Bank liable for customer loss of $60,000 in phishing scam

The Banking Ombudsman Scheme is seeing increasing sophistication in online phishing scams.

A bank customer who lost $60,000 after receiving an email from what he thought was the Inland Revenue Department has highlighted the increasing sophistication of phishing scams says Banking Ombudsman Nicola Sladden.

The customer entered his banking details and an SMS code to a fake website because he was convinced he was dealing with the tax department and his bank.

"Ordinarily, banks are liable for a customer’s losses as a result of an unauthorised transaction - typically a scam - if the customer has taken reasonable care to protect his or her banking. In this case, such was the sophistication of the scam that we considered the customer had shown reasonable care in the circumstances."

"We therefore found the bank should reimburse the customer the full $60,000."

"Regrettably, it is but one of a growing number of phishing cases, like the recent road toll text scam, involving customers who are duped into disclosing their banking details and thereby enable scammers to steal their money."

"We urge bank customers to be wary of any email or approach that asks them to carry out an online action via phone call or text. A definite no-no is to click on a link or call a number from a text. Customers should always independently contact the organisation concerned to verify any activity they have not themselves initiated."

In the case of the Inland Revenue Department scam, the customer received an email purportedly from the tax department asking him to log into his myIR page and to verify his bank account details in order to receive a tax refund. The page contained a link to what looked - very convincingly - like his bank’s website where he logged in to his internet banking and entered an SMS code.

The entire interaction, with the exception of the bank’s SMS code, was an elaborate front. The SMS code had been generated by the bank when the scammer had attempted to set up mobile banking on his device. The customer thought the SMS was related to his internet banking log-in and it therefore failed to raise suspicion. The scammer then used the code to complete the mobile banking setup, and over subsequent days made withdrawals totalling $60,000.

Ms Sladden said the bank had rejected the customer’s request to reimburse the loss, saying he had breached the terms and conditions of his account by giving the scammer information to access his internet banking, in particular his log-in details and the SMS code. However, the scheme found the customer had acted reasonably in the circumstances. The scheme said the customer might have been alerted to the scam if the SMS message had made clear the purpose of the code - to set up mobile banking on a new device, not, as he thought, to log in on his internet banking.

Ms Sladden said a growing proportion of complaints to the scheme involved scams, yet it knew this was only the tip of the iceberg. Bank data suggests nearly $200 million a year of scam losses.

Banks are obliged to reimburse a customer’s fraud losses, where someone has accessed their banking without authority, so long as the customer wasn’t dishonest or negligent, complied with the terms and conditions of the account, and took reasonable steps to protect his or her banking.

Ms Sladden said scam victims should contact their bank directly for help in trying to recover their money. The scheme could offer independent advice and help to victims experiencing problems dealing with their bank in such cases.