Banks compensate for fraud even when customers share passwords
Banks are being told they must share fraud losses, even in cases where customers handed over Pins and passwords to crooks.
Ordinarily, when customers have been conned into handing over their Pin (personal identification number) or password to criminals, banks are not obliged to compensate them for their losses.
But in several Banking Ombudsman cases, banks were found not to have acted on ‘‘red flags’’ or moved to protect customers too slowly, letting crooks steal more.
‘‘Banks have no general duty to protect people from the consequences of their own decisions, but they do have a duty to provide services with reasonable care and skill,’’ Banking Ombudsman Nicola Sladden said.
The ombudsman scheme received 370 complaints about scams last year, and she believed thatwas just the ‘‘tip of the iceberg’’.
In some cases, the ombudsman found banks could not have done anything to prevent their customers from being scammed, including in cases where customers lied to banks about what they were going to use their money, or a loan, for.
Failure to move quickly
A man was conned by a cold caller claiming to be from his telecommunications provider to give him remote access to his computer. The crook used that access to make three transfers over two days, stealing $55,000.
This happened because the man had left his internet banking logged in on the first day, and on the second day had either logged in himself, or let the crook obtain the two-factor authentication he needed to log into his internet banking.
The ombudsman found the bank hadn’t helped the man understand he could have better protected his accounts, and found the bank could have tried to prevent $6500 of the money stolen from going overseas.
The bank had to pay the man $11,500 towards his losses.
Slow to act
In a similar case, a woman who was having problems with her internet connection was cold-called by a crook pretending to be from her telecommunications provider.
She too gave the crook remote access to her computer, and he convinced her to log into some of her commonly used websites as part of the ‘‘troubleshooting process’’, including internet banking. He stole $10,000 from her.
She later realised she might have been scammed, and called the bank, but neither she nor the bank checked her recent transactions.
That hindered efforts to recover the money, the ombudsman concluded, and only $1300 was recovered.
‘‘Police were able to provide us with information showing $7500 was still in the account the next morning, so an earlier recovery attempt would probably have been successful,’’ Sladden said.
The ombudsman ordered the bank to pay half the $7500 that could have been recovered.
Red flags ignored
One couple in their 70s were hoodwinked into ‘‘investing’’ into a supposed Hong Kong investment scheme, cashing up their term deposits, and sending them via Western Union to Hong Kong. After two months, they’d sent $100,000 overseas. They took out two $10,000 personal loans over the course of two weeks, and sent that money to Hong Kong too.
The ombudsman found the borrowing done by the couple was so contrary to their normal account conduct that the bank should have questioned them closely about it.
The bank reimbursed the couple half of the last $10,000 loan.
Bank allowed second theft
‘‘Banks . . . do have a duty to provide services with reasonable care and skill.’’
Nicola Sladden
Banking Ombudsman
A father lent his son-in-law money to buy a property, and also gave him his internet banking login details so he could keep track of repayments. The son-in-law betrayed him by transferring $112,500 from his accounts.
A family member of the father notified the bank, which told him the father was responsible for his loss, as he had given away his login details.
The bank told this family member to tell the father to change his login details, which he didn’t do.
The son-in-law also managed to load his own mobile number as the father’s, doing so in a visit to a branch, and had set up mobile banking. Six months later, the son-in-law used it to take another $45,000.
The ombudsman found the bank had not taken steps to secure the father’s banking, and it ended up paying him compensation of $30,000.
Sladden said people should never share their pins or passwords with anybody. ‘‘Keep your cards close, don’t share bank Pins or passwords, and stop and think before clicking links,’’ she said.
Scammers were getting smarter, and the stakes were high for banks and their customers, she said.
‘‘When shopping online, only use your card on trusted sites. Beware of random texts, such as the bogus package delivery text, or emails asking for login details, Pins or passwords. Before clicking links, stop and think: Is this for real?’’