to her computer.

Our investigation

We did not consider the act of downloading remote access software on its own to constitute a failure by Marsha to take reasonable steps to protect her banking, that is, her internet banking details. Downloading such software is not, in itself, enough to access a customer’s banking, and we therefore looked at whether Marsha took reasonable care of her banking credentials after allowing the remote access software to be installed. We considered it unlikely any reasonable person, including Marsha, would have knowledge of keystroke logging software, which is downloaded along with remote access software and allows a scammer to see the customer’s password when he or she types it in. Many customers would be unaware that simply logging in to their banking while someone was working on their computer amounted, in effect, to disclosing their login details.

We also had reservations about whether Marsha had, in fact, texted the authentication code and online screen code to the bank. Marsha’s evidence was very clear and consistent on this point: she maintained that she did not send a reply text and hung up the phone when she saw the text. The bank did not investigate this point or investigate alternative ways that the scammer might have obtained the code. There were several possible alternatives that were consistent with Marsha’s recollection