These case studies have been modified so as not to identify any actual cases at FIDReC. They are provided for purposes of learning and are not necessarily indicative of outcomes at FIDReC.
Lily came across an online advertisement that offered a four-hour cleaning session at $20 for first-time users. This was a good deal, so Lily decided to engage the cleaning company. She received a link for her to download an app on her mobile phone. She then followed instructions to make a deposit payment of $5 on the app.
She keyed in her credit card information. But after submitting the information, an error message showing ‘Invalid Card’ appeared. Thinking that something must be wrong with her credit card, she keyed in the details of another credit card. As the error message still appeared, she decided to stop and try again later.
A few hours later, Lily checked her mobile phone and discovered that there were transactions amounting to $10,000 charged to her two credit cards. She called the Bank to report that she did not perform the transactions. The Bank blocked her credit cards immediately.
Lily later found out that the app she had downloaded contained malware. When she downloaded the app, she had granted permissions to the scammers. The scammers got hold of her credentials, took control of her mobile phone, and read SMSes or bank notifications received on the phone.
The Bank informed Lily they were unable to file a chargeback request on her behalf. A chargeback is a request from the card-issuing bank to the merchant for a reversal under the dispute resolution process of the card scheme. The Bank said that Lily was liable for the full amount. Lily disagreed and came to FIDReC.
At mediation, the Bank said that it had sent Lily SMS transaction notifications when the transactions took place. However, she did not act on them until a few hours later. Lily argued that the Bank ought to have noticed that the transactions were suspicious and cancelled the transactions. The Bank explained that once a transaction is charged to a credit card, the Bank is unable to cancel the transaction. The Bank may file a chargeback request on behalf of its customers, but it is subject to the criteria set out under the card scheme. In Lily’s case, a chargeback was not possible as the disputed transactions were authorised by a One-Time Password (OTP) sent to Lily’s mobile number. Nevertheless, the Bank offered to waive 20% of the disputed transactions out of goodwill.
Lily accepted the offer. She recognised that she could have acted on the notifications sent by the Bank earlier and taken steps to reduce her losses. Lily also noted never to download apps from unofficial sources.
Key Learning Points
- Consumers have, among others, the following duties under the Monetary Authority of Singapore’s E-Payments User Protection Guidelines:
  - To monitor transaction notifications,
  - To protect access codes (including an OTP) and access to their account,
  - To report unauthorised transactions as soon as practicable after receiving any notification alert, and
  - To provide information on the unauthorised transactions.
- The financial institution’s duties under the Guidelines are, among others:
  - To inform account holders of the user protection duties,
  - To provide outgoing and incoming transaction notifications,
  - To provide a reporting channel, and
  - To assess claims and complete claims investigation.
- If any party has not carried out the required duties, that party should expect to bear some responsibility.
- To protect yourself from malware scams:
  - Only download apps from official and verified sources such as Apple App Store or Google Play Store.
  - Carefully review the permissions requested by apps.
  - Ensure that your internet accessing devices have updated anti-virus software and malware removal tools.
  - Update apps and operating systems of devices regularly to ensure protection by the latest security patches.
  - Be wary of advertisements for good deals and unusual payment requests.
- If you suspect you may be a victim of a malware scam, do the following:
  - Switch your device to flight mode to disconnect from the internet and to prevent scammers from further accessing your device.
  - Run an anti-virus scan on your device to identify and remove malware.
  - Check for unauthorised transactions.
  - Report the incident immediately to your bank and the authorities.