Siti is a credit card holder with the bank, holding a credit limit of RM16,000.

She received an email purportedly from her streaming service provider claiming that her subscription would be suspended due to payment issues. To rectify the matter, she clicked a link within the email, which directed her to a website where she followed instructions to update her payment details. Subsequently, RM10,000 was charged to her credit card.

FINDINGS

The investigation revealed that the link Siti accessed led to a sophisticated phishing website designed to harvest credit card information. Upon entering her card details, a third party initiated a transaction for RM10,000.

By entering her credit card details and the subsequent SMS OTPs into the fraudulent site, Siti inadvertently compromised her credentials and facilitated the successful registration of her card onto L Pay on a third-party device, which enabled the unauthorised RM10,000 transaction.

OUTCOME

The case manager concluded that the unauthorised transaction was made possible because Siti disclosed her security credentials to an unverified source.

As the RM10,000 charge was successfully processed following a valid L Pay registration and authenticated using the OTP provided by Siti, she was held liable for the full amount of the disputed transaction.