08 Jan 2015
Scams are increasingly common and sophisticated. Bank customers need to be vigilant to ensure they don’t become a victim and lose money. We receive complaints from customers who have lost money to scammers and we investigate the circumstances of their cases to determine whether the customer or bank is liable for the losses.
This guide has tips and advice to protect your finances from potential scammers, information about common scams that affect bank customers, and general guidance on our approach to complaints about scams.
Be on guard at all times with your banking by taking the following precautions:
If you are not satisfied with your bank’s response you can contact us to see if we can help you.
In phishing scams a customer receives an email seemingly from their bank. The email says the customer needs to confirm some personal details, usually their internet banking username and password. It will contain a link to a website which looks like the bank’s but is fake, made to gather the username and password information. Once the scammers have these details they can access the customer’s account and take money.
Be wary of emails which appear to be from your bank but ask you to confirm your personal details. Banks will not ask you for your password in emails. Be wary also of clicking links within emails. If you need to visit your bank’s website type the address into your browser.
If you enter your details into a fake website as a result of a phishing scam you may be liable for any losses because you have disclosed your internet banking password.
Bank customers can also be tricked into sending their money to scammers. The circumstances in which customers do this vary. Common examples include customers being asked to send a processing fee to access an investment or inheritance, or to help someone they have met on an online dating website. Some customers caught by these scams have sent hundreds of thousands of dollars overseas.
You should always be careful if someone you don’t know or have only met online asks you for money. In most cases once money has been sent it cannot be recovered. If your bank has correctly followed your sending instructions it will generally not be liable for your losses.
Another scam involves bank customers being sent stolen money from another victim’s bank account and being asked to forward it, often overseas. The customer forwarding the money is often a middle person, known as a mule.
The customer generally doesn’t know the money is stolen, and has been told what they think is a legitimate reason to make the payment. Examples include customers who think they are sending money as part of a job application, or customers sending money to help someone they have an online relationship with.
In some cases a bank’s terms and conditions will allow it to reverse a payment from the mule’s account if the mule knew or should have known the funds were stolen. In other cases we may apply a mistaken payment analysis, which says the mule must repay the money unless:
Further information about this framework can be found in our Quick Guide on Mistaken Payments.
These scams involve getting a customer to disclose their PIN. The scammer has generally already stolen the customer’s wallet, but to use the cards they require the PIN.
Scammers use different techniques to get their victims to disclose PINs. For example, the scammer may say they are from the bank, and that there have been suspicious transactions suggesting the card has been stolen. The scammer says they will cancel the card for the customer, and require their PIN to authorise the cancellation. Banks never ask you for your PIN.
Another common technique is when the customer is told they have won a prize such as a voucher. The customer has to pick a four-digit number so they can be identified when they pick up the prize. The scammer may actually be standing at an ATM making the call. If the customer does not immediately give their bank PIN the scammer will say the number provided has been taken, and to pick another one. The scam relies on the customer eventually providing their bank PIN.
You should never reveal your current PIN to anyone, including bank staff. If you need a four-digit code for something other than a bank card you should make it different from your bank PIN(s).
If you disclose your PIN, even unintentionally, to anyone you’re breaching your bank’s terms and conditions and you will generally be liable for fraudulent transactions.
Other Banking Ombudsman Scheme Quick Guides with advice for safe banking include:
Mr F began corresponding with Ms B through an online dating site. After several months, Ms B told him she was moving to Ghana. Later, she emailed saying that she needed him to buy her a laptop as it had been stolen when she arrived in Ghana. He did so, and sent it to the address Ms B had supplied.
Ms B then began requesting money from Mr F for other things. She managed to convince him to call the bank and instruct it to transfer money to an account in Britain in the name of a Mr W. On four separate occasions, Mr F transferred money to Mr W’s account.
When Mr F realised he had been defrauded, he contacted his bank. He believed it should have alerted him to the possibility the recipient was a fraudster and should have prevented the transfer of $43,972 to the account. In Mr F’s view, banks should query customers about transactions involving the transfer of large sums overseas.
