The Facts

Man provides credit card number and PIN codes to online scammers

The case of a man who fell victim to a phishing scam reads as a textbook example of cyber fraud. The man received an email inviting him to participate in an online cash survey. The email contained a web link and instructions to click on the link to complete the survey.

As part of the survey, the man was asked to provide his credit card number, which he did. Unbeknownst to him, by doing so, he made this information available remotely to the scammers who had sent him the email.

The fraudsters then asked the man to enter one-off PIN codes sent by his financial services provider to his mobile phone, which he did.

Transactions made using credit card details

This enabled the scammers to make transactions using the man's credit card. These transactions totalled over $5,000 and were with merchants outside Australia.

When the man's financial services provider denied liability for the losses, he lodged a dispute with the Financial Ombudsman Service, which had to determine whether he was liable.

case a - The case for the financial services provider

case b - The case for the customer
  • The only reason the scammers gained access to the customer's money is that he voluntarily disclosed his one-off PIN codes by typing them into the email survey he received from the scammers. He was not supposed to disclose his PINs to anyone.
  • By disclosing his PINs, the customer breached the passcode security requirements in the ePayments Code.
  • While the customer's financial loss is regrettable, we are not liable to reimburse him for the money the scammers stole, because he breached the passcode security requirements of the ePayments Code.
  • It is the customer who is liable for the loss he incurred, not us.
  • I did not authorise the transactions recorded against my credit card.
  • I had no idea that the PINs I received on my mobile phone from my financial services provider were secret passcodes and that I was not meant to disclose them to anyone. When I received the text message with the passcodes, there was nothing to indicate that they were supposed to be kept secret.
  • I did not "voluntarily" disclose my passcodes to anyone and I did not breach the security provisions of the ePayments Code. I thought I was simply responding to a survey.
  • The Financial Ombudsman Service should find that my financial services provider is liable for my losses.

So, which case won?

Cast your judgment below to find out

Zohra Ali
Disputes and litigation
Stacks Law Firm

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.