My husband recently phoned the call centre for our bank in the UAE, where we have a current account. He wasn’t able to book a golf session using his credit card and wanted to know why.
The agent asked him to contact their concierge. Within 15 minutes, he received a call from a person who claimed to be from the concierge department and defrauded him of Dh11,000 ($2,995).
How did the fraudster know my husband was looking to book a golf session?
The bank has denied responsibility for the issue, claiming that it was my husband’s fault for passing on the one-time password to the caller.
They refused to conduct an internal investigation. Although the police investigated the matter, they discovered that the money had been converted into cryptocurrency, so it was impossible to trace.
Is there a way to recover the money? We’ve been hearing that such phone scams are on the rise. Please advise. MF, Dubai
Debt panellist 1: Steve Cronin, founder of DeadSimpleSaving.com
The simplest diagnosis of your issue is that someone working in the bank may have helped to defraud your husband. Their motive is likely to be greed.
A hacker with access to the bank’s phone or data systems is possible, but it would take a lot to be able to analyse all the latest information from customers almost instantly.
The other alternative is that the bank was never called in the first place and your husband’s phone or the call centre number had been compromised.
Your husband’s big mistake was to share the OTP over the phone. Banks emphasise that there is never a situation in which they would request this information.
It is unlikely you will get your money back now that the police investigation has concluded and the bank has refused to co-operate. You have several choices remaining:
- Report the bank to the UAE Central Bank's Consumer Protection Unit. You will need to note all the details of phone calls and correspondence with the bank. You can only make such a report if you have made a complaint to your bank in writing and it has not provided a satisfactory response within 30 days.
- Contact a senior member of the bank (ideally the retail part of the bank) on LinkedIn and explain what happened. They may not have heard about it and may be in a position to act.
Debt panellist 2: Carol Glynn, founder of Conscious Finance Coaching
I'm sorry to hear about the unfortunate and costly situation your husband encountered. Phone scams and fraudulent activities are indeed on the rise, and it's essential to be vigilant when dealing with sensitive information over the phone.
Based on the information you provided, it seems there are a few possibilities as to how the fraudster knew your husband was looking to book a golf session.
As you mentioned, there could have been an internal leak or a data breach at the bank, which resulted in the fraudster gaining access to customer information, including your husband's interest in booking a golf session.
How was your husband trying to book his golf session? There could have been a leak on the website he was attempting to use or from the club he was trying to book with.
If he was using a website, could the fraudsters have gained the information online either from the site or by having spyware on your personal laptop/phone? I would recommend checking both for any malware.
It's also possible that the fraudster randomly called your husband and used a common scam tactic, hoping that he had recently made such a transaction. It would require a significant level of good luck on the fraudster's part to time this so opportunely.
Regarding the recovery of the money, continue trying to communicate with the bank to understand their position and express your concerns. Request a more thorough investigation into the incident. Do this in writing using their dedicated customer service email address.
Consult with a lawyer who specialises in financial fraud or consumer protection to understand your rights and explore potential legal options. Continue working with the police and provide them with any relevant information they may need to assist with their investigation.
I suspect the chances of recovering the money may be slim, as your husband gave the OTP and it has been converted into cryptocurrency, as tracing these types of transactions can be challenging.
To protect against such scams in the future, never share sensitive information like OTPs, PINs, or account details over the phone, especially if you receive an unsolicited call.
Messages with OTPs provide the amount being charged alongside the OTP. Always check the amount listed in the text message/email is the correct amount you are expecting to be charged.
Be cautious about sharing personal information online, and review your privacy settings on social media platforms.
If you receive a call from someone claiming to be from a legitimate organisation, independently verify their identity by calling the official number listed on the organisation's website or documentation.
Keep in mind that scams can be sophisticated and it's crucial to stay vigilant and informed to protect yourself and your finances.
Debt panellist 3: Keren Bobker, financial adviser and senior partner at Holborn Assets
This is a curious situation. Quite the coincidence that you received a call like this and I would be raising that as a serious concern with the bank as much as anything else.
You say that the bank employee asked you to make contact with the relevant department and they were not going to get the relevant person to call you. However, I understand how it would seem plausible to receive such a telephone call and to assume it was legitimate.
I would expect a bank to conduct an internal investigation if such a case is brought to their attention by any customer as it is too much of a fluke for this to happen by chance.
The secondary issue is regarding the OTP. No bank ever asks for that over the telephone, or in person.
I understood that this is common knowledge and it has certainly been made clear by many banks, the media, and the UAE government in various publications.
It should also be in the terms and conditions of any bank account or credit card agreement, and thus accepted by the customer. As that was freely given, it technically absolves the bank of responsibility.
An OTP is designed to be a secondary security measure for a single transaction. It is for use with an online transaction only and is never requested verbally by any retailer. This has always been the case.
My view is that the bank needs to instigate a proper internal investigation and that they are being negligent by refusing to do so given the facts of the case.
The Debt Panel is a weekly column to help readers tackle their debts more effectively. If you have a question for the panel, write to firstname.lastname@example.org