The corporate watchdog is suing multinational banking giant HSBC over a scam that netted $23 million, alleging it failed to protect 950 Australian customers from a long-running “spoofing” scam.
The Australian Securities and Investments Commission (ASIC) lodged the claim against HSBC’s Australian arm in the federal court today, with details showing the global scam had a much bigger local impact than first thought.
The action relates to 950 reports alleging scammers netted $23 million over nearly five years from January 2020 to August 2024.
Some customers lost more than $90,000 each, with scam reports peaking in the period between October 2023 and March 2024.
ASIC Deputy Chair Sarah Court alleged the bank’s failings were “widespread and systemic”.
“All banks need to pull their weight in the fight against scams. We will not hesitate to take court action where we consider banks fail to comply with their obligations to protect their customers,” she said.
Ms Court said ASIC believed the case was the first of its kind.
“This is the very first time that we have held a financial institution to account for what we consider to be these widespread complaints failures. I also suspect that it is the first case of this kind taken globally.”
The “spoofing” scam relied on fraudsters using software to disguise their phone number so that text messages appeared in the same text chain as legitimate HSBC messages.
Scam calls also appeared to be from the bank.
Scammers then warned customers that suspicious transactions had appeared on their accounts, prompting them to panic and call a number which connected them to a fake fraud team, complete with an HSBC on-hold message.
Under the guise of helping protect their account, scammers coerced customers into sharing information which allowed them to seize control of accounts and access funds.
ASIC alleges it took the bank 145 days to investigate some reports and 95 days to unlock some accounts, with one customer waiting 542 days to regain access to an account.
HSBC was required to complete an investigation into a report of an unauthorised transaction within 21 days, and within 45 days in exceptional circumstances.
The ACCC’s National Anti-Scam Centre issued an alert in February, warning customers of calls and texts which impersonated the bank. The ACCC also raised its concerns directly with the bank.
ASIC has been investigating HSBC for months and spoke with victims about their experiences.
While there are no laws mandating how banks should act in relation to scams, they have a legal obligation to protect the personal information of customers which is reinforced by various industry codes.
Ms Court said it was too early to speculate on the extent of the penalties and costs that HSBC might incur as a result of the legal action.
“In this case the maximum penalties are so high that I would say they are almost theoretical,” she said.
“What I can tell you though is that if we are successful in that case, we will be seeking very significant penalties, firstly to send a message to HSBC … but also importantly to send a broad message to the banking sector … that they have to take these obligations very seriously.”
Consumer Action CEO Stephanie Tonkin said the court action sent a “clear and important signal” to all banks and underscored why the government’s Scams Bill needed to make redress for victims “front and centre”.
“The stories we heard from the HSBC victims who contacted us were heartbreaking, they were shamed by their bank and denied support when they reached out for help,” Ms Tonkin said.
Customers take on HSBC
In late January, Mary Yu received a text saying someone had tried to create a verification code for her HSBC account.
It appeared in the same thread as bank messages about her home loan.
The Melbourne woman called what she thought was the bank’s helpline.
“Unfortunately, I made that call, and that’s when my nightmare began,” she said.
The person who answered pretended to be from the bank’s fraud team and reassured her they would help secure her account against fraud.
They already knew details about her recent transactions, she said.
Unlike other victims, she didn’t read out a one-time pass code, but she did provide her username and an answer to a personal question the bank used to authenticate her.
Ms Yu went to bed thinking her money was safe.
Instead, the scammer removed her from the account, increased the daily limit and shifted almost $100,000 over consecutive days, before it was stolen.
“It wasn’t until the next morning when I woke up and received an email overnight from HSBC saying that there’s been some new suspicious activities happening in my account.
“That’s when it occurred to me, ‘I was scammed’.”
Ms Yu sought reimbursement from HSBC, but the bank refused, saying she was to blame for sharing her personal details.
She took her complaint to the Australian Financial Complaints Authority (AFCA) and the bank initially offered to reimburse a small amount — which she declined.
After 10 months she was eventually repaid $90,000 but is highly critical of how HSBC handled her case.
“It just felt like talking to a brick wall,” Ms Yu said.
Ms Yu is one of about 80 scam victims who banded together in a support group.
Bank improves security measures
A key turning point was a landmark determination by AFCA in August which found the bank should repay a scam victim in full and pay additional compensation for breaching the banking code.
Even though the victim had disclosed pass codes to the scammer that had been used to steal their money, AFCA found the person hadn’t done so voluntarily because they had been manipulated into believing they were talking to the bank.
AFCA was also highly critical of the bank, finding it had failed to respond to the customer about its fraud investigation in the promised time frame, hadn’t put them through to the fraud team and the customer had been forced to escalate the case themselves.
Since the AFCA decision, the bank’s approach to financial settlements has improved.
In late March, the bank published a warning which said, “Increasingly scammers are reaching out to potential victims through cold calls, SMS messages, and social media claiming that an urgent account issue such as a recent transaction”.
The bank eventually took measures to improve security by changing how customers increased their daily limit, making it impossible to do so from the banking app or online without first calling HSBC.
There were 360 complaints made to AFCA about the HSBC spoofing scam but just 17 remain open.
HSBC said in a statement it has been working with AFCA.
“Almost all of those remaining cases have now been resolved and those that remain are expected to be resolved shortly,” it said.
“We continue to make significant investments in our fraud and scam prevention, detection, and response, with specific efforts on preventing impersonation scams and ‘spoofing’ of phone numbers.”
HSBC has blocked payments to some high-risk channels, like cryptocurrency platforms, and increased SMS warnings for payments over $500.
The bank has also put its telephone numbers on a register that allows telecommunication companies to block outbound calls and prevent spoofing.