WENDY KNOWLER | Beware the digital wallet gambit

Fraudsters are using these payment services to mine victims’ credit cards — and the banking ombud has told banks they are liable

These days, a suspicious text or an unexpected phone call can heighten fears of being targeted by faceless fraudsters and impostors, says the writer. Stock photo. (123RF)

Fewer than one in four complaints lodged by aggrieved bank customers with the Ombud for Banking Services (OBS) are resolved in favour of the customer.

The sad reality is that most complaints arise because of fraud, and if the customer is found to have been duped into giving a fraudster access to their bank account, the ombud’s office can’t hold the bank liable. Not unless the bank could have prevented the fraudulent transactions from happening, had it acted promptly when the victim reported it.

But here’s the interesting bit: in the case of one form of bank fraud — which is particularly rampant now, and leading to substantial losses — the ombud’s office is finding in favour of customers in 100% of cases.

I’m talking about digital wallet fraud — one major bank alone reportedly received more than 6,000 complaints from clients who had fallen victim to it between January 2022 and the end of May this year. Here’s how it works: the fraudster sets up an account with a payment platform such as Apple Pay or Google Pay on their smartwatch or phone, and then links the victim’s stolen credit card details — card number, expiry date and the CVV number — to it.

But before a payment platform on a smart device can be linked to a credit card, the credit card account holder must approve it. So the bank sends the credit card account holder an SMS about the linking request, along with a code, and the linking is only successful when that code is entered into the payment platform set up on said device.

That raises the question — how does the fraudster get that code from the victim?

Reana Steyn, the ombud, said fraudsters were impersonating legitimate businesses such as the South African Post Office, courier services and VodaBucks, “which require clients to enter OTPs [one-time pins] to redeem credits”.

“Through these fake website links and email addresses, the fraudsters have been able to obtain all the details they require to get approval for the linking of their devices to the payment platforms.”

So why, if the victims have indeed been authorising those links — albeit unwittingly — has the ombud’s office been finding in their favour and recommending that the bank reimburses their losses? The reasoning is two-fold: that “linking” text notification that banks have been sending their customers does not sufficiently alert them to the potential fraud risk, and the victim gets no further warnings or any OTP notifications as the fraudster starts spending on their account.

Once the victim has authorised the linking of their credit card to the crook’s device, that crook can go on a spending spree, hovering their phone or smartwatch over those till-point scanners repeatedly, without the need for any OTPs. 

“It’s a question of mandate,” Steyn said. “The bank needs to act on the mandate and instructions of the client to make a payment. Yes, the victims have erroneously given the bank permission to link the fraudster’s device to their credit card, because they didn’t understand what they were authorising. But the mandate is to link the device, not to make payments willy nilly indefinitely without further notification.”

There needs to be a layer of security for every payment made via digital wallet, Steyn said, as is the case with traditional credit card purchases. When digital wallet fraud first came to light last year, the banks refused to be held liable for any of their clients’ losses, but the good news is that after strident talks with the ombud’s office — and multiple complaints settled in their clients’ favour — the banks are now settling and as a result, fewer victims are lodging complaints with the ombud’s office.

Of the 154 digital wallet fraud complaints lodged with the ombud since January, 132 have been settled, all of them in favour of the complainants, recovering for them a total of R2.5m; an average of R19,000 per complainant.

But one bank has dug its heels in. I so wish I could name it, but I can’t; at least not yet. “They believe the OBS is wrong, and are refusing to settle the losses of those clients who fall victim to this form of credit card fraud,” Steyn told me.

She is meeting with that bank’s executives this week in the hope that they come round. For the clients of the other banks, the ombud’s intervention has been a godsend — not only are those who have fallen for this form of fraud breathing sighs of relief, but the banks have been compelled to engage with the various payment platforms about introducing additional security layers for digital wallet payments.

Shortly after I reported on the ombud’s first warning about digital wallet fraud in August, I heard from the mother of a young Cape Town-based doctor, who had fallen victim to it two months earlier. Five payments within the space of two minutes, totalling about R11,500, were paid to an entity listed as Nuttachai International.

Most of these fraudulent digital wallet purchases are happening in foreign jurisdictions such as Dubai, France, Thailand and Spain, while the legitimate cardholders are in South Africa — “a clear indication of an international syndicate at work”, Steyn said.

The doctor’s bank had denied all liability for her losses, hence her mother’s approach to me. My advice was that her daughter lodge a complaint with the ombud. A short while later she came back to me to thank me for that advice.

“We lodged the complaint and then the bank guy who had earlier told [her daughter] that they couldn’t help her, phoned her to say they had ‘decided to make an exception’ and reimburse her. Great joy all round.”

Well done to the OBS, and, while we wait for digital wallet anti-fraud messaging to improve, think hard — very hard — before you respond to any card “link” request sent to you by your bank.

• Contact Knowler for advice with your consumer issues via email consumer@knowler.co.za or on X (Twitter) @wendyknowler
