Man lost S$3,800 in card phishing scam after clicking on TikTok ad; tribunal finds him liable, not bank

The claimant did not receive notifications from the bank for these transactions, because they fell below S$200 and his account was configured to send alerts for purchases of S$500 and above.

On Jun 23, 2024, the bank flagged these transactions as suspicious and tried to contact the claimant via telephone to verify them, but was unsuccessful.

The bank then took the preemptive measure of blocking the credit card temporarily to prevent further transactions and sent an SMS to the claimant to inform him about the blocking.

The claimant later called back and confirmed that he had not authorised the transactions. The card was permanently blocked and the tokenisation undone.

The bank advised him to complete a dispute declaration form, which the man submitted on Jul 22, 2024. The credit  card charges were paid via automatic deduction from his bank account balance in August 2024.

The 22 transactions with the merchants were secured transactions and there were no charge-back rights against the merchants.

The man tried to recover the money on a best-efforts basis, and succeeded for only two transactions amounting to S$355.34.

He felt the remaining loss of S$3,456.38 for 20 transactions should be borne by the bank, but the bank did not accede to his request for a refund.

The case was referred to the Financial Industry Disputes Resolution Centre but the adjudication held in July 2025 did not result in the claimant’s favour.

Dissatisfied with the outcome, he took the bank to the SCT.

BEFORE THE TRIBUNAL

The magistrate, Mr Tan, said the claim arose from the contractual relationship between the man and his bank for credit card services.

It was undisputed that the 20 transactions were unauthorised and carried out by an unknown scammer via tokenisation.

The credit card agreement between the man and his bank states that the cardholder will not be liable for any unauthorised card transactions made after notification to the bank. Liability will be limited to S$100 for any unauthorised transactions made before notification.

However, if it is found that the cardholder has acted fraudulently, was grossly negligent or failed to inform the bank of the lost or stolen card as soon as reasonably practicable, then the cardholder will be liable for all unauthorised transactions or amounts up to the credit limit, whichever is lower.

This includes any additional interest, charges or late fees.

The bank contended that the man had acted with gross negligence and should bear the full burden of the losses, saying he had disclosed his credit card details to the scammer, provided the one-time password enabling tokenisation and failing to take action despite the bank’s multiple SMS notifications.

In response, the man said he recalled trying to buy an item he saw on an advertisement while browsing TikTok. He was prompted to enter his credit card details.

He could not say with certainty whether this constituted a phishing scam but maintained that he had not disclosed his one-time password to anyone.

He said the SMS containing the password arrived at 11.13pm on Jun 4, 2024, when he would have been preparing for sleep with his phone in the living room.

He acknowledged receiving the bank’s subsequent notifications but ignored them entirely as he thought they had no relevance to his circumstances since he was not a user of Apple Pay.

The magistrate, Mr Tan, found it more probable than not that the claimant had disclosed both his credit card details and one-time password in a phishing scam.

However, he said the mere disclosure of credit card details and a one-time password in this manner did not necessarily constitute gross negligence in every case.

Still, Mr Tan said a reasonable person in that position would have monitored bank alerts in a timely manner, reported any unauthorised activity as soon as practicable and taken immediate steps to block further unauthorised access.

Mr Tan pointed to the notifications sent to the man, first the provision of a one-time password and a message saying he had tokenised his credit card.

Further alerts followed about the tokenisation of his card to Apple Pay, with one emphasising that if the card addition was unauthorised, he should contact the bank.

Mr Tan said the alerts served a critical function, signalling that someone unauthorised had obtained a digital key to the claimant’s details and was ready to use it for transactions.

While he accepted the claimant’s explanation for the initial messages which arrived late at night, prudence and reasonable care “demanded that he monitor these critical communications” and took the appropriate action the following morning.

“In my judgment, the claimant had failed to attend to these obvious and significant risks across multiple opportunities, and to take steps to mitigate them in a timely manner despite having been alerted to such suspicious activity,” said Mr Tan.

“Absent any reasonable explanation by the claimant, his pattern of inaction cannot be characterised as a mere oversight or momentary lapse in judgment. Rather, it represented a sustained course of omissions that fell significantly below the standard of reasonable care as to constitute gross negligence.”

He said the man’s prolonged inaction enabled the scammer to use his tokenised credit card and execute the unauthorised transactions.

He found that the bank was fully entitled to hold the claimant liable for the complete extent of losses from the transactions, in accordance with the terms of their credit card agreement.

Mr Tan stressed the importance of vigilance by lay users attempting to navigate a landscape with a “relentless pace of technological evolution within an already complex industry of financial services”, and the ever-increasing sophistication of financial scams.

He cited different forms of vigilance: 

• In monitoring and exercising appropriate care in online transactions, 
• in protecting one’s personal financial information from those who would misuse it
• in monitoring notification alerts from banks and financial institutions so that early intervention remains a viable possibility when suspicious activity occurs.

“When one encounters alerts whose significance remains unclear or mysterious, the prudent course invariably lies in seeking immediate clarification from the relevant institution rather than simply ignoring such communications and hoping for the best,” said the magistrate.