These case studies have been modified so as not to identify any actual cases at FIDReC. They are provided for purposes of learning and are not necessarily indicative of outcomes at FIDReC.
Betty wanted to transfer some funds to her friend through internet banking. The Bank’s internet banking mobile app was under maintenance, so Betty searched online for the Bank’s internet banking website. She clicked on the first link that appeared in the search results. She keyed in her internet banking username and password, as well as a One-Time-Password (OTP) sent to her mobile number. A notice then appeared saying that her account was locked and would be reactivated within 24 to 48 hours. Betty decided to do the transfer the next day and closed the website.
The next morning, Betty found several messages on her mobile sent by her Bank after midnight. The messages informed her of many telegraphic transfers from her account. Realising that something was wrong, she went to the Bank branch to make a report. Betty then discovered that the website she had keyed her information into the previous night was a fake website.
Betty blamed the Bank for her losses because the Bank’s internet banking mobile app was unavailable when she needed it. This led her to search for the Bank on the internet and click on the fake website link. Despite many discussions, the Bank rejected her request for compensation and referred her to FIDReC.
At mediation, the Bank explained that the OTP Betty received and keyed into the fake website was for the registration of a digital token. The SMS for the OTP stated this. By keying in her internet banking details and OTP into the fake website, Betty allowed a fraudster to register another mobile device as a digital token. This meant that the fraudster could authorise transfers from Betty’s account. The Bank felt that Betty could have prevented her own losses by checking the website address. She could also have read the OTP SMS before keying in the OTP.
With the Case Manager facilitating the discussion, Betty learnt more about the use of digital tokens. She recognised that she should have checked the content of the OTP SMS before entering the OTP. The Bank, on its part, acknowledged that Betty was misled into clicking the fake website link when the Bank’s mobile app was under maintenance. The Bank also sympathised with Betty as she had lost all her savings.
The Bank agreed to bear a small proportion of Betty’s losses as a goodwill gesture. Betty accepted the Bank’s offer and signed a written settlement with the Bank.
Key Learning Points
- Learn to spot the signs of scams on www.scamalert.sg, a website from the National Crime Prevention Council. Keep up to date on scam advisories and alerts.
- Do check the website address before clicking on any links or keying in your banking details on a website. Refer to official sources like the MAS Financial Institutions Directory for website addresses or hotline numbers of banks.
- Before keying in any OTP on a website, read the contents of the OTP SMS. The SMS will usually state the purpose of the OTP. If the purpose stated is not correct, contact your Bank immediately.
- Depending on the circumstances, financial institutions may offer a goodwill payout to cover their customers’ losses. Such goodwill gestures do not set a precedent for future cases. During mediation, no one can compel financial institutions to make any goodwill offer.