Category Fraud/Crime

Internet Banking: Victims of phishing may have to carry the loss

22 September 2011 Norton Rose
Aslam Moosajee

Aslam Moosajee

If you allow your internet banking profile number, PIN and password to get into the hands of a third party, you will not be able to hold your bank liable for the losses you suffer.

Many of us regularly receive emails which purport to be from a bank. These emails usually contain a link and request you to click on the link to update your details. It also usually contains a threat that if you do not do so before the end of that day, you will not have access to internet banking. Those that have fallen prey to these emails subsequently discover that the email was not from their bank, but from a fraudster, who armed with the victim’s account number, PIN and password, fraudulently transfers money out of the victim’s account. This is commonly known in the banking industry as “phishing”.

A judgment delivered in the South Gauteng High Court late last year may have gone unnoticed, because it has not yet been reported, but banks can take comfort from the judgment.

In the case of Nashua Mobile (Pty) Ltd v G C Pale CC (CC), the CC sued Nashua Mobile for damages after money was fraudulently transferred out of its bank account, by a person who managed to obtain from Nashua Mobile a SIM card (through a SIM swap) containing the cell phone number of an employee of the CC. During January 2008, amounts in excess of R160000 were fraudulently transferred from the CC’s bank account, through a series of internet banking transactions, to beneficiaries unknown to the CC.

A Nedbank employee testified that a fraudster would require more than just the account holder’s SIM card to access the account. The fraudster would also require the account holder’s profile number, PIN and password. The Nedbank employee also explained that in order to gain access to the bank account, there had to be a combination of the account holder’s profile number, PIN and password together with the reference number that is sent by SMS by Nedbank to the client’s cell phone number.

It was argued before the court that even if Nashua Mobile was negligent in allowing the SIM swap, the CC’s claim ought to fail, because there was no causal connection between the loss and any negligence on the part of Nashua Mobile. The court concluded that the CC’s profile number, PIN and password must have been passed onto the fraudster by the employee of the CC falling victim to a phishing scam or that the fraudster would have needed a helping hand from somebody inside the bank or somebody else at the CC. The court therefore concluded that even if it is accepted that Nashua Mobile may have negligently issued the SIM card to the fraudster, the CC’s loss was too remote from any negligence on the part of Nashua Mobile, to impute liability on Nashua Mobile.

Even though the bank was not sued in this case, based on the reasoning in this case, if a bank’s customer is defrauded after falling victim to a phishing scam and after providing the fraudster with the profile number, PIN and password, a court will conclude that the proximate cause of the loss is the customer’s negligence in providing the profile number, PIN and password. Therefore the victim will not be able to hold the bank liable for his/her loss.

Aslam Moosajee
litigation & dispute resolution
Norton Rose South Africa

Quick Polls


The shocking crime and motor vehicle accident statistics shared during a recent SHA presentation suggests that group personal accident and personal accident cover are a no-brainer. Do you agree?


Not sure
fanews magazine
FAnews April 2024 Get the latest issue of FAnews

This month's headlines

FAIS Ombud lashes broker for multiple compliance blunders
TCF… a regulatory misfit initiative?
The impact of NHI on medical malpractice insurance
Fixed versus variable: can you have your cake and eat it too?
The future world of work
Subscribe now