E-Wallet: Fake Government SMS Phishing Scam

On 30 August 2022, Tom received an SMS purportedly from the government, informing him that RM500 in the Special Financial Assistance Programme (Bantuan Khas Kewangan) would be credited to his e-wallet account if he clicked the link provided in the message. The following day, Tom clicked the link and was prompted to input his mobile phone number and One-Time Password (OTP) to access the website. Despite his attempts, he failed to log in successfully, even after receiving new OTPs.

Upon checking his e-wallet account, Tom discovered two unauthorised transactions totalling RM5,000. He reported the incident to the police and filed a claim for a refund with his e-wallet issuer. However, the e-wallet issuer rejected his claim.

OUR FINDINGS

Records from the e-wallet issuer indicated that the transactions were carried out on Tom’s account using a valid registered mobile number, a 6-digit PIN, and OTPs. Tom’s e-wallet account was accessed from a new device.

The OTPs he entered during the login attempts allowed the scammer to register their device and access Tom’s e-wallet account from this new device. Consequently, Tom’s account balance was used to reload the e-wallet account, and the transactions were authenticated using a valid 6-digit PIN.

Upon successful login from the new device, all transaction notifications were directed to the application inbox of the scammer’s device. By the time Tom contacted his e-wallet issuer to report the incident, the transactions had already been completed, and the issuer’s efforts to recover the funds from the beneficiaries’ accounts were unsuccessful.

OUTCOME

The findings revealed that Tom was deceived into clicking the phishing link, granting the scammer access to his e-wallet credentials. Tom received a message containing the OTP to authorise the login on the new device, which read:

‘8xxxxx. Valid for 5 minutes. Don’t share for security reasons. Call 03-xxxxxxxxx if you didn’t perform this request.’

The OTP message sent for the new device lacked clarity: it did not indicate the OTP’s purpose or the device’s make and model, details which could have alerted Tom to the scam earlier. Considering the prevailing fraud trends, e-wallet providers must implement diverse measures to detect and prevent scams. Similarly, consumers must take responsibility for safeguarding their e-wallet credentials.

As a result, the Case Manager recommended that the loss be divided between Tom and the e-wallet issuer. However, the e-wallet issuer rejected this recommendation and referred the matter for adjudication.

After reviewing the case and considering the facts and principles of fairness and reasonableness, the Ombudsman agreed with the Case Manager’s reasoning. He decided the loss should be apportioned between Tom and the e-wallet issuer.