Cyberattacks, WhatsApp hacks, and reimbursements

Part II

Monday, 2 June 2025 00:12



This is a follow-up article to that which was published last week. Hence, I have added the words Part II.

The intention of my Thought Leadership Forum article of 26 May 2025 (link: https://www.ft.lk/columns/Cyberattacks-WhatsApp-hacks-breaches-and-compromises/4-776867) was to urge banks, regulators, emergency response teams and dedicated institutions, law enforcement authorities and domain experts, and internet and cybersecurity professionals to build a “collective infrastructure” in terms of awareness enhancement, risk management and mitigation.

I also discussed a comparative analysis of the practices adopted by other jurisdictions, particularly the United Kingdom. The examples I gave clearly showcase the responsibility of banks not only to reimburse victims but also to monitor and act against fraudulent activities within their own systems. Today, I will discuss examples from India and a few other jurisdictions perceived to be first world, like Canada, Australia and New Zealand, given that there is a belief among many that, in evaluating ourselves as a country, we should not compare ourselves with the developed world. I disagree.



India

There are notable instances in India where banks have been directed to reimburse customers who fell victim to fraud. These decisions often stem from judicial or consumer forum rulings emphasising the bank’s responsibility to protect customer funds and act promptly upon detecting fraudulent activities.



Key cases of bank reimbursements in India

Rajasthan High Court orders IDBI Bank to refund INR 58.9 lakhs

In May 2025, the Rajasthan High Court directed IDBI Bank to refund INR 58.9 lakhs, along with 6% interest since 2022, to a chartered accountant who was a victim of cyber fraud. The court emphasised that the customer bore zero liability and highlighted the need for mechanisms to safeguard customers against unauthorised transactions. 

Consumer Court Directs Bank Manager and Cashier to Refund INR 9.21 Lakhs

A consumer court in Bulandshahr ordered a public sector bank’s manager and cashier to refund INR 9.21 lakhs to a victim defrauded through cloned cheques. The court found that such significant transactions could not have occurred without the collusion of bank officials.



Supreme Court upholds customer’s right to refund from SBI

The Supreme Court of India ordered the State Bank of India (SBI) to refund INR 94,000 lost in an online scam, reinforcing that banks must prove customer negligence before denying liability. The judgment emphasised the RBI’s guidelines on zero liability for customers promptly reporting fraud. 

Bombay High Court Orders Bank of Baroda to Refund INR 76 Lakhs

In June 2024, the Bombay High Court directed Bank of Baroda to refund INR 76 lakhs fraudulently debited from a company’s account. The court noted that the customer had zero liability in unauthorised transactions where the deficiency lay within the system.



Consumer forum orders SBI to compensate customer in Patna 

A consumer forum in Patna ordered SBI to reimburse a customer’s fixed deposit amount with interest after funds were withdrawn online through fraud. The forum held that there was a deficiency in service as the bank did not inform the customer before debiting the sum. 



Consumer forums and courts

Judicial bodies have consistently held banks accountable for lapses in security and failure to act swiftly upon fraud detection, often ordering reimbursements and additional compensation for mental harassment and litigation costs.



Bank’s internal actions

While specific details about banks freezing fraudulent recipient accounts within their own systems are not always publicly disclosed, the legal precedents emphasise the banks’ duty to monitor and act against suspicious activities, including internal collusion.



Canada

While specific case studies of WhatsApp hacks in Canada are not widely publicised, Canadian cybersecurity experts and institutions have been actively involved in investigating and responding to global WhatsApp hacking incidents.



Victim reimbursement landscape in Canada

Unlike some countries that have implemented mandatory reimbursement schemes for scam victims, Canada currently lacks a universal reimbursement policy, or standardised framework compelling banks to refund all victims of fraud.



Bank discretion

Financial institutions in Canada assess reimbursement claims on a case-by-case basis. Factors influencing their decision include the nature of the scam, the victim’s actions, and whether the bank’s security protocols were followed.



Push payment scams

In cases where victims are tricked into authorising payments (known as authorised push payment scams), banks may be less inclined to offer refunds, arguing that the transaction was authorised by the account holder.



Anti-Fraud Centres in Canada

The Canadian Anti-Fraud Centre (CAFC) receives reports online and collects information on fraud incidents to assist the police in law enforcement.



Recovery scams

After falling victim to a scam, some individuals are targeted again by fraudsters posing as recovery agents who promise to retrieve lost funds for a fee. These are often scams themselves. Legitimate authorities do not charge fees to investigate fraud cases. 



A few examples of reimbursement cases in Canada

Emma Mann – Scotiabank

Emma Mann, a Halifax resident with cognitive impairments, lost $5,200 after scammers posing as Scotiabank agents convinced her to purchase and send gift card activation codes. Recognising her vulnerability, Scotiabank reimbursed the full amount. 



