[Charts: Stage at which scams complaints closed; Top three scam complaint products (received); Time taken to close scams complaints (0–30, 31–60, 61–180, 181–365 and more than 365 days)]
- AFCA continues to see a significant volume of complaints involving scams.
- Consumers who fall victim to scams suffer financially and emotionally, and the outcomes can be devastating.
- As scams continue to evolve, AFCA is working closely with industry, regulators and governments to keep our approaches to this dynamic space aligned, and to ensure we help consumers and financial firms resolve complaints efficiently and fairly.
- As we evolve our understanding and approach, definitions of scam and fraud will become clearer. Currently, AFCA classifies all types of scams and fraud as scams.
From 1 July 2022 to 30 June 2023, AFCA received 6,048 scam-related complaints and closed 5,354. Most of the complaints (59%) were closed at the Registration and Referral stage. At the Case Management stage, we closed 1,585, or 30%. Around 5% of scam complaints, or 260, were closed at the Rules Review stage. We closed just over 3%, or 182, at the Preliminary Assessment stage. The Decision stage saw 194 complaints, or 4% of the total, closed.
The main products relating to scam complaints were personal transaction accounts (3,469 complaints) and then credit cards (834). We received 146 complaints relating to business transaction accounts.
Scams are often perpetrated by sophisticated international organised crime syndicates. In the past, most scams involved the unauthorised removal of funds from consumers’ bank or credit card accounts without their knowledge. We continue to see the scammers behind such unauthorised transactions adapt to new products and technologies. Separately, there has been growth in scam transactions where consumers are persuaded by scammers to authorise payments. Typically, authorised scams involve investments, romance and buyer/seller transactions. The most common type of scam continues to involve investments – particularly in cryptocurrencies.
Complaints to AFCA tend to be a lag indicator of trends in different types of scams, given the time it can take for consumers to realise they’ve been scammed and to complain about it. However, some scams we have been seeing point to increased sophistication and evolution of scams. Specifically, AFCA is seeing increasing numbers of ‘phishing’ and identity spoofing scams. A typical example would involve a consumer responding to an SMS purporting to be from their bank, clicking on a link to a fake bank site and being asked to enter their internet banking details.
Consumers are also falling victim to scammers who have collected data about them from various sources. Recent examples include scammers fraudulently collecting information about a person and loading it into a digital wallet on the scammer’s phone.
Case study – Digital wallets
The complainant received a text message stating she had an outstanding toll road invoice. She clicked on a link that took her to what she thought was the legitimate toll road operator’s website. Then she entered her credit card details to pay the invoice.
The website was fake and was used to harvest the complainant’s credit card details and a one-time password (OTP), which the complainant thought was needed to authorise the toll payment. This enabled the scammer to load the credit card as a digital card onto their own mobile phone.
Shortly after, the scammer used their mobile phone to make 16 transactions of $1,000 each at well-known retail stores. No further PIN or pass code was required to make the disputed transactions. The complainant reported the disputed transactions to her financial firm the following day.
The financial firm said the complainant had authorised the disputed transactions because, by allowing the scammer to add the credit card details to the digital wallet, she must have disclosed the OTP.
Findings and outcome
The ombudsman found the disputed transactions were unauthorised. This meant the liability provisions of the ePayments Code (the Code) applied. Under clause 10.2 of the Code, a card holder is not liable for unauthorised transactions that are made using an ‘identifier’ without a ‘pass code’ or a ‘device’.
A digital card is an ‘identifier’ and the disputed transactions did not require a pass code or device. The mobile phone onto which the digital card was loaded was not a device as defined by the Code. Therefore, under clause 10.2 of the Code, the financial firm was liable for the disputed transactions.
The financial firm said the complainant breached the pass code security requirements of the Code, which require card holders not to disclose pass codes that are needed to perform transactions (clause 12.1). The financial firm said the complainant must have disclosed the OTP to enable the credit card to be added to the digital wallet.
The ombudsman found the complainant did not knowingly disclose the OTP to the third party. She thought she was engaging with a legitimate website to authorise a payment. The OTP was not a pass code needed to ‘perform a transaction’. The Code distinguishes between pass codes needed to perform transactions and pass codes needed to authenticate users (which the OTP arguably did). A card holder is only liable if they disclose pass codes needed to perform transactions.