The Facts
In a case study reported in 2016 by the UK Financial Ombudsman, an investor in the United Kingdom, “Ms Q”, had her emails hacked by fraudsters, who impersonated her and sent emails purporting to be from her to her financial adviser.
Large sum transferred following receipt of emailed instructions
The emails asked the financial adviser to withdraw £250,000 from her investment bond and transfer the money to a solicitor’s bank account in Hong Kong. However, the investment provider told the financial adviser that they could not trace the solicitor’s firm and so would not be transferring money to that account.
The financial adviser then received a follow-up email purporting to be from Ms Q which provided details of a bank account in her name with a bank in the United Kingdom. The email instructed the financial adviser to transfer £250,000 to this bank account.
At this stage the investment provider pointed out that the bank account details were different to the ones they had on file for Ms Q. However, the financial adviser confirmed that the new bank account details were correct and finalised the transfer of the money to that account.
Investor realises her emails have been hacked
The investment provider then sent a letter to Ms Q, confirming that the £250,000 had been withdrawn and transferred to the new bank account in accordance with her instructions.
This was the first that Ms Q had heard of the transaction. Understandably, she was aghast and rang her financial adviser, who explained that he had completed the transaction in accordance with the instructions he had received from her via email.
Ms Q realised that her email account must have been hacked, so the financial adviser had been receiving emails which came from Ms Q’s email address but which she had not actually sent.
Investor recovers some, not all of her money
After Ms Q reported the fraud to the police, she managed to recover around £170,000, leaving her with a shortfall of £80,000. Ms Q asked the financial adviser to make up this shortfall, arguing that it should have taken better care of her money.
When the financial advisor offered to pay only a quarter of the money that Ms Q had lost, the case ended up before the UK Financial Ombudsman, which had to determine whether the financial adviser was responsible for Ms Q’s loss.
Expert commentary on the court's decision
Financial Ombudsman finds in favour of Ms Q
The case involving Ms Q and her financial adviser was reported in the August 2016 edition of ombudsman news. (See case study 135/6.)
After examining the emails which the financial adviser had received from Ms Q’s email account, the Financial Ombudsman sided with Ms Q, agreeing that the financial adviser should have taken better care of her money and could have prevented the fraud.
The factor that was of central importance in the reasoning of the Financial Ombudsman was that the investment provider had notified the financial advisor that it could not trace the firm of Hong Kong solicitors who were initially meant to receive the money.
Financial adviser told to pay full amount of unrecovered funds
In the Financial Ombudsman’s view, “alarm bells should certainly have started ringing” at this point and the obvious course of action for the financial adviser would have been to ring Ms Q to confirm her instructions.
The Financial Ombudsman ordered the financial adviser to pay the investment provider the full amount of the money which had not been recovered, so that Ms Q did not suffer any loss as a consequence of the scam.
Australian investors equally at risk
While this case took place in the UK, there are similar cases that have been reported by the Financial Ombudsman Service Australia (FOS).
In one case heard by FOS in 2016, for example, an investor lost $360,000 in credit card payments to a scam (See Case number: 404469, 18 April 2016, Financial Ombudsman Service Australia).
The investor’s Financial Services Provider (FSP) had been notified of the scam by ASIC two weeks earlier but had done nothing to warn the investor. Further, the FSP’s fraud area had become suspicious after the first three transactions, yet subsequent transactions were nonetheless allowed to proceed.
FOS determined that the FSP’s processes should have detected and blocked the transactions after the first three transactions. The FSP was told to pay the investor an amount equal to 75% of the payments made to the scammers after the first three transactions, with the investor being responsible for the balance of the losses due to his own failure to protect his interests.
For more information please see the articles below.
Protect yourself against payment redirection scams
Business email compromise scams conning Australians out of millions
“I lost my money in a cryptocurrency scam. My financial firm should have warned me.” Which case won?