- In short: Customers get mixed results when they complain to their banks for not refunding money lost to phishing scams.
- What's next? Last month, the federal government said it would introduce changes to hold banks accountable if their customers were defrauded.
It was while scanning his bank account during an overnight break that nurse Roger Parker realized something had gone "hopelessly wrong."
Parker was saving to pay for a new house, but an app on his phone informed him that $16,000 was missing from his account.
Unbeknownst to the healthcare professional, 11 new recipients were added to his ING address book within two hours.
Seventeen unauthorized transactions, almost all of $999 each and with a total value of $16,067, were made from his account to the newly added contacts, and his daily transfer limit was increased to $15,000. None of the transactions were detected by the bank.
In a panic, he called ING, hoping the bank would get his money back.
Instead, Parker said ING informed him that he was at fault and that his account was accessed after he clicked on a phishing link and gave his details to the scammer.
“We have considered all the circumstances that contributed to the transaction and have determined that… ING is unable to accept responsibility for the transactions as the SMS security codes and its secure access code have been disclosed to authorize the transactions in question," an ING representative said in an email to Mr Parker.
"For the reasons stated above, I respectfully decline your request for a refund."
Phishing is when scammers send emails or text messages, often containing links to fraudulent websites masquerading as reputable companies such as banks.
Parker, who said he had no recollection of clicking on a phishing link, was stunned by the decision.
“I was really angry about it. It seems like everything is being blamed on consumers, especially with all of today's technology changing so fast," Parker said.
"Hackers are perfecting their methods and it seems we are the poor bastards who suffer the most."
Banks subject to voluntary regulation
The banking industry's response to financial fraud, and how the Australian Financial Complaints Authority controls the bank's response, are now under scrutiny as consumer advocates call for a change in the rules that would force financial institutions to respond more consistently.
It comes after a report by regulators showed that Australians lost a record $3.1 billion to fraud last year, but large banks only compensated their customers for about $21 million, and sometimes as little as 2 percent of the amount lost.
Electronic payments, including online banking, are governed by a voluntary provision called the Electronic Payments Code.
Tom Abourizk of the Center for Consumer Action Law said there was a "desperate need for law reform" to better regulate the sector.
"There is a real gap when it comes to clear applicable rules," Abourizk said.
"Banks may opt out of the [Electronic Payments Code] if they start to dislike the decisions made on their basis. And with that in mind, we're making these changes," he added.
Customers who admit to clicking phishing links are more likely to get their money back
In the end, ING recovered only $1,000 of Parker's savings, or about 6 percent of the amount lost.
That figure angered the healthcare professional. In an attempt to fully recover his losses, he filed a complaint with the Australian Financial Complaints Authority (AFCA), which settles disputes between banks and consumers.
In the 2022–23 fiscal year, the AFCA received 6,048 fraud complaints, an increase of 46% over the previous year.
Most of these complaints were resolved before a final decision was made, but in 5 percent of the cases, the AFCA made a binding determination, which led to their publication.
ABC reviewed the decisions published between January and July 2022 and found at least five other cases similar to Mr Parker's experience, all from ING customers.
In each case, a new phone was registered with Mobile Banking, numerous new recipients were added to ING's address books, and then several unauthorized transactions of less than $1,000 were made in rapid succession.
The cases included a customer who had lost nearly $6,000 in savings just two days before Mr. Parker.
However, refunds were only granted to customers who acknowledged being a victim of phishing and were able to identify how their accounts were accessed.
In three cases, customers who admitted to unwittingly disclosing their bank details to fraudsters were reimbursed after the AFCA ordered the bank to reimburse the full amount lost, because the customers' conduct did not meet the "extreme carelessness" level set out in the Electronic Payments Code.
However, in the other two cases, the AFCA ruled in favor of ING after customers denied they had clicked on suspicious links or divulged their security passwords.
The spokesperson said in these cases there was no other "credible explanation" for how the new phones could have been registered to mobile banking or transactions made "without disclosing" their access codes.
"The AFCA is not aware (from its own experience) of an alternative explanation as to how a third party could obtain the whistleblower's bank password and login details other than the whistleblower verbally disclosing the information to a third party or entering it on a website that the whistleblower had access to," concluded the AFCA.
Parker, who was unsure if he had been scammed, received a $5,000 settlement from ING in May, nearly 12 months after he lost his savings.
The results for victims of the scam are not "based on fairness," the advocacy group says
Tom Abourizk of the Consumer Law Center expressed doubts that the right decision was made in cases where customers were refused a refund, noting that often people do not realize they have been scammed.
He said the inconsistency was symptomatic of gaps in Australian banking law.
“The law as a whole has many loopholes in this area. That's why people who are victims of very similar scams sometimes see different results," Abourizk said.
"And it's not really based on fairness or what's right, but on current legal issues."
“Banks have little or nothing to do when it comes to actively monitoring outgoing transactions from both bank accounts hosted on their platform and accounts they own.”
A spokesperson for the AFCA said it handles financial complaints on a case-by-case basis and supported a mandatory code of conduct for fraud.
“Every case is different and the outcome will depend on the specific facts and circumstances. Subtle differences can mean different outcomes, even when things may appear similar," the spokesperson said.
