Scammers stole almost $50,000 from Katrina. Her bank offered her ‘goodwill’ instead of getting it back

“I am so sorry that this is happening to you,” said the HSBC call taker.

It was the Thursday before Easter in 2023, the same morning Katrina Qian was woken by a scammer masquerading as a government official.

Qian had called her bank’s hotline, hoping for reassurance that her money was safe. Instead, she was met with life-altering news.

“The money has been taken out from your account,” the teller told her.

“What’s that?” replied Qian, who was still learning how to speak English.

“The money has been taken out from your account by a fraudster,” the bank teller said.

Back then, Qian said she thought only she “was stupid” enough to fall for the con that stripped her of almost $50,000. But in the years since, evidence has mounted that HSBC’s security shortcomings made its customers a more attractive target for criminals. Hundreds fell victim to sophisticated scams.

It is hoped Australia’s new federal scam laws, passed early this year but not yet operational, will make it easier for victims to claim compensation from big businesses that are shown to have not taken reasonable steps to protect their customers. The reforms, however, are not retrospective, and it’s unclear when they will come into force.

Reported scam losses are up almost 30 per cent in the first five months of this year, compared with the same period in 2024, according to Scamwatch data.

Left behind is a mountain of victims such as Qian who feel failed by their banks, or other large businesses involved in scam transactions, in a seemingly hopeless battle to recoup devastating losses.

Qian had only recently moved to Sydney when she got a call from a man who told her he was from the government. He told her he urgently needed details of her bank accounts to stop a series of suspicious transactions.

The 44-year-old Mandarin speaker said she had accounts with four different banks: three Australian and one Chinese. But fraudsters had breached only her HSBC account.

“He asked me which bank card you have,” Qian recalled. “I told him HSBC, ANZ, Commonwealth Bank and Bank of China. He said, ‘[Let’s go with] HSBC first. Tell me your HSBC mobile app name, user ID and password.’ Then I told him.”

The criminals were then allegedly able to use a new HSBC Everyday Global Account to exchange almost $50,000 of her money into British pounds, and then send that money to an overseas recipient without raising alarm bells at the bank.

HSBC initially refused to provide any compensation to Qian, arguing that the bank was not liable for any of her losses as she had provided her passwords to the scammer.

HSBC also claimed in correspondence to Qian that IP data showed the new account used to funnel the stolen funds was opened at a location “consistent with the addresses held on our records for you by HSBC at the time”, though the bank has refused to provide Qian with these records.

Since Qian was scammed, the Australian Financial Complaints Authority (AFCA) has ruled against the bank in a landmark case that found HSBC was liable for a customer’s $47,000 scam loss, even though the victim disclosed two passcodes to a scammer.

The nation’s corporate regulator is also suing HSBC’s Australian subsidiary for “widespread and systemic” failures to protect its customers from scams. Many of the claims made by the Australian Securities and Investments Commission in the ongoing court case, which include that HSBC had major gaps in its fraud interception capacities, HSBC denies.

When Qian complained again this year, seeking full reimbursement of her losses, HSBC once more denied liability, instead offering a $9500 “goodwill” payment to resolve the matter.

“They said you only have 14 days to receive this offer. Otherwise, we can’t give you anything,” Qian said.

Qian decided to accept it, worried she could be left with nothing.

HSBC Australia customers lost $18 million via impersonation scams in the 2023 financial year, and $24 million in the first nine months of 2024, according to court documents. About 950 reports of unauthorised transactions were made to HSBC Australia between January 2020 and August last year.

HSBC has refused to comment on how many of these affected customers had been fully reimbursed. However, as a result of complaints to AFCA, almost $8.7 million has been paid to about 400 HSBC impersonation scam victims, meaning there could be many more such as Qian who remain significantly out of pocket.

David Niven, a consumer lawyer with more than four decades of experience, is concerned that many of the HSBC customers had settled their cases for modest sums.

Many victims were initially offered a “goodwill” payment of a few thousands dollars to finalise their claims for losses in the tens of thousands of dollars.

“The bank played it very hard in the dispute resolution space. It was combative,” Niven said.

He argued the bank should be apologising to those affected and compensating them fully.

Stephanie Tonkin, chief executive of Consumer Action Law Centre, said Australian banks typically reimbursed only a small percentage of scam losses, often making “lowball” offers and requiring victims sign non-disclosure agreements to settle a case.

Tonkin said she was even aware of a case in which someone was required to retract comments they had made to the media as part of a settlement.

Australia’s “world-first” scam legislation passed federal parliament in February, but it is yet to come into effect. This week, the office of Australia’s financial services minister, Daniel Mulino, declined to detail when the new laws would come into force.

Tonkin said it was initially expected the laws would begin to roll out from the middle of this year, and that AFCA would be able to consider a wider range of compensation claims from early next year.

“Given the complexity of the framework and the new legislation … the laws look like they may not come into force until 2027, [or] even later,” she said. “So we have this much-lauded set of laws, the Scam Prevention Framework, sitting on a shelf.

“I am deeply concerned that scam protections have fallen down [the] government’s list of priorities.”

A spokesperson from AFCA, which manages disputes between banks and scam victims, said that Australia’s promised mandatory industry codes were urgently needed, but industry should not wait to take action.

“The use of confirmation of payee technology is a good example,” the spokesperson said. “We’re still seeing scams that could have been prevented if all banks used this technology.

“Mule accounts is another example. We know some banks were allowing accounts to be opened without confirming that the person providing the identification documents was the owner of those documents. In these cases, we have been unable to investigate because there is no relationship between the customer and the bank.”

In 2022, HSBC was also the bank of choice for a scammer who targeted Jane Wallace’s elderly father, telling the 92-year-old that he could help him to hide his money from hackers. She said the fraudster coached her father through setting up an HSBC Everyday Global Account, which was then used to funnel about $75,000 overseas.

Approached by family members acting on Wallace’s behalf, HSBC denied liability, arguing that because the account was opened without the victim’s consent, it didn’t consider him a customer, nor “consider that we have any liability to him”.

When the family explained he had been coached by a fraudster to open the account, thinking it would keep his money safe, HSBC again wiped its hands of any responsibility and offered no compensation.

“Somebody else was actually operating that account,” Wallace said.

“It really affected him psychologically … he felt really embarrassed and asked us to manage all his finances after that.”

In response to questions about the scam cases and compensation to victims, an HSBC spokesperson said “we are unable to comment on an ongoing legal matter”.