ASIC’s deputy chair Sarah Court is expected to address the media later in the morning.
The announcement follows an investigation by this masthead that revealed HSBC had dawdled in its response to scammers, who used the same or similar tactics to steal from hundreds of its Australian customers over at least 10 months in 2023 and 2024.
Even as people’s passwords were changed and large amounts of money were moved by people overseas or those using private internet servers, the bank failed to stop the suspicious transactions.
Melbourne engineer Aaron, who did not wish to use his last name for privacy reasons, had $45,000 taken from his family’s HSBC home loan account in late February this year, one of at least 329 HSBC customers who fell victim to a similar swindle.
The father-of-two was sitting in his car during a lunch break when he received a call from someone who introduced themselves as a member of HSBC’s fraud team.
Because the scammer called him using the bank’s real number (a technique known as spoofing) and already knew several of Aaron’s personal details, they convinced Aaron to provide several one-time passwords, which they then used to take over his account. The criminals were then able to raise the daily transfer limit on Aaron’s account from $5000 to $50,000.
This same technique was also used with other victims, but it took HSBC almost a year to stop allowing adjustments to daily limits to be made using online banking.
In May this year, HSBC offered Aaron a $1000 “goodwill payment”. Aaron rejected the offer and complained to the Australian Financial Complaints Authority. HSBC later said it would reimburse Aaron the entire stolen amount plus a $2000 goodwill payment, acknowledging “we could have responded in a timelier manner”.
The bank denied it was officially liable for the scam losses. In the same email in July, HSBC referenced clause 12.4 of the ePayments code, which says a “user must not act with extreme carelessness in failing to protect the security of all passcodes”.
Aaron said he was saddled with shame and fear over the saga, and was mending damaged personal relationships.
“Getting me the money back was a relief, but I’m probably always going to be mentally scarred,” he said.
“A lot of people [believe] the bank is there to protect your money,” Aaron said. “They’re not there to protect your money, from my point of view right now, they’re there to protect their own interests.”
A recent landmark ruling by Australia’s financial complaints authority rejected HSBC’s argument that it was not liable for $47,000 stolen from one of the early victims and censured the bank for its customer service and adversarial approach to the case.
HSBC has said previously it had improved its fraud and scam prevention systems, including increasing SMS warnings for customers making payments of more than $500, limiting payments to some cryptocurrency platforms, and adding 70 people to the bank’s fraud and scams team.
Financial Services Minister Stephen Jones said it was likely multiple overseas criminal gangs were behind the long-running HSBC impersonation scam.
“They purchase stolen data and operate a boiler room, which is like a call centre operation,” Jones said.
More to come.