Leslie Milligan – TD Canada Trust

Leslie Milligan, an 82-year-old from Toronto, was deceived by a lottery scam, leading her to deposit a counterfeit check for $16,482.68 and send funds to the fraudsters. Initially, TD Canada Trust held her responsible, but after media coverage, the bank refunded her as a goodwill gesture. 



Evelyn Hadican – Unspecified bank

Evelyn Hadican, a 72-year-old, was scammed out of over $3,000 through a fraudulent job offer. After reporting the incident, her bank returned the stolen funds.



Earl Jones Ponzi Scheme – Royal Bank of Canada (RBC)

Victims of Earl Jones’ Ponzi scheme filed a class-action lawsuit against RBC, alleging negligence. The case was settled, with investors receiving about 30 cents on the dollar. 



Norbourg scandal – Various institutions

In the Norbourg financial scandal, approximately 9,200 investors lost millions. By 2011, a settlement ensured full reimbursement to all investors. 



Australia

Reimbursement landscape in Australia


In Australia, the reimbursement of scam victims, including those targeted through platforms like WhatsApp, is undergoing significant changes. While historically, victims faced challenges in recovering lost funds, recent government initiatives aim to enhance protections and provide clearer pathways for compensation.



Australian Financial Complaints Authority (AFCA)

Traditionally, victims could lodge complaints with AFCA. However, as of early 2025, AFCA ruled in favour of scam victims in only about 4.8% of cases, highlighting the difficulties victims faced in securing reimbursements. 



Bank discretion

Reimbursements largely depended on individual bank policies, with many institutions hesitant to refund victims, especially in cases where the victim authorised the transaction under false pretences.



Recent government initiatives

To address these challenges, the Australian government has introduced several measures –



Scams Prevention Framework

Announced in late 2024, this framework imposes stringent obligations on banks, telecommunications companies, and social media platforms to prevent, detect, and respond to scams. Entities failing to meet these obligations could face fines up to $50 million and be required to compensate victims. 



Enhanced role for AFCA

The government allocated $14.7 million over two years to AFCA to establish a “single front door” for scam victims seeking redress. This initiative aims to streamline the compensation process and provide victims with a clearer pathway to recover lost funds. 



Impact and ongoing challenges

These initiatives have led to a notable decline in reported scam losses. For instance, Australians reported $82.1 million in losses to Scamwatch in the October to December 2023 quarter, a 43% decrease compared to the same period in 2022. 



Legislative gaps

Consumer groups have criticised the current legislation for not mandating compensation for victims, arguing that it places the burden on individuals to prove negligence by large corporations. 



Industry pushback

Some banks and tech companies have expressed concerns over the proposed obligations and potential financial liabilities, leading to debates over the balance between consumer protection and corporate responsibility.

The following are notable cases of reimbursement in Australia.



HSBC ordered to compensate $47,000 scam loss

In a landmark decision, HSBC was directed by AFCA to reimburse a customer who lost over $47,000 due to a sophisticated SMS phishing scam. AFCA determined that the customer did not voluntarily disclose their passcodes and that the bank failed to implement adequate fraud detection measures.




Commonwealth Bank recovers funds in $1.2 million scam

Former Tasmanian Senator Stephen Parry was defrauded of $1.2 million after a scammer compromised his conveyancer’s email and provided fraudulent bank details. The Commonwealth Bank managed to recover a significant portion of the funds, although approximately $206,000 remained unrecovered.



Partial refunds in remote access scam

Tanya Owens from Brisbane lost her life savings of $6,500 and incurred $12,000 in unauthorised credit card charges after a scammer, posing as a government official, convinced her to install remote access software. While Citibank and other institutions refunded some of the stolen funds, Great Southern Bank declined reimbursement, attributing the loss to customer error.



New Zealand

Here’s an overview of notable incidents:



Impersonation Scams (“Hi Mum” Scam)

Scammers impersonate family members, often claiming they’ve lost their phone and are using a new number. They then request urgent financial assistance. In 2024, Wellington Police issued warnings about such scams circulating in the region. A mother lost over $11,000 after believing she was helping her daughter, who claimed to have a broken phone.



The Financial Markets Authority (FMA)

The FMA warned about scams involving WhatsApp groups led by so-called “mentors” promoting fraudulent investment platforms. In 2022, New Zealand residents were contacted by “Global Venture” through WhatsApp to trade cryptocurrencies, with reports of funds being unreasonably withheld. 



New Zealand’s reimbursement of scam victims

The reimbursement of scam victims, including those affected by WhatsApp-related fraud, is evolving with recent initiatives aimed at enhancing consumer protection.