"Enforceable rules would provide more transparency about legal liability, which in turn would help the work we do as an ombudsman."
Last month, the federal government said it could go the way of the UK, which will force banks to pay compensation to victims of fraud from next year.
"We will definitely raise the bar and definitely hold the banks accountable for much more," said Financial Services Minister Stephen Jones at the time.
The government has been contacted for comment.
ING declined to comment on Parker, citing privacy considerations, but said it regularly reviews and updates its security measures.
"In the event that a customer is defrauded, we investigate the matter thoroughly and try to recover the money where possible," an ING spokesman said.
"We know that fraud by criminal gangs is becoming more sophisticated, targeting many industries and becoming more commonplace."
Some banks are better at protecting customers than others, says a cybersecurity expert
Alana Maurushat, a cybersecurity expert at Western Sydney University, stated that not all banks are created equal when it comes to security.
"They implement very different technologies and use different risk strategies to deal with these types of unauthorized strategies," said Dr Maurushat.
"If an institution, whether it's your telecoms provider or your bank, insists it's not responsible for something, seek further advice."
“Some of the experts I work with are extremely paranoid in this area. Right now, they're literally checking their bank account details every night."
As for Roger Parker, he's in the process of switching banks.
“You shouldn't go through this; it should be an easy process,” said Parker.
In a phishing attack, a scammer pretends to be from a reputable company to get you to reveal personal information that can be used to steal your money or identity. Phishing tactics are often employed as part of email scams and website scams.
How can you tell if someone is phishing on your bank account?
- An unfamiliar greeting.
- Grammar errors and misspelled words.
- Email addresses and domain names that don't match.
- Unusual content or request – these often involve a transfer of funds or requests for login credentials.
- Urgency – ACT NOW, IMMEDIATE ACTION REQUIRED.
Protect your Confidential Information.
Your bank will never ask for your account number, social security number, name, address or password in an email or text message.
Not surprisingly, the banking industry is one of the top targets of hackers using phishing attacks to breach security. And, while safety protocols are built into both internal and consumer-facing banking websites and apps, it is often the human element that fails to detect the scam, resulting in thefts large and small.
What are examples of bank fraud?
It is a serious crime that can occur in many different forms, ranging from simple check fraud to complex schemes such as identity theft and money laundering. Some of the most common types of bank fraud include counterfeiting, check fraud, identity theft, loan scams, credit card fraud and phishing.
Can someone open a bank account in your name without you knowing?
Why accounts are opened in other people's names. Scammers may open a bank account fraudulently in someone else's name to bounce checks or overdraw the account. Others may intend to use the account for storing illicitly obtained funds.
What happens if someone has your bank account number and routing number?
When a scammer has your bank account and routing numbers, they could set up bill payments for services you're not using or transfer money out of your bank account. It's tough to protect these details because your account number and routing number are printed right at the bottom of your checks. But do your best.
Can someone hack my bank account with my phone number?
Savvy scammers know that by hijacking your mobile phone number they can assume your identity, intercept security protocols sent to your phone, and gain access to your financial and social media accounts. One way to hijack your phone number is through a porting-out scam.
What looks suspicious to a bank?
Unusual Large Business Deposits of Cash: Large amounts of cash regularly deposited into an account for a company that is not normally a cash business. Personal Accounts with Suspicious Activity: A personal banking account that is established with a small deposit but regularly has large sums of money flowing through it.
What makes banks suspicious?
Suspicious transactions are any event within a financial institution that could be possibly related to fraud, money laundering, terrorist financing, or other illegal activities. Suspicious transactions are flagged to be investigated, but many suspicious transactions are simply false positives.
You can be denied a checking account for a number of reasons, such as negative marks in your banking history, suspicions of fraud or an inability to verify your identity. Read on to find out why banks may turn down your checking account application and what your options are.
How do banks protect against phishing?
Biometrics in Banking
Traditionally, financial institutions have used passwords and PINs to protect account data. In recent years, two-factor authentication has been encouraged to ensure the person logging in can verify their identity using a code sent via text, phone call or email.
One of the most frequent problems with cybersecurity in the banking sector is phishing assaults. They can be used to enter a financial institution's network and conduct a more severe attack like an APT (Advanced Persistent Threat), which can have a disastrous effect on those organizations.
What is bank impersonation?
This is when a fraudster sends a text message that looks like it has been sent by your bank or other trusted provider, like PayPal or a utilities company, to say there's a problem with your account. They may ask you to call a phone number or click a link to trick you into giving away your personal details.
What is bank spoofing?
This technique involves sending an SMS to the victim pretending to be their bank with a view to obtaining the information required to commit the scam or fraud or any other criminal act.
Can you sue a bank for false information?
If a bank engaged in fraudulent behavior such as failure to disclose account terms, misusing your customer information, or charging you unfair fees, you could pursue a civil lawsuit against the bank.
Can someone steal your bank info from knowing your bank?
If fraudsters can combine your bank details and other easy-to-find information — such as your Social Security number (SSN), ABA or routing number, checking account number, address, or name — they can easily begin to steal money from your account.