Kelly Keating thought she had just been rescued from the jaws of a scam. The fraud department from her bank, HSBC, had called after detecting a strange iPad being used on her online banking account.

A young teller with a British accent worked to remove the device before any crime could take place, giving Keating, then 26 weeks pregnant, a lecture on how to avoid sophisticated online scams targeting Australians.

“Don’t click on any links that you might get in unsolicited text messages,” said the man, who said his name was Simon Adams. “Don’t open any suspicious emails.”

But the man wasn’t “Simon Adams” from the bank at all. There is no suggestion that anyone at HSBC was involved in scamming Keating. That was all fake. Instead, “Simon”, or one of his associates, was siphoning $50,000 from Keating’s home loan offset account.

By the time the call caught Keating off guard last November, in between meetings at her job as a project engineer, this signature scam targeting HSBC customers had been running for at least six months, ensnaring hundreds of victims, many of whom had lost their life savings.

An investigation by this masthead has uncovered evidence showing HSBC moved slowly to detect and respond to repeated red flags about the scam.

The saga is a stark example of how criminals have exploited weaknesses in scam protections in Australia’s banking system.

HSBC blames its clients – accusing some of “extreme carelessness” – even as this is rejected by consumer advocates and condemned by Financial Services Minister Stephen Jones.

“I think they were far too slow to respond, then I think their response was inadequate,” said Jones, who has “deep concerns” about the bank’s response.

The development comes as the federal government develops a new scams code framework that it says will raise the bar for banks, telcos and social media platforms when it comes to preventing scams.

Kyle, an engineer, received two text messages on a Saturday morning in late October, both purporting to be from his bank. They arrived in the same message chain, under the heading “HSBCAU”. One was a scam, the other a genuine message from the bank.

The Melbourne man, who did not want to share his surname for privacy reasons, had just dropped his son off at an art class when he received the first message, which told him a suspicious payment to Amazon had been stopped, and asked him to call a 1800-number.

The person who answered, a scammer with a distinct English accent, told Kyle the bank had recorded an iPhone login in Adelaide, and they needed his help to remove it.

This fictitious story had a dual purpose: to get Kyle to hand over several security codes, and also to deflect suspicion that might be raised by any genuine warnings from the bank.

When Kyle’s phone then pinged with an HSBC message alerting him that a device had been removed from his account, it seemingly confirmed the story he’d just heard. In reality, the phone that was being removed from the account was his own.

“The fraudster … he was sort of giving me an education over the phone, explaining how to verify what website is genuine, what text is genuine, all that stuff. It seemed pretty helpful,” the father of two recalled.

“I didn’t smell anything [suspicious] at all.”

Victoria Police detectives say that Kyle’s account “was compromised to steal a substantial amount of money”.

HSBC, however, used the findings of its own fraud investigation team to determine that Kyle should be held liable for all the money stolen for him – almost $50,000 – and instead sent him a “goodwill payment” of $5000, 10 per cent of what he lost.

“The bank did not detect unusual activity during the scam event,” an HSBC representative said in a letter in May.

But records obtained by this masthead show that in these cases, HSBC had evidence that something was awry.

On that October day, as Kyle was tricked into believing he was speaking to a bank teller, consecutive logins were being made on his HSBC account in Melbourne and in Finland, from where it was impossible that they could have been made by the same person.

It then took just a few minutes for the bulk of Kyle’s stolen funds to be shifted to a Queensland-based Bitcoin exchange.

Eighteen other victims of the scam told this masthead they had also been advised their accounts had been accessed from overseas, mostly from Finland, Dubai, Scotland, Sweden and the United Kingdom.

This was one of the red flags that cybercrime forensic investigator Simon Smith said the bank should have detected in real time.

He said Kyle’s logs show evidence of a second person simultaneously accessing the account, setting up Face ID and performing other activities related to stealing someone’s identity.

“The bank was in a more powerful position than the customer was because they knew something he didn’t,” Smith said. “They knew the person he was talking to on the other end of the line was 9000 miles away. I think [the bank] should be liable for everything in this case.”