As of April 2025, New Zealand banks have committed to reimbursing scam victims up to NZ$500,000 if the bank fails to adequately warn and protect the consumer from a scam. This commitment is part of five new protections (Eligibility Criteria) introduced to the Code of Banking Practice, which will be progressively rolled out over the next seven months. 



Notable reimbursement cases and challenges

A customer who fell victim to a bank impersonation scam was reimbursed $6,000 following the intervention of the Banking Ombudsman. This case underscores the importance of external dispute resolution mechanisms in addressing such incidents. 



Cryptopia cryptocurrency exchange hack

In 2019, Christchurch-based cryptocurrency exchange Cryptopia suffered a significant security breach, resulting in the theft of approximately NZ$24 million worth of digital assets. After a prolonged liquidation process, by December 2024, over 10,000 verified account holders received refunds totaling NZ$400 million in cryptocurrency, marking a substantial reimbursement effort in the digital asset domain.



TSB Bank and the $1 million scam loss

Steven Fan, a Northland retiree, lost $1 million to scammers. TSB Bank declined to waive the $500,000 threshold required for the Banking Ombudsman to investigate, effectively limiting Fan’s recourse to costly legal proceedings. Critics argue that the bank leveraged the victim’s financial hardship to avoid potential liability. 



ANZ staff assisted in $250,000 scam transfer

An incident involving ANZ staff inadvertently assisting a customer in transferring $250,000 to a known “money mule” has raised concerns. Despite prior warnings about such scams, the bank’s internal communications failed to prevent the transaction, leading to calls for compensation and improved preventive measures. 



Japan

The following is an overview of WhatsApp-based scams and other issues in Japan.



Recruitment impersonation scams

Scammers have been impersonating recruiters from reputable firms like Robert Walters Japan and Kadence International, contacting individuals via WhatsApp with fraudulent job offers. These messages often request personal information or upfront fees under the guise of processing applications. Both companies have issued warnings about these deceptive practices. 



Tech support fraud targeting Japanese citizens

Between April and July 2024, Japanese citizens were targeted by tech support scams originating from illegal call centres in India. Victims received pop-up alerts on their computers, prompting them to call numbers where scammers posed as Microsoft or Apple support staff, leading to financial exploitation. 



Credit card fraud in Hokkaido

A woman in her 60s from Hokkaido fell victim to a phishing scam after receiving an email resembling a credit card statement. Upon clicking the link and entering her card details on a fraudulent site, unauthorised charges totalling approximately $1,700 were made via Apple Pay, even after she cancelled her card. Despite the continued fraudulent use, her credit card company eventually reimbursed her for the losses.



Gaica prepaid card fraud

A user of the Gaica prepaid card reported unauthorised USD transactions totalling around ¥60,000. After filing a complaint, Gaica conducted a 3–4 month investigation, culminating in a confirmation of fraud and a full refund to the victim. The user also took proactive measures by blocking the old card, obtaining a replacement, and adjusting account settings to prevent future incidents.



MUFG debit card fraud

A customer of MUFG Bank experienced unauthorised withdrawals amounting to ¥60,000. Upon reporting the incident and providing a police report, the bank processed the claim and reimbursed the full amount within approximately two months. This case highlights the role of standard fraud insurance and the necessity of official documentation in facilitating reimbursements. 



Japan Post Bank e-payment scam

In 2020, Japan Post Bank acknowledged that approximately ¥60 million was stolen from customer accounts through vulnerabilities in electronic payment services. The bank publicly apologised and committed to compensating affected customers, although some cases remained unresolved. This incident prompted a review of security protocols and reimbursement policies. 



Central Bank et al

While yet overseas on holiday, I nevertheless invested time for research for this second article, given the compelling national level imperative for us in Sri Lanka, to identify a progressive jurisdiction such as the United Kingdom and even India as a possible benchmark. Our Central Bank, the banking system, dedicated institutions legally and otherwise responsible for cyber security or computer emergency response initiatives and indeed IT, legal and accounting professionals must get to the drawing board. We yet have a relatively safe banking system. Let’s risk manage and protect it and the individual customers, banks, institutions and regulators that sustain it.


(The writer has served on the following regulatory bodies: As Chairman of the Securities and Exchange Commission of Sri Lanka; Member of the Sri Lanka Accounting and Auditing Standards Monitoring Board, and Member of the first Consumer Affairs Council of the Consumer Affairs Authority of Sri Lanka. As a passionate proponent of the notion that a robust regulator is a fundamental ingredient in a sustainable market economy, he has attended an executive development program on the topic “Strategic Management of Regulatory and Enforcement Agencies” at the Kennedy School of Government of Harvard University.)
