Sarah, 65, is a retiree and a registered YPay e-wallet account holder. On 25 October 2022, around 12:00 pm, Sarah received a message from an anonymous number claiming to be from the Majlis Keselamatan Negara (MKN) stating that a government support fund of RM500 had been credited to her YPay e-wallet. The message included a link: https://ypaymy.top.

She clicked the link and was directed to a phishing website. After clicking the link, RM490 was debited from her credit card and transferred to her e-wallet, with subsequent transfers made from her e-wallet to multiple beneficiaries. The total disputed amount was RM2,024.90.

FINDINGS

The disputed transactions totalling RM2,024.90 were made via Sarah’s e-wallet after a PIN reset and OTP verification on a new device. Sarah’s credentials were compromised via a phishing link. High-frequency top-ups and prepaid purchases comprising eight reloads and nine payments within 13 minutes went undetected.

OUTCOME

The case manager recommended apportioning the losses equally, taking into account that the PIN was reset and the account accessed from a new device, as well as the occurrence of eight transactions within a 13-minute window, seven of which were high-value transfers to the same beneficiary. The FSP rejected the recommendation and referred the matter to the Ombudsman. The Ombudsman upheld the case manager’s recommendation and apportioned the liability equally.