Disclosure of credentials and codes allowed scammer to access customer’s funds

Categories:
Fraud & scams, Bank accounts,
Summary:
In January 2026, Brad received a text message purporting to be from the police about an overdue traffic fine. The text contained a link to make the payment. That same night, Brad’s banking credentials were used to set up his bank’s mobile banking app on a new device. Several days later, five transactions totalling $2,055 were made using Brad’s debit card. The first transaction triggered the bank’s fraud detection system, but further transactions were completed before the card was blocked. Brad said the bank should reimburse his loss because the transactions were made from overseas, at a time when he was in New Zealand, and also because the bank did not block the transactions quickly enough. The bank said the security messages and authentication codes were clear and refused to reimburse the money.
Published:
July 2026

Our investigation

The scammer had used Brad’s banking credentials and authentication codes to register a new device for mobile banking and add Brad’s card to a digital wallet. During discussions with us, Brad accepted that he had not read the messages accompanying the authentication codes and had not taken reasonable care of his banking information. In other words, Brad had failed to take reasonable care of his banking, and in such a situation the bank did not have to reimburse him. The scammer was only able to access Brad’s accounts because Brad’s banking credentials and authentication codes had been disclosed.

Brad remained concerned that the bank had failed to stop any further transaction after the first transaction alerted its fraud detection systems. The bank maintained that it had responded appropriately to the first alert. Nonetheless, the bank offered Brad $750 to resolve the complaint.

Outcome

Brad accepted the bank's offer.

Print this page