Picture: 123RF/SCAN RAIL

A few case studies included in the latest annual report by the Ombudsman for Banking Services may offer a glimmer of hope to consumers who are increasingly finding themselves victims of online banking fraud.

These grievances constitute the biggest category of complaints to the ombud, who found in favour of the banks in 80% of such cases in 2018.

However, in two case studies relating to internet banking fraud, the ombud found against either the consumer’s bank or the “beneficiary bank” — the bank to which the fraudster transferred the victims’ money.

The ombud found that even though the consumers had probably compromised their accounts by unwittingly sharing their online banking credentials, their loss was not because of this compromise but due to a failure on the part of the banks to act appropriately or timeously. Had the banks done what they ought to have, the consumers’ money could have been recovered.

In the first case study, the ombud’s office says “it appeared from the documents and information presented” that the consumer had compromised her confidential internet banking credentials. “No evidence was provided to suggest that the bank was either negligent or guilty of maladministration in respect of the compromise.”

Funds were transferred from the consumer’s account to an account held at a different bank. The consumer reported the incident to her bank and her bank reported it to the beneficiary bank. The account held at the beneficiary bank was a long-standing business account “and the beneficiary bank could not place a hold on the account” without further information from the consumer’s bank, the ombud’s annual report says.

“There was a misunderstanding between the banks and the beneficiary bank failed to place a hold on the beneficiary account. In the interim, the fraudsters contacted the beneficiary account holder, posing as the consumer, and convinced the beneficiary account holder to make payment to the fraudsters’ account.”

When it was discovered that the funds had been transferred from the beneficiary account to the fraudsters’ account, the funds had already been withdrawn.

“It was our finding, after listening to the phone recordings of the conversation between the two bank consultants, that the consumer’s bank and the beneficiary bank were in a position to mitigate the loss had they acted timeously, but that they had failed to do so. The misunderstanding between the two banks was entirely avoidable and the funds could have been recovered if a hold had been placed on the funds when the consumer reported the incident to her bank.”

The ombud’s office recommended that each bank refund the consumer 50% of her loss, which the banks agreed to do.

‘Microsoft scam’

In the second case, the consumer compromised his account after falling victim to a “Microsoft scam”, the report says.

While the report doesn’t detail the scam, it is typically a technical-support scam in which a scammer poses as a technical-support assistant from a well-known company, such as Microsoft. The fraudster tells you they have detected viruses or other malware on your computer and tricks you into installing software that gives them remote access to your computer.

In the case before the ombud, the fraudsters obtained access to the consumer’s online banking profile and used it to transfer R140,000 from his account to another bank. The consumer reported the incident to his bank, but his bank told him the funds could not be recovered. The consumer complained to the ombud’s office and demanded a full refund.

During its investigation, the ombud’s office found that the beneficiary bank had informed the consumer’s bank a number of times that it needed an SA Police Service case number and affidavit from the consumer, otherwise the hold it had placed on the beneficiary account would be lifted.

The consumer’s bank did not inform the victim of this requirement, resulting in the police case number and affidavit not being provided timeously. This resulted in the fraudster being able to withdraw all the funds.

The banking ombud found that though the consumer’s confidential banking credentials were compromised, the loss he suffered was not because of this compromise but was due to his bank failing to act on the request from the beneficiary bank and communicate its requirements to the consumer timeously.

Essentially, his bank was in a position to mitigate the loss and had failed to do so. The banking ombud recommended that the consumer’s bank refund him, and his bank agreed.

The banking ombud’s annual report says, “Consumers should report fraud to the bank timeously, and if the bank fails to take the necessary measures to mitigate the loss, the bank will be held liable.”