Roger knew something was wrong when he checked his bank's application and saw 11 new recipients. (2023)

• Soon:Customers get mixed results when they complain to their banks for not refunding money lost to phishing scams.
• What's next?Last month, the federal government said it would introduce changes to hold banks accountable if their customers were defrauded.

It was while scanning his bank account during an overnight break that nurse Roger Parker realized something had gone "hopelessly wrong."

Parker was saving to pay for a new house, but an app on her phone informed her that $16,000 had been missing from her account.

Unbeknownst to the healthcare professional, 11 new recipients were added to his ING address book within two hours.

Seventeen Unauthorized Transactions: Almost All $999 each with a total value of $16,067 was transferred from their accounts to newly added contacts, and their daily transfer limit was increased to $15,000. None of the transactions were detected by the bank.

In a panic, he called ING, hoping the bank would get his money back.

Instead, Parker said ING informed him that he was at fault and that his account was accessed after he clicked on a phishing link and gave his details to the scammer.

“We have considered all the circumstances that contributed to the transaction and have determined that… ING is unable to accept responsibility for the transactions as the SMS security codes and its secure access code have been disclosed to authorize the transactions in question. an ING representative said in an email to Mr Parker.

"For the reasons stated above, I respectfully decline your request for a refund."

Phishing is when scammers send emails or text messages, often containing links to fraudulent websites masquerading as reputable companies such as banks.

Parker, who said he had no recollection of clicking on a phishing link, was stunned by the decision.

“I was really angry about it. It seems like everything is being blamed on consumers, especially with all of today's technology changing so fast," Parker said.

"Hackers are perfecting their methods and it seems we are the poor bastards who suffer the most."

Banks subject to voluntary regulation

The banking industry's response to financial fraud, and how the Australian Financial Complaints Authority controls the bank's response, are now under scrutiny as consumer advocates call for a change in the rules that would force financial institutions to respond more consistently.

It comes laterA report by regulators shows that Australians lost a record $3.1 billion to fraud last year., but large banks only compensated their customers for about $21 million, and sometimes as little as 2 percent of the amount lost.

Electronic payments, including online banking, are governed by a voluntary provision called the Electronic Payments Code.

Tom Abourizk of the Center for Consumer Action Law said there was a "desperate need for law reform" to better regulate the sector.

"There is a real gap when it comes to clear applicable rules," Abourizk said.

"Banks may opt out of the [Electronic Payments Code]if they start to dislike the decisions made on their basis. And with that in mind, we're making these changes," he added.

Customers who admit to clicking phishing links are more likely to get their money back

In the end, ING recovered only $1,000 of Parker's savings, or about 6 percent of the amount lost.

This character angered a health professional. In an attempt to fully recover his losses, he filed a complaint with the Australian Financial Complaints Agency (AFCA), which settles disputes between banks and consumers.

In the 2022–23 fiscal year, the AFCA received 6,048 fraud complaints, an increase of 46% over the previous year.

Most of these complaints were resolved before a final decision was made, but in 5 percent of the cases, the AFCA made a binding determination, which led to their publication.

ABC reviewed the decisions published between January and July 2022 and found at least five other cases similar to Mr Parker's experience, all from ING customers.

In each case, a new phone was registered with Mobile Banking, numerous new recipients were added to ING's address books, and then several unauthorized transactions of less than $1,000 were made in rapid succession.

The cases involved a client who had lost nearly $6,000 in savings just two days before Mr. Parker.

However, refunds were only granted to customers who acknowledged being a victim of phishing and were able to identify how their accounts were accessed.

In three cases, customers who admitted to unwittingly disclosing their bank details to fraudsters were reimbursed after the AFCA ordered the bank to reimburse the full amount lost as a result of the customer failing to meet the "extreme carelessness" level set out in the Electronic Payments Act. Code.

However, in the other two cases, the AFCA ruled in favor of ING after customers denied they had clicked on suspicious links or divulged their security passwords.

The spokesperson said in these cases there was no other "credible explanation" for how the new phones could have been registered to mobile banking or transactions made "without disclosing" their access codes.

"The AFCA is not aware (from its own experience) of an alternative explanation as to how a third party could obtain the whistleblower's bank password and login details other than the whistleblower verbally disclosing the information to a third party or entering it on a website that the whistleblower had access to." concluded the AFCA.

Parker, who was unsure if he had been scammed, received a $5,000 settlement from ING in May, nearly 12 months after he lost his savings.

The results for victims of the scam are not "based on fairness," the advocacy group says

Tom Abourizk of the Consumer Law Center expressed doubts that the right decision was made in cases where customers were refused a refund, noting that often people do not realize they have been scammed.

He said the inconsistency was symptomatic of gaps in Australian banking law.

“The law as a whole has many loopholes in this area. That's why people who are victims of very similar scams sometimes see different results," Abourizk said.

"And it's not really based on fairness or what's right, but on current legal issues."

“Banks have little or nothing to do when it comes to actively monitoring outgoing transactions from both bank accounts hosted on their platform and accounts they own.”

A spokesperson for the AFCA said it handles financial complaints on a case-by-case basis and supported a mandatory code of conduct for fraud.

“Every case is different and the outcome will depend on the specific facts and circumstances. Subtle differences can mean different outcomes, even when things may appear similar," the spokesperson said.

"Enforceable rules would provide more transparency about legal liability, which in turn would help the work we do as an ombudsman."

Last month, the federal government said it could go the way of the UK., which will force banks to pay compensation to victims of fraud from next year.

"We will definitely raise the bar and definitely hold the banks accountable for much more," said Financial Services Minister Stephen Jones at the time.

The government has been contacted for comment.

ING declined to comment on Parker, citing privacy considerations, but said it regularly reviews and updates its security measures.

"In the event that a customer is defrauded, we investigate the matter thoroughly and try to recover the money where possible," an ING spokesman said.

"We know that fraud by criminal gangs is becoming more sophisticated, targeting many industries and becoming more commonplace."

Some banks are better at protecting customers than others, says a cybersecurity expert

Alana Maurushat, a cybersecurity expert at Western Sydney University, stated that not all banks are created equal when it comes to security.

"They implement very different technologies and use different risk strategies to deal with these types of unauthorized strategies," said Dr Maurushat.

"If an institution, whether it's your telecoms provider or your bank, insists it's not responsible for something, seek further advice."

“Some of the experts I work with are extremely paranoid in this area. Right now, they're literally checking their bank account details every night."

As for Roger Parker, he's in the process of switching banks.

“You shouldn't go through this; it should be an easy process,” said Parker.