After Louis lost $109k to scammers, banks are finally combatting the 'flaw' the scammers used
By ABC News
Louis May lost his $109,000 first home deposit to scammers in July last year.
The scam began with an email, purporting to be from his conveyancer, requesting property settlement, and included account details and a fraudulent PEXA (Property Exchange Australia) form.
The 24-year-old Sydney-based tradesman made two payments, but two days later received a message from the bank asking for settlement funds.
"It was the morning that I was supposed to get the keys to my new apartment," he said.
"It was the most horrible feeling I've ever had.
"I had to be on two phones at the same time to try to sort everything out. I couldn't work out what had gone wrong and was on hold for ages trying to call the police, call the bank, call the lawyers, call anyone."
He spoke to his conveyancer, discovered the scam, and immediately reported it to the bank. But the money was gone.
Now, the banking sector is rolling out a system intended to combat the security flaw the scammers used to trick him.
The system is called "Confirmation of Payee", and is intended to reduce scam losses by telling customers when a payment recipient's name does not match other account details.
The technology is intended to combat fake invoice and payment redirection scams, similar to the kind perpetrated against Mr May, which cost Australians $152.6 million last year.
Major and mid-tier banks would implement the system during July, the Australian Banking Association (ABA) said, with all other deposit-taking institutions like credit unions and building societies rolling it out by the end of the year.
While acknowledging the positive step, consumer and victim advocates criticised the banking sector for lagging behind other countries, and said the way Confirmation of Payee was designed meant customers often accepted liability for scams.
For Mr May, the technology came too late, and it's unclear whether it would have averted the scam.
He took his case to the Australian Financial Complaints Authority (AFCA).
In its determination, AFCA found the bank had told Mr May it only used BSB and account number when processing the electronic payments, advising him to check these details were correct.
As he prepared to send the second transfer of $100,000, he also received a warning the BSB and account number were not found in the bank's records, meaning the account could be new, or had received few payments.
"Scammers sometimes use new accounts to avoid detection — speak to the payee to check it's really them requesting the payment and confirm the BSB and account number," the warning stated.
A Commonwealth Bank spokesperson said prior to transferring the funds, Mr May called CBA to increase his transfer limit, prompting the bank to discuss scam risks.
"In addition, prior to making the transfer, Mr May was provided with a warning from CBA's NameCheck feature concerning the recipient account," the spokesperson said.
Mr May acknowledged he received the warning and had ticked a box stating he had read it, but said he went ahead believing the instructions had come from his conveyancer.
"I was worried I could lose my deposit or stuff up buying my house if I didn't transfer the money," he said.
"I have never done a bank transfer for such a large sum of money in my life before. I thought the bank would have my back."
AFCA deemed the bank's warnings to be adequate, and determined the bank was not required to compensate or take further action.
AFCA also noted the bank recalled the disputed transactions the day the scam was flagged, but no funds could be recovered.
A response to rising scams
Banks had invested $100 million in the new Confirmation of Payee technology, the ABA said.
Adrian Lovney, spokesperson for Australian Payments Plus, which developed the Confirmation of Payee system, said the service was "a simple concept" but one that "adds a powerful extra layer of protection for everyday transactions".
ABA chief executive Anna Bligh said while Australia was one of the only countries in the world where scam losses were reducing, investing further in scam-fighting tech was crucial.
A national awareness campaign to educate customers about the new technology is set to be run under the tagline: "Check the name. Spot the scam".
Financial losses reported to Scamwatch decreased by 33 per cent between 2023 and 2024, from $476.8 million to $318.8 million.
However, losses were up in the first five months of this year compared to last year, climbing from $114.8 million to $147.1 million, according to Scamwatch data.
An ABA spokesperson said scam losses in Australia would inevitably fluctuate but the overall trend was down.
How Confirmation of Payee will work
The new service activates when a customer makes a first-time payment using a BSB and account number.
After entering the account name and payment details, and before making a payment, a matching service checks whether the information matches the recipient's bank data.
If details match, the account name will be displayed for confirmation. If there's a close match, for example John Smyth instead of John Smith, the customer will see the account name and can confirm if it's correct.
Where details don't match, the customer will be shown a warning. The true account holder's name won't be shown to help protect privacy, except for some business and government accounts.
Once a warning is given, it is up to the customer to decide whether the payment goes ahead.
System 'puts onus on customer'
Witnessing what happened to her son Louis, Alex Brooks started her own podcast where she speaks to other scam victims, and became the vice president of advocacy group Scam Victim Alliance.
Confirmation of Payee may have helped her son detect the scam, but she is still critical of the approach banks have taken.
She said a system that warned of a mismatch and then required the customer to decide whether the payment progressed put the onus upon the customer to detect the scam.
"The banks' 'name checking' services online will continue to be more of a way to make customers fully liable for transfers," she said.
How Australia compares
The rollout of Confirmation of Payee was flagged at a global anti-scam roundtable in June during which the ABA also flagged that all new bank accounts would require biometric checks from the start of July.
Biometric checks usually involve some form of facial scan, but could also include fingerprint scanning, or behavioural analytics that verify customers' identities.
The roundtable offered a comparison point on how Australia compared with other countries in combating scams.
While Australia compared well to the US, it compared less favourably to the UK, which introduced Confirmation of Payee in 2020.
The UK has also made banks liable for most scam losses up to 85,000 British pounds ($177,530) since October, with repayment split between the sending and receiving bank, unless the bank proved the customer had been negligent.
UK banks were not liable for some types of transaction, including for scam payments made via cash or crypto, international transfer, or via the likes of PayPal.
Consumer Action Law Centre chief executive Stephanie Tonkin said Australia was a "honeypot" for scammers. (ABC News: Patrick Stone)
Speaking on the UK's progress, Robert Harris, from fraud detection company Feedzai, said since October 86 per cent of fraud losses had been reimbursed to customers.
"Probably the biggest surprise to many is that there's been no increase in claims. On average the number of claims has actually gone down," Mr Harris said.
Repayment being split between the sending and receiving bank has also fostered more collaboration and information exchange to stop fraud, with 86 per cent of receiving banks being told of the scam within two hours of the customer flagging with their bank, Mr Harris said.
Consumer Action Law Centre chief executive Stephanie Tonkin said compensation rates in Australia were far lower, and the country should adopt a similar model to the UK, making banks more liable.
She pointed to recent Australian Securities and Investments Commission (ASIC) reports showing banks were reimbursing two to seven per cent of scam losses.
"So victims are paying billion-dollar losses, which is extraordinary," she said.
Ms Tonkin said scam victims could bring a case against a bank if the bank had failed to meet responsibility standards, but it was on the victim to prove the business's failures had caused the loss.
An ABA spokesperson said where banks were at fault, they reimbursed customers, and that would continue.
The spokesperson argued a UK-style model risked undermining Australia's "whole-of-scam-chain approach".
"It also fails to incentivise other sectors such as telecommunications and social media platforms which actually deliver scams to customers … to improve or strengthen their protections," the spokesperson said.
A flaw that 'bred a billion-dollar industry'
Ken Gamble, chairman of cybercrime investigation agency IFW Global, described the lack of payee verification as a "fundamental flaw" in the banking system which had incubated "a billion-dollar scam industry."
"I'm just in disbelief banks haven't changed this flaw years and years ago," he said.
Mr Gamble said among the most common scams exploiting lack of payee verification were term deposit scams.
Victims would search online for term deposit comparisons, click on a fraudulent website, and be contacted by someone claiming to be from a bank.
The victim would deposit money into an account they thought was in their name, and because there was no name verification, the victim would not be told the account was actually in another's name.
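The check the article describes for Confirmation of Payee (match, close match, or mismatch with the holder's name withheld) can be sketched in code and applied to the term deposit case above, where the payer expects the account to be in their own name. This is an added example, not code from the ABC article, Australian Payments Plus or any bank. The directory, names, BSBs, similarity threshold and the handling of unknown accounts are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from enum import Enum
from typing import Optional


class Outcome(Enum):
    MATCH = "match"
    CLOSE_MATCH = "close match"
    NO_MATCH = "no match"
    NOT_CHECKED = "not checked"  # payee has been paid before, so no check runs


@dataclass(frozen=True)
class Account:
    holder: str
    kind: str  # "personal", "business" or "government"


@dataclass(frozen=True)
class Result:
    outcome: Outcome
    shown_name: Optional[str]  # account name the payer is allowed to see
    warning: bool              # True when the payer is shown a mismatch warning


# Constructed directory keyed by (BSB, account number), standing in for
# the recipient bank's records. All names and numbers are made up.
DIRECTORY = {
    ("000-001", "11112222"): Account("John Smith", "personal"),
    ("000-002", "33334444"): Account("R Nguyen", "personal"),
    ("000-003", "55556666"): Account("Quick Trade Holdings Pty Ltd", "business"),
}

CLOSE_THRESHOLD = 0.85  # assumed similarity cut-off for a "close match"


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())


def check_payee(entered_name: str, bsb: str, account_no: str,
                first_time: bool = True) -> Result:
    if not first_time:
        return Result(Outcome.NOT_CHECKED, None, False)
    account = DIRECTORY.get((bsb, account_no))
    if account is None:  # assumption: an unknown account is treated as a mismatch
        return Result(Outcome.NO_MATCH, None, True)
    entered, held = normalise(entered_name), normalise(account.holder)
    if entered == held:
        return Result(Outcome.MATCH, account.holder, False)
    if SequenceMatcher(None, entered, held).ratio() >= CLOSE_THRESHOLD:
        return Result(Outcome.CLOSE_MATCH, account.holder, False)
    # Mismatch: a personal holder's name stays hidden; business and
    # government names may be shown (the article says "some" are).
    shown = account.holder if account.kind in ("business", "government") else None
    return Result(Outcome.NO_MATCH, shown, True)


if __name__ == "__main__":
    # The payer believes account 000-002 33334444 is in their own name.
    print(check_payee("Pat Citizen", "000-002", "33334444"))
    print(check_payee("John Smyth", "000-001", "11112222"))
```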
Mr Gamble welcomed the inclusion of biometric checks for new bank accounts but said it would not solve "the money mule-problem" – where scammers used the accounts of real people, who were often ignorant they were involved in a crime, who allowed their accounts to be used for a small fee.
An ABA spokesperson said banks now have enhanced intelligence sharing with each other to help combat mules.
"We know international criminal gangs will continue to evolve their tactics and find new ways to steal money — it's therefore crucial government, banks, telcos, digital platforms as well as consumers all play an ongoing role in the fight against scammers."
Progress on the Scam-Safe Accord
Confirmation of Payee was a key initiative of the sector's "Scam-Safe Accord" — a set of safeguards banks signed up to in 2023 following a sharp rise in scam losses.
Most other initiatives in the accord are complete, including intelligence sharing between banks, limiting of payments to high-risk channels like crypto exchanges, and implementation of a comprehensive anti-scam strategy, the ABA says.
An initiative to introduce warnings and delays for transactions to new unknown payees has been implemented for over 90 per cent of retail customers, the ABA says.
A lasting impact
For Mr May, the loss of his first home deposit has had a lasting impact.
With the help of his family, he was able to settle on the home, but it left him with no money to fix up the apartment he bought, and he was unable to move in.
"I had to keep taking overtime, so I worked pretty much seven days a week to try to get the strata levy together," he said.
"It's on your mind all the time, until you work out you just have to put it out of your head to get away from it."
By Geraden Cann