Bank of Ireland will reimburse a total of about €800,000 to as many as 300 customers who have fallen victim to a text "smishing" scam, marking a U-turn on previous policy as it dealt with a public backlash and potential clashes with regulators.
The customers had been tricked into supplying their bank details to official-looking mobile phone texts.
The scam – known as “smishing”, as it involves an SMS text – often claims a customer’s bank card has been blocked and asks people to click on a link.
But the link directs customers to a phishing website where they are invited to input personal information, including their Bank of Ireland Banking 365 PIN numbers, their bank card numbers and their four-digit card PIN.
The bank told several affected customers in recent weeks that they were effectively liable for the losses, as they had voluntarily supplied the account details, amid a surge in smishing attempts by fraudsters. Dozens of customers took to RTÉ Radio’s Liveline programme to complain about their treatment by the bank, whose chief executive, Francesca McDonagh, compared the victims’ actions to handing over the keys of a car to criminals.
However, in a statement on Monday the bank said affected customers would be reimbursed. A spokesman said that in future, while there was “always a risk of financial loss” to customers who divulge certain details, the bank “will strive to be as sympathetic and understanding as possible to the customers’ predicament”.
It is understood that Central Bank of Ireland officials had been engaging with the bank on the issue and that some individuals had made initial complaints to the Financial Services and Pensions Ombudsman. Banking sources said regulators would have pressed home that Bank of Ireland could not reasonably claim in this instance that the customers were grossly negligent, which would allow the bank, under EU payment services rules, to avoid reimbursement.
Melanie Sheridan, who was one of those affected by the scam, said she was happy the bank had performed an about-turn. “I am so relieved and delighted that Bank of Ireland reversed its position for all of us who were impacted by the highly sophisticated smishing scam,” she said. “Our collective voice was becoming increasingly difficult to ignore.”
As part of a new fraud-awareness campaign, Bank of Ireland said it wanted to highlight the tactics deployed by criminals to trick customers into providing their banking details.
"Smishing has been around for a long time, but there has been a spike in attacks since Covid-19, with fraudsters clearly recognising an opportunity to target consumers as we spent more time using phones and computers," said Gavin Kelly, chief executive of Bank of Ireland's retail division.
“We have carried out a review into a recent smishing attack which has managed to defraud a number of customers. These cases have involved criminals inserting a fraudulent text into a thread containing genuine text messages from the bank.
“This tricked customers into divulging their confidential banking details. However, we also acknowledge that fraudsters have been particularly active during this period and, as consumers, we have had many other pressing concerns to deal with through Covid-19,” he said.
It is not clear how the customers’ mobile numbers in this case were obtained.
A spokesman for Bank of Ireland said: “Smishing texts are typically sent indiscriminately to large volumes of mobile numbers as fraudsters will be aware that some will be customers of Bank of Ireland and will click the link.
“There has been no issue or breach of any Bank of Ireland databases. Unfortunately, a number of recent publicised data breaches in other organisations have included mobile phone numbers that could potentially be used by fraudsters,” he said.
Permanent TSB said it had been dealing with a "small handful" of smishing cases in recent times, but that it refunded any losses to "genuine victims of frauds such as this".
“We are continuing to communicate with our customers so that they are aware to be vigilant of such fraud threats,” a spokesman for Permanent TSB said.
An Garda Síochána also warned last month that AIB customers were being targeted by bogus texts. “Where customers have been scammed through no fault of their own, we will deal sympathetically with them on a case-by-case basis,” a bank spokesman said. “To date, we have a strong record in protecting our customers from fraud. However, we must all remain vigilant.”