KUALA LUMPUR – Multinational banking giant HSBC is being sued for AU$23 million (RM64 million) for failing to protect 950 Australian customers from a long-running “spoofing” scam which operated from January 2020 to August 2024.
The Australian Securities and Investments Commission (Asic) lodged the claim against HSBC’s Australian arm in the federal court today, revealing that the global scam had a significantly larger local impact than initially estimated, reported ABC.
Over nearly five years, scammers managed to extract a total of AU$23 million, with individual losses exceeding AU$90,000 in some cases.
Scam reports were particularly high between October 2023 and March 2024.
The corporate watchdog’s investigation uncovered that HSBC often took an excessive amount of time to address scam reports, with some cases taking up to 145 days to investigate and even longer to unlock affected accounts.
In one extreme case, a customer had to wait 542 days to regain access to their account, far exceeding the regulatory requirement of resolving unauthorised transaction reports within 21 days, or 45 days under exceptional circumstances.
Deputy Chair Sarah Court of Asic said: “We will not hesitate to take court action where we consider banks fail to comply with their obligations to protect their customers.”
She emphasised that HSBC’s failings were “widespread and systemic,” marking the first instance where a financial institution is being held accountable for such extensive complaint failures.
“This is the very first time that we have held a financial institution to account for what we consider to be these widespread complaints failures. I also suspect that it is the first case of this kind taken globally,” she remarked.
The spoofing scam involved fraudsters using sophisticated software to disguise their phone numbers, making text messages and calls appear as though they were coming from HSBC.
Victims received messages that mimicked legitimate HSBC communications, including alerts about suspicious transactions related to their accounts. When customers panicked and called the provided numbers, they were connected to fake fraud teams that appeared genuine, complete with HSBC’s on-hold messages.
These scammers then persuaded customers to share personal information, allowing them to seize control of accounts and transfer funds illicitly.
One notable victim, Mary Yu, recounted her ordeal after receiving a text about her HSBC account appearing alongside genuine bank messages regarding her home loan.
Believing the message to be authentic, she called the number provided and spoke with someone who posed as a member of HSBC’s fraud team.
“Unfortunately, I made that call, and that’s when my nightmare began,” Yu explained.
The scammer, appearing knowledgeable about her recent transactions, convinced her to provide her username and answer a personal security question.
“It wasn’t until the next morning when I woke up to an email from HSBC about suspicious activities that I realised I’d been scammed,” she said.
Despite her efforts to seek reimbursement, HSBC initially blamed her for sharing her personal details. After escalating her complaint to the Australian Financial Complaints Authority (Afca), Yu was eventually repaid AU$90,000 after a 10-month ordeal.
“It just felt like talking to a brick wall,” she expressed, highlighting the bank’s inadequate response to her situation.
The Australian Competition and Consumer Commission’s (ACCC) National Anti-Scam Centre had issued alerts as early as February, warning customers about impersonation attempts via calls and texts. Despite these warnings and direct concerns raised by the ACCC, HSBC’s response was deemed insufficient by Asic.
Court noted the potential for significant penalties, saying: “We will be seeking very significant penalties to send a message not just to HSBC but to the banking sector as a whole.”
She added that the maximum penalties, while currently theoretical, could set a strong precedent for future cases.
Following a landmark decision by Afca in August, which mandated HSBC to fully reimburse a scam victim despite the victim having shared passcodes under duress, the bank began implementing more robust security measures.
These improvements include requiring customers to call the bank directly to increase their daily transaction limits, thereby preventing unauthorised changes through the banking app or online platforms.
Additionally, HSBC has blocked payments to high-risk channels such as cryptocurrency platforms and enhanced SMS warnings for transactions exceeding AU$500. The bank has also registered its telephone numbers on a special register to prevent spoofing and reduce the incidence of fraudulent calls.
HSBC has responded by stating that it has been working closely with Afca to resolve the majority of scam-related complaints.
“Almost all of those remaining cases have now been resolved and those that remain are expected to be resolved shortly,” the bank commented. HSBC also emphasised its ongoing commitment to investing in fraud and scam prevention, detection, and response initiatives to protect its customers from future threats. – December 16, 2024