The transactions were made in the middle of the night from Europe while I was asleep in the UAE. As soon as I woke up and saw the transactions, I alerted my bank and they blocked the card. I also filled in a card dispute form.
However, in February, the bank told me that the transactions had been authorised with one-time passwords. I did not share any OTPs with anyone. The bank was not helpful and has since closed the case.
I even contacted the police e-crime department, but they were not able to resolve the case or return my money.
How was the OTP, which was supposed to have been sent to my registered phone number and email, accessed by the fraudsters?
What can I do next to recover my money? BK, Dubai
Debt Panellist 1: Steve Cronin, founder of DeadSimpleSaving.com
I’m sorry to hear about this, especially as I’m not sure you are going to get your money back easily.
Cyber fraud has gone through the roof and comes in a variety of forms. Some attacks encourage you to enter your card details in a fraudulent website.
Others find a way to get you to enter the OTP without realising what you are doing.
More dangerous is a SIM swap, where the fraudster convinces your phone’s network provider to send them a copy of your SIM card. This is how they could receive the OTP without you being aware of anything.
However, there are other signs of a SIM swap and providers are trying to make it harder for fraudsters to impersonate you.
These signs include: you suddenly can’t send messages or make calls, you get a message saying your SIM has been activated somewhere else, receive messages about failed log-in attempts or changes to passwords and security questions.
You may also be unable to access your account with your network provider, cannot use certain apps on your phone or notice unusual activity on your social media accounts.
You did everything right by immediately calling the bank to block the card and filling in a dispute form.
Did the fraudsters manage to get the OTP generated from the account or is this an excuse from your bank? You may never find out, but you could try to ask for proof from your bank that the OTP was sent out.
If you are unhappy with the bank’s response, you can complain to the UAE Central Bank’s Consumer Protection Unit online or in person at a branch.
You will need to inform the bank that you are unhappy with their actions and request they propose a solution within 30 days before you complain to the UAE Central Bank.
If, after 30 days, they have not responded satisfactorily, then you can make your complaint to the Consumer Protection Unit.
More and more of these cases are happening, so even if your case is not resolved, it will contribute to showing the UAE Central Bank that financial institutions need greater security processes for the authentication of card transactions.
You should also contact the merchant involved in the transactions, as they may be prepared to reverse the transaction once they know it is fraudulent.
In future, protect your email, bank and social media accounts through Two-Factor Authentication (2FA) on an authorisation app, so fraudsters can’t get access to your email or bank details.
This also removes the need for use of OTPs. You may want to get a new card provider — try to find one that authenticates payments via 2FA involving your face or thumb on your mobile, rather than using OTPs. As you have discovered, OTPs are not very secure at all.
Finally, keep your card limit low so you won’t lose too much if your card is hacked again.
Debt Panellist 2: Carol Glynn, founder of Conscious Finance Coaching
I'm sorry to hear that you've been a victim of cyber fraud.
It sounds like you've already taken some steps to address the issue, such as alerting your bank, filling in a card dispute form and contacting the police e-crime department.
However, since the bank has closed the case and you haven't been able to recover your lost funds, there are a few additional steps you could take.
These include contacting your bank again and requesting a detailed investigation into the unauthorised transactions.
You could also ask for clarification on how the transactions were authorised with OTPs without your knowledge or consent.
Watch: What is cyber crime and how can I protect myself online?
Ask for evidence, such as transaction logs or IP addresses, to determine the source of the fraudulent transactions.
As a precautionary measure, change your online banking password, PIN and any other account credentials associated with your credit card.
Choose strong, unique passwords that are not easily guessable and enable 2FA wherever possible.
There are regulatory authorities and consumer protection agencies that oversee financial institutions.
Consider filing a complaint with the UAE Central Bank to escalate the issue and seek their assistance in resolving the matter.
You will need to have evidence you submitted a formal complaint to your bank and 30 days have elapsed without a satisfactory resolution.
You could also consider seeking legal and financial advice from professionals who specialise in cyber fraud or consumer protection.
They may provide you with guidance on your rights, options and steps to take to recover your lost funds.
Recovering lost funds from cyber fraud can be challenging — and it may take time and effort.
It's important to stay persistent and proactive in your efforts to resolve the issue.
Remember to document all your interactions with your bank, regulatory authorities and other relevant parties, and keep copies of any relevant documents or evidence as you may need it later.
The Debt Panel is a weekly column to help readers tackle their debts more effectively. If you have a question for the panel, write to email@example.com