Which case won?

The case for the financial services provider
  • The only reason the scammers gained access to the customer’s money is that he voluntarily disclosed his one-off PIN codes by typing them into the email survey he received from the scammers. He was not supposed to disclose his PINs to anyone.
  • By disclosing his PINs, the customer breached the passcode security requirements in the ePayments Code.
  • While the customer’s financial loss is regrettable, we are not liable to reimburse him for the money the scammers stole, because he breached the passcode security requirements of the ePayments Code.
  • It is the customer who is liable for the loss he incurred, not us.
The case for the customer
  • I did not authorise the transactions recorded against my credit card.
  • I had no idea that the PINs I received on my mobile phone from my financial services provider were secret passcodes and that I was not meant to disclose them to anyone. When I received the text message with the passcodes, there was nothing to indicate that they were supposed to be kept secret.
  • I did not “voluntarily” disclose my passcodes to anyone and I did not breach the security provisions of the ePayments Code. I thought I was simply responding to a survey.
  • The Financial Ombudsman Service should find that my financial services provider is liable for my losses.

So, which case won?

Cast your judgment below to find out
Case A Case B

Case B won. You were right!

How people voted
case a69%
case b31%

Expert commentary on the court's decision

Zohra Ali
Zohra AliSenior Associate
“Because the customer was found not to have disclosed his passcodes voluntarily, it was determined that he did not contribute to his losses under the ePayments Code.”
Financial Ombudsman Service finds customer not liable for his losses

In a case study reported in its 2017-18 annual review, the Financial Ombudsman Service (now renamed the Australian Financial Complaints Authority, or AFCA) found in favour of the customer. (See Case study – Passcodes disclosed mistakenly in scam transactions, Financial Ombudsman Service Annual Review 2017-18, p.91.)

Disputes over electronic transactions under the ePayments Code

The ePayments Code stipulates that if there is a dispute over an electronic transaction, it is up to the financial services provider (FSP) to prove one of two things.

The first is that the customer authorised the payment by making the payment himself or herself, or by having someone else carry out the transaction with his or her knowledge or consent.

The second is that if the customer claims not to have authorised the payment, the FSP has to prove that he or she breached certain security provisions of the ePayments Code and is therefore liable for the transaction.

Customer found to be not in breach of the ePayments Code

The Financial Ombudsman Service (FOS) found that the customer, identified only as “Mr H”, did not intend to divulge his passcodes to anyone and that he did not know they were meant to be kept secret. Mr H’s argument that he thought he was merely responding to a survey was found to be valid and convincing.

Because Mr H was found not to have disclosed his passcodes voluntarily, it was determined that he did not contribute to his losses under the ePayments Code.

Additional compensation for stress and inconvenience

Mr H had limited liability of $150 for his losses. The FSP was liable to reimburse him for the remaining sum.

In addition, the FSP had to pay Mr H $250 to compensate him for the stress and inconvenience he experienced due to the FSP sending him several text messages referring to his “liability” for the transactions after he referred the dispute to the FOS.

What is a phishing scam?

A phishing scam is an attempt by a criminal to trick you into divulging personal information such as credit card numbers, passwords and PIN codes in order to steal your money. The tale of Mr H above is a classic case of a successful phishing scam.

Many phishing scams target their intended victims via email, although other approaches are also used, such as text messages, phone calls and social media.

Some phishing emails claim to be from a legitimate organisation such as a bank or internet service provider. Some, like the one that duped Mr H, claim to be offering a prize for participating in a survey.

How can you avoid phishing scams and stay smart online?

The way to minimise your chances of being “phished” is to remain vigilant and be aware of the techniques that scammers use to try to trick you into divulging details that they can use to rob you.

How can you tell when an email you receive is part of a phishing scam?

There are several details that could alert you that you have received an email that is part of a phishing scam.

  • Who is the email from? Many scam emails come from an email address that is similar, but slightly different, to the email domain of the organisation they are trying to impersonate. Other scam emails originate from an email address that is more obviously completely unrelated to the legitimate company. Checking an email’s “from” address carefully is a vital step in spotting possible scams.
  • Who is the email addressed to? Is this the normal way you are addressed? Is there anything odd about how the email refers to you?
  • Is the content of the email dubious? For example, would a major bank really send you an email to notify you of a technical glitch which has locked you out of your account?
  • Spelling, grammar and punctuation – Is everything in the email perfect? Or are there details which instil doubt? Mistakes, ambiguity and poor expression can all be signs that the email could have been sent by fraudsters.
  • Does the email contain links? If so, you can hover over the link with your mouse – BUT DON’T CLICK! – to see the URL of the link. Just as with the “from” address, a suspicious looking URL is a giveaway that the link is dodgy. Clicking on it could take you to a fake login page which harvests your email credentials to gain access to your email account, or to a site which infects your computer with malware.
  • Does the email claim to be screamingly urgent and warn of dire consequences if you do not act immediately? Or does it promise a cash reward? Both of these details are possible indicators of a scam.

The most important thing to remember is not to click on any links or download any attachments from an email if you have even the faintest shadow of a doubt about its validity.

If in doubt, ring the sender of the email

If you receive an email claiming to be from your bank, telephone company, internet service provider, lawyer, accountant or conveyancing company, and you’re not 100 per cent confident that the email is genuine, there is a simple way to verify its legitimacy.

To eliminate any doubt, just pick up the phone and give them a call on the phone number that you would usually use to call them (don’t use a phone number that appears in the email).

Australians losing increasing sums to scammers

Despite the efforts of the government to warn us, many Australians continue to fall victim to scams. Collectively we lost nearly $500 million during 2018 – a substantial increase on the previous year.

As technology advances and systems become ever more sophisticated in the attempt to prevent fraud, scammers become increasingly ingenious in their efforts to rob us.

Human error remains the weakest link in the chain. According to recent figures, human error and compromised credentials make up 67 per cent of reported data breaches. (See Human error the leading cause of data breaches, Casey Tonkin, Information Age, 29 August 2019.)

Mr H in the case described above was fortunate. He was compensated for his losses because the FOS found in his favour. Others in a similar position may not be so lucky.

Being aware of scams and remaining vigilant is your best defence.

For more information please see the articles below.

Protect yourself against payment redirection scams

Business email compromise scams conning Australians out of millions

“I lost my money in a cryptocurrency scam. My financial firm should have warned me.” Which case won?

Useful resources about scams

Stay Smart Online Week – this national awareness week for online safety is run in October each year. Stacks Law Firm is a Supporting Partner of this important initiative.

Scamwatch – website run by the Australian Competition and Consumer Commission (ACCC) which publishes regular updates about scams. You can sign up on this website to receive email alerts about new and current scams.

Phishing – this page describes in detail what phishing is and how it works.

Whaling and spear phishing – this page describes phishing scams that target businesses.

NOTICE: This article is accurate as at the time of publication and does not constitute legal advice. Please see our legal notices page for more information. Information related to coronavirus can be outdated very quickly.

Latest from Stacks

chat button

Fill out this form and one of our local law professionals will be in contact

By submitting this form you agree to the terms of our Privacy policy