Bank failed to investigate alternative explanations for downloading of software on to victim’s mobile

Categories:
Fraud & scams, Transaction errors, Payment method,
Summary:
In September 2024, Antoinette received a call on her landline from someone claiming to be from her telecommunications company who convinced her to download remote access software on to her mobile phone to help fix problems she was having with it. The caller asked Antoinette to put her mobile face down next to her modem. Antoinette was on her landline phone with the caller for several hours. The only time she recalled touching her mobile phone was when she entered a series of numbers into the remote access app to allow the caller continued access to the device. Antoinette was clear and consistent in her recollection that the caller did not ask any questions about her banking, and also that she did not do anything relating to her banking on her mobile phone while the caller had remote access to the device.
Published:
August 2025

However, the scammer was able to access Antoinette’s banking via her mobile banking app and make unauthorised transactions totalling $32,000. The scammer accessed Antoinette’s mobile app by entering a PIN and then confirmed the transactions by sending an authentication code back to the bank via Antoinette’s mobile. 

The bank refused to reimburse Antoinette for her loss, saying it considered she had been negligent by allowing the caller to gain remote access to her mobile.

Our investigation

We did not consider Antoinette had failed to take reasonable steps to protect her banking when she downloaded the remote access software on to her phone. She genuinely believed she was allowing her telecommunications provider to help fix a problem she was having with her phone.

The crucial question was how the scammer was able to access Antoinette’s banking app on her phone. The bank’s records showed numerous successful logins to the app using Antoinette’s app PIN. The bank’s view was that the only explanation was that Antoinette either disclosed the PIN to the scammer or logged in to her banking app herself while the caller had remote access to the device. However, we considered there was not sufficient evidence to support either scenario. Antoinette was adamant she never disclosed her banking app PIN and, in fact, never went near her banking app or discussed her banking with the scammer. She was equally adamant she kept her mobile face down and touched it only in order to enter a sequence of numbers to allow the remote access session to continue. 

There were several other possibilities to explain how the scammer had been able to access Antoinette’s banking app. Antoinette had been receiving emails purportedly from her telecommunications company’s support team in the weeks before the scam, and these emails contained links to click on. On at least one occasion, Antoinette clicked on such a link. Also, scammers are increasingly embedding malware in links that can help them defraud anyone clicking on such a link. The bank did not look into any of these alternative possibilities. 

In the circumstances, we were not satisfied Antoinette had failed to take reasonable steps to protect her banking.

Outcome

The bank offered Antoinette $25,000 to resolve the complaint, and Antoinette accepted the offer.

Print this page