The bank said it could not have known the transfers were suspicious, and was not responsible for losses from transactions he authorised.
It was clear to us Mr F was a fraud victim, but we had to determine whether the bank was liable. We were satisfied it was unaware Mr F might have been the victim of a scam: it could not therefore have warned him about something it didn’t know about.
The bank was also unaware Mr F had met Ms B on an internet dating site. He gave bank staff the impression Ms B was a trusted friend. He gave a plausible explanation about the intended use of the money. When a bank employee queried the transfer to Ms B via Mr W’s account, an unusual practice, he appeared unconcerned. Mr F also said he appreciated that Ghana was not the best place to be sending money.
From the information we reviewed, including phone calls between Mr F and bank staff, it was clear Mr F requested and authorised the payments to the British account. We considered that even if Mr F had been warned about the possibility of fraud, he would possibly still have made the payments, because he strongly believed Ms B was genuine.
The fraudster, by starting with the transfer of a relatively small amount, had set out to establish a track record between Mr F and Mr W, enabling later and larger transactions to take place without raising bank staff suspicions.
Mr A had been unemployed for two years. He received an email from a stranger, offering employment as a mystery shopper. He replied with the requested contact details and the name of his bank, and received his first assignment – transferring money to an account in Nigeria.
Despite having suspicions, Mr A decided his bank would intervene if it had any concerns about the transactions and so followed instructions. He gave his new employer his bank account number and $3,000 was soon paid into his account. He immediately transferred $2,700 to the Nigerian account, leaving him with a payment of $300.
But soon after he transferred the money, his bank discovered the $3,000 deposit into his account had been fraudulent and reversed it. Mr A was left with a $2,700 debt and blamed the bank, believing its security systems should have protected him from unauthorised access of his account.
Having $3,000 deposited into his account when he had freely given the details is not unauthorised access and is outside the bank’s control. The unauthorised access was into the account of a customer from another bank from where the fraudsters obtained the $3,000 they transferred to Mr H.
While he may have believed the transaction was legitimate, we did not consider that was a reasonable view given the circumstances of the job offer and his initial suspicions. We reviewed the bank’s terms and conditions which allowed for transaction reversals if funds may be used for money laundering, so we determined the bank was entitled to reverse the transaction.
Mr A’s 3,000 debt was, meanwhile, increasing further in the hands of a debt collection agency. With our encouragement, the bank agreed to recall the debt and accept a lump sum payment of $3,200 - around $1,000 less than Mr A would have had to pay the collection agency.
Mrs M took a phone call at work from someone saying she had won a $1,000 AA gift voucher. The caller asked for a four-digit password to redeem her voucher. She gave three and each time the caller said they were already taken. She was then given a random one to use. Unbeknown to Mrs M at that stage, her handbag containing two EFTPOS cards had been stolen from work and the so-called voucher was simply a trick to get the PINs for her EFTPOS cards.
The offender then accessed more than $6,000 of Mrs M’s money via purchases and cash withdrawals. When Mrs M realised her handbag was gone, she cancelled her cards and asked the bank to reimburse her when she became aware of the theft.
The bank said it was not liable because Mrs M had not taken care of her cards as specified in her accounts’ terms and conditions. She had left her bag in an unsecured place and been careless with her PINs (which were the same for both cards). It understood she had disclosed the digits of her PIN to the offender when she gave the three 4-digit passwords. The offender then used this information to decipher her PIN.
However, as a goodwill gesture the bank offered to reimburse half her loss. Mrs M did not accept because she didn’t think she was in the wrong and complained to us. She told us she did not give her PIN to the offender, but our investigation suggested otherwise as:
We thought it likely that Mrs M had used the same passwords for different purposes. Customers should not reveal their PINs and, for additional security, we recommend customers have unique PINs for each bank card and not use these for other purposes.
Given this, we encouraged Mrs M to reconsider the bank’s offer as it appeared she contributed to her loss by revealing her PIN. Mrs M accepted our view and decided to accept the bank’s offer.