These case studies have been modified so as not to identify any actual cases at FIDReC. They are provided for purposes of learning and are not necessarily indicative of outcomes at FIDReC.
John was a young professional in his first job. He got his first credit card and linked it to an electronic wallet. A week later, he received an email supposedly from his electronic wallet provider. The email said that his account had been “restricted” and that he needed to log into the account to “verify it”.
John clicked on the link in the email to “verify” his account. He followed the website instructions and keyed in his electronic wallet credentials. He then received an SMS notification of a one-time password (OTP) from his credit card bank. This notification stated: “Your … OTP Code for online purchase is XXXXXX”. John proceeded to key in the code on the website thinking it was necessary to remove the restriction on his account.
Later that morning, John noticed an SMS alert from the bank. It stated that there had been a charge of EUR1,400 on his credit card by a merchant called “dumpster.com”. He realised something was wrong and immediately called the bank. He reported that his electronic wallet had probably been hacked. The bank immediately cancelled John’s card and issued a replacement card.
The bank also made a chargeback request on John’s behalf. A chargeback is a request from the card-issuing bank to the merchant for a reversal under the dispute resolution process of the card scheme. Unfortunately, the chargeback was not successful. The bank said that John should be liable for the full amount. John refused and came to FIDReC.
When mediation was not successful, John proceeded for adjudication at FIDReC. The bank accepted that John was the victim of a phishing scam. But it said that John should not have provided his OTP for an online purchase when he was not making one. Because the bank could not get a chargeback from the merchant, John should be responsible for the full amount. John argued that he was an innocent victim and that he thought he was verifying his restricted account. Further, if the OTP SMS had stated the name of the merchant as dumpster.com, John would not have provided the OTP.
The adjudicator considered the submissions and evidence of both parties. He noted that both John and the bank were victims of a scam. John should not have provided his OTP, but the bank’s OTP SMS could also have been clearer by stating the name of the merchant. The adjudicator decided that John and the bank should each bear 50% of the amount.
Key Learning Points
• Criminals can use phishing scams to trick you into giving away your personal information. This may happen through email, SMS, or phone calls.
• Always be cautious when you receive any email, SMS, or phone call with an alarming message requiring you to act by verifying your account.
• Never give out your OTP unless you are certain that it is for a transaction that you have made.
• The credit card agreement usually allows you to limit liability for unauthorised transactions on your card. However, this is only where you have not acted fraudulently or negligently, and you have informed the card issuer of the unauthorised transaction as soon as reasonably practicable.
• You can enable SMS or email alerts for all banking transactions to allow you to make a prompt report when something goes wrong.