A man who lost more than S$3,800 after clicking a TikTok ad and entering his credit card details will have to bear most of the loss himself after a Singapore tribunal found he failed to act on repeated bank alerts.
The man, whose name was anonymized in the judgment, took his bank to the Small Claims Tribunals after scammers used his card through Apple Pay to make unauthorized transactions in Japanese yen.
He recovered only S$355.34 and sought the remaining S$3,456.38 from the bank. Tribunal Magistrate Joel Tan dismissed the claim in a June 12 judgment, finding that the man's inaction after multiple alerts amounted to gross negligence.
The case turned on tokenisation, a process that allowed scammers to add the man's credit card to a digital wallet on their own Apple device. Once that happened, the tribunal said the scammers had what was effectively a digital key to the card.
Note: "S$" refers to Singapore dollars. The loss amount was reported in Singapore currency, not U.S. dollars.
The man told the tribunal he remembered trying to buy an item from an advertisement he saw while browsing TikTok, according to CNA. He was prompted to enter his credit card details.
He could not say for certain whether the ad led to a phishing scam, and he maintained that he did not disclose his one-time password to anyone.
The tribunal found it more probable than not that he had disclosed both his credit card details and the OTP after falling victim to a phishing operation. The judgment said the scammer would not have been able to add the card to an Apple device without both pieces of information.
At around 11:14 p.m. on June 4, 2024, the man's credit card was successfully added to the digital wallet of an Apple device, a step he had not initiated.
The Card Was Used Through Apple Pay In Japan
Between June 17 and June 23, 2024, 22 transactions were charged to the man's credit card account. The transactions were made through Apple Pay, denominated in Japanese yen, and processed by merchants in Japan's stored-value electronic money system, including Suica, PASMO, ICOCA, and ANA Pay.
The total came to 430,000 yen, or S$3,811.72 at the exchange rates used by the bank.
The man did not receive transaction alerts for those purchases because each charge was below S$200. His account was configured to send transaction alerts only for purchases of S$500 and above, which the judgment described as the default threshold setting.
The Bank Alerts Became The Deciding Issue
The tribunal did not say every phishing victim is automatically grossly negligent. The judgment said modern phishing scams can be sophisticated enough to deceive reasonably cautious people.