WOMAN WHO LOST LIFE SAVINGS IN PHISHING SCAM TAKES ON ING BANK AND WINS

Claudia Lee was travelling in the Central American nation of El Salvador in 2024 when she checked her Australian bank account and realised something was terribly wrong.

The then-26-year-old Darwin woman's ING account had been accessed by a phishing scammer and the bank failed to alert her that anything was possibly amiss.

"I checked my savings account and it'd been fully drained — $48,000 had been taken out of it and I was left with 39 cents," she said.

After facing tech troubles accessing her ING app, Ms Lee had inadvertently clicked on a text message which took her to a fake ING website where she had entered her details.

"It was devastating, it was crazy, because it was the sort of thing I would've thought could never happen to me," she said.

"I'm a young person, I've got relatively good digital literacy and this still happened."

What followed was an anxiety-inducing 18-month saga to try to get ING to take responsibility and reimburse her the money she lost after she said the bank missed a series of red flags.

Her solicitor Tom Hutton said within 48 hours of Ms Lee clicking on the link, the scammer had changed her personal contact details and withdrawn her funds, with ING doing nothing to stop them.

"All of Claudia's contact details had been changed, a joint account had been opened in her name, the transaction limit had been raised from $5,000 to above $20,000, all of her savings had been withdrawn," he said.

"All of that happened without the bank having spoken to Claudia."

Ms Lee had previously notified ING that she was going to be travelling abroad at that time.

She was luckily at the tail end of a months-long trip when she was hit by the scammer and had her return tickets back to Australia already booked.

"I had next to no money left and that was drained very quickly because I had to travel from El Salvador back to Guatemala, and then I was flying through the US to come back to Australia," she said.

"So by the time I got back, I had pretty much nothing and needed to start from scratch."

However, ING refused to admit fault and would not pay up.

"They were a very difficult entity to deal with," Mr Hutton said.

"They were unresponsive and adversarial, right until the end.

"Which in these circumstances was particularly disappointing — a young woman who has lost the entirety of her savings, through really very little fault of her own, we thought."

Authority rules against ING

After months of inaction from ING, Ms Lee took the case to industry regulator the Australian Financial Complaints Authority (AFCA).

In November last year, AFCA ruled in her favour and ING was forced to reimburse her the full amount of her losses, plus compensation.

"The bank has not been able to show, on balance of probabilities, the complainant voluntarily disclosed her pass code or acted with extreme carelessness in failing to protect her pass codes," ombudsman Nay Sharafeldin wrote.

"In addition, I consider the complainant suffered stress and inconvenience by the bank's unclear communication about the progress of the recall requests."

Ms Lee is no longer a customer of ING and is now calling on it and other banks to work towards improving their scam protection policies.

"I think about all the groups out there that are more vulnerable than I am," she said.

"Whether it's older Australians, people with lower tech literacy, people who speak English as a second language.

"As these scams are becoming more sophisticated, it doesn't feel like the protections are becoming better for everyday people."

In a statement, an ING spokesperson said "while confidentiality prevents us from commenting on the specifics of this case, we take responsibility when we get things wrong".

"Our review found that our communications with the customer did not meet our standards and we should have engaged differently," they said.

"We apologise for this."

When asked whether ING had done anything to strengthen its security processes since Ms Lee's complaint, the spokesperson said it was becoming "increasingly difficult to identify and resolve matters where a customer is a victim of a scam that has involved phishing".

"Banks, telecommunications providers and digital platforms are increasingly working together to prevent crime through a combination of consumer education and technology solutions," the bank said.

Regulators 'should come down hard'

Charles Darwin University cybersecurity expert Bharanidharan Shanmugam said there needed to be more of an onus on Australian banks to protect customers from phishing scams.

"I would suggest the regulators should come down hard on banks," he said.

"Making sure that if there are any moneys being lost, the banks should be made accountable for that.

"The banks could come back and argue that 'oh, it's a customer's mistake and we don't have any control over those mistakes by the clients' — but it is not the case.

"There could be more controls so that the account is being safeguarded from any of the malicious activities."

Dr Shanmugam also called on the federal government to strengthen existing consumer banking laws to ensure the banks were legally responsible for money scammed from customers.

In a statement, Assistant Treasurer Daniel Mulino said the Commonwealth was working to address the "serious harm scams can cause Australians, including when they are travelling overseas".

Mr Mulino said the government's Scams Prevention Framework was commencing later this year, and would place more "responsibility on banks and other sectors to do more to prevent, detect and respond to scams through mandatory, enforceable obligations".

He said the framework would apply to Australian banking customers at home and overseas.