Unauthorised Transfers to e-Commerce Platform

Penny saw a cleaning service advertised on Facebook and messaged the company representative via WhatsApp for more information about the services offered. The representative responded and sent Penny a link for a deposit of RM10. She tried to make the payment, but it was unsuccessful.

Penny later realised that three unauthorised transactions, amounting to RM20,000, had been made from her savings account to the same beneficiary. She only found out about the transactions from the bank after receiving several post-transaction notifications of successful transfers.

Penny also discovered that her online transfer limit had been increased from RM20,000 to RM50,000 per day. Penny immediately reported the matter to the bank. The bank rejected Penny’s claim because the online banking activities were performed using a valid username and password and authenticated using a One-Time Password (OTP) sent to Penny’s phone.

The bank explained that the OTPs were sent to Penny as transaction notifications and as an extra security measure to safeguard her online banking account from scams. Penny asserted that she did not perform the transactions as she did not know the identity of the person who received the funds.

She argued that she typically used her fingerprint to access her bank account through the bank’s mobile banking application, and her transactions did not require any OTP for approval. As such, she should not be held responsible for the unauthorised transactions.

OUR FINDINGS

The findings revealed that Penny’s banking credentials, such as username, password, and OTPs, were compromised through phishing malware embedded in the fake cleaning service payment gateway, enabling the disputed transactions.

In response to Penny’s contention that she approved her transactions using her fingerprint on her mobile phone, the bank explained that its online banking facility allowed users to perform transactions up to RM1,000 per day using biometrics.

A password is required for transactions exceeding RM1,000. The record also showed three unsuccessful attempts to transfer funds from Penny’s account, which fell within the bank’s fraud monitoring parameter.

OUTCOME

The Ombudsman opined that while Penny was responsible for safeguarding her banking credentials, the bank should have implemented safety measures in line with fraud trends, particularly when transactions were performed to the same new beneficiary after three unsuccessful attempts.

Given that the bank had already detected the three suspicious transactions, the bank should have blocked or suspended Penny’s internet banking account instead of only blocking the suspicious transactions. Blocking or suspending her internet banking account could have prevented the subsequent unauthorised transactions. As such, the Ombudsman apportioned the loss between Penny and the bank.