Scotiabank Customer’s $20k Fraud Fight: Bank Blamed Him, Media Helped Get Money Back

A Canadian customer was hit with nearly $20,000 in fraudulent credit card charges last year after receiving a sophisticated spoofed phone call. Despite his insistence that he did not share a crucial security code, Scotiabank initially held him liable for the full amount, highlighting significant challenges customers can face when battling banks over fraud and raising questions about transparency and investigation standards. This case underscores the growing issue of credit card fraud and the responsibility of financial institutions.

The Spoofed Call and Suspicious Charges

Jordon Judge received a call in October claiming to be from Scotiabank. The caller used “spoofing” technology to make it appear as a legitimate bank number. The fraudster alerted Judge to two suspicious charges on his Visa card, which Judge confirmed he did not authorize. The caller claimed they would block the charges.

However, two days later, Judge discovered two large transactions on his statement: one for $17,900 to Anglia Ruskin University in the U.K. and another for $1,800 to someone named Paula S. Taylor.

“Those were not my charges,” Judge told Go Public, expressing his astonishment. He believed he would not be held accountable for unauthorized transactions.

Bank Insists Customer Was Liable

Despite Judge’s claims, Scotiabank initially insisted he was responsible for the almost $20,000 in fraudulent charges, plus accumulating interest.

Under federal law in Canada, customer liability for unauthorized credit card transactions is typically capped at $50 unless the bank can prove the customer was grossly negligent in protecting their card or information. Scotiabank’s stance implied they believed Judge was somehow responsible beyond this minimal limit.

The Role of the One-Time Passcode

During the initial spoofed call, the fraudster asked Judge for his birth date and mother’s maiden name, which he provided. Crucially, the fraudster also asked him to share a “one-time passcode” (OTP) that had been texted to his phone for authorization.

Judge stated he refused to share this code because the text message explicitly warned him not to disclose it to anyone, including Scotiabank representatives.

Scotiabank one-time passcode text message warning customer not to share code during credit card transaction.

Despite Judge’s refusal to share the code, Scotiabank’s internal reviews continued to place responsibility on him. Letters from the bank’s Escalated Customer Concerns Office (ECCO) and the Customer Complaints Appeals Office cited the use of a one-time passcode for the university charge, stating that the code being sent to Judge’s phone “indicates” or “suggests” it was disclosed.

Experts Question Scotiabank’s Investigation

The bank’s lack of clear evidence and reliance on inference drew criticism from experts and advocacy groups.

Geoff White, executive director of the Public Interest Advocacy Centre, found it “concerning” that Scotiabank held Judge responsible without providing concrete evidence. “Evidence that may ‘suggest’ something isn’t evidence of a fact,” White said. He argued the onus is on financial institutions to secure their systems and processes, not on individuals to prove their innocence.

Cybersecurity expert Claudiu Popa, with 35 years of experience, reviewed Scotiabank’s correspondence. He stated the bank failed to demonstrate it had conducted even a “basic investigation,” which would typically involve reviewing time-stamped logs showing when an OTP was received and when it was entered. Popa noted such evidence was never provided by the bank.

Geoff White, Director of the Public Interest Advocacy Centre, commenting on bank liability in credit card fraud cases.

Popa also countered Scotiabank’s assertion that one-time passcodes are a proven fraud deterrent, explaining that codes sent via email or SMS are vulnerable to various compromises, including malware, spyware, and SIM hijacking, making them less secure than authenticator apps.

The Vulnerability of SMS Passcodes

The Canadian Anti-Fraud Centre (CAFC) also recommends using authenticator apps over SMS or email passcodes. CAFC spokesperson Jeff Horncastle explained that authenticator apps generate time-sensitive passcodes that are not susceptible to SIM swapping or text/email interception, which can allow fraudsters to gain access to these codes.

Advocacy groups like Option consommateurs in Quebec have been pushing the federal government to strengthen consumer protections in banking. They propose that the Bank Act should mandate transparency in bank investigations and clarify that the bank bears the burden of proof when claiming a customer was highly negligent.

Cybersecurity expert Claudiu Popa discusses bank fraud investigations and evidence requirements.

How Judge Finally Got His Money Back

The situation changed after the media outlet Go Public became involved.

Go Public contacted Anglia Ruskin University about the $17,900 charge. A university representative confirmed that Scotiabank had never contacted them regarding the transaction – a detail that further surprised the cybersecurity expert, Popa, who felt the bank had a duty to investigate such leads.

Following inquiries from Go Public, the university conducted its own investigation and subsequently reimbursed Judge for the $17,900 charge. They did not provide details on their findings.

Go Public also repeatedly asked Scotiabank for the evidence supporting its decision to hold Judge responsible. While the bank did not directly respond to these inquiries, it eventually credited Judge’s account for the remaining $1,800 charge to “Paula S. Taylor” and the interest that had accrued on both transactions.

Judge received no explanation from Scotiabank for this change of heart after months of fighting. He previously declined a $200 “goodwill gesture” from the bank that would have required him to drop his claim. Judge expressed frustration that it seemingly took media involvement for the bank to fully address the issue.

Implications for Other Customers

Although Jordon Judge was eventually fully compensated after an eight-month ordeal, his experience highlights a significant concern: the difficulty customers can face in challenging bank decisions regarding fraud, especially when banks lack transparency or fail to provide clear evidence.

Cybersecurity expert Claudiu Popa worried that many others in similar situations may not have the resources or ability to pressure their financial institutions for transparency and resolution. This suggests a potential for individuals to be “silently victimized” by sophisticated fraud and opaque bank processes.

This case reinforces the importance of understanding your bank’s fraud policies, being vigilant against scams, and potentially pushing for detailed explanations and evidence if you become a victim. It also adds weight to calls for stronger regulations requiring transparency and placing the burden of proof on banks in cases of disputed fraud liability.