Cybercrime expert Ken Gamble, from IFW Global, agreed that HSBC should have had the capacity to detect logins from multiple locations at the same time.

“I’m surprised that the banks haven’t picked that up because they actually do have that technology,” he said.

Smith, whose business SCAMAssist helps victims with complaints against banks, was also surprised that HSBC didn’t have a 24-hour holding period for transfers to new payees. Without such a safeguard, stolen money can become irretrievable within minutes.

For several years, Commonwealth Bank of Australia has had delays for first-time payees of up to 24 hours.

HSBC said it was working towards implementing the Australian Banking Association’s new Scam-Safe Accord, which promises more “questions, warning and delays” for transfers to new payees by December.

The victim pays

One of the unusual things about Kelly Keating’s experience is that she got to confront her fraudster. The day after he first contacted her, he called again, in a shameless attempt to regain access to the now-frozen account.

“You have scammed me,” Keating told him, as colleagues in her open-plan office whispered encouragement. “And you have scammed a pregnant lady, so I don’t really know how you sleep at night.”

Keating became suspicious of so-called Simon Adams at the end of their first conversation.

“He said something funny,” she remembered. “He said, ‘Just don’t touch your account for the next day or so, just keep it clean’ … I thought, ‘Why would it matter if I went and bought a coffee this afternoon?’”

A concerned Keating immediately hung up and rang HSBC, reaching a real call taker at 2.20pm, only 10 minutes after the final sum of stolen money left her account.

The offenders were faster. They moved $49,800 from a local HSBC mule account – an account used by criminals to move stolen money – and into Bitcoin all within a single minute, at 2.13pm.

In contrast, the bank’s correspondence shows that it took HSBC a month to ask for the stolen money back from the institution that received it (a process known as a recall request).

Almost 300 complaints about HSBC’s handling of the impersonation scam have been received by the Australian Financial Complaints Authority, an external dispute resolution service for financial services company customers. About 180 cases remain unresolved, while HSBC has settled some directly with customers.

The authority is set to soon make a ruling on multiple cases, which will inform how it handles similar complaints.

Keating is among those waiting for a determination, although she has low expectations.

In a recent submission, the authority said that under the current laws victims generally only succeed in getting compensation from their bank in a narrow set of circumstances, including when they have “not voluntarily disclosed the majority of the passcodes required to perform the transaction”.

In Keating’s case, the conman asked her to generate and provide one-time passwords, claiming he needed them to remove a suspicious iPad from her account, and then to halt bad transactions.

“You’ve given them the code, and then you’re screwed,” Keating said. “The proportionality is way off. The bank is claiming I’m 100 per cent liable for this when they have failed in so many ways.”

This masthead surveyed 44 victims of the HSBC impersonation scam, who reported losing between $10,700 and about $200,000 each.

A few said the bank was able to retrieve a significant amount of their money. All but one said the bank had refused to accept any liability for their losses, generally offering small “goodwill” payments of between $1000 and $8000.

HSBC, a British multinational bank, recently announced a profit of more than $36 billion, while HSBC Bank Australia, its Australian subsidiary, posted a profit of $409.8 million in 2023.

In 2022, HSBC’s banks in the UK reimbursed 73 per cent of its customers when they were tricked by fraudsters into sending a payment to an account outside their control.

HSBC would not disclose what proportion of scam losses it reimburses for its Australian customers, but for those who had a complaint accepted by the financial complaints authority, just 19 per cent of claimed losses were paid back in the three years to December last year.

The Consumer Action Law Centre has helped more than 50 Australian victims of the HSBC impersonation scam. The law centre’s chief executive, Stephanie Tonkin, said the similarities in their stories were striking.

Repeatedly, fraudsters increased people’s daily transfer limits – often from $5000 to $50,000 – then transferred the maximum amount to accounts the customer had never interacted with before.

‘You have scammed me. And you have scammed a pregnant lady, so I don’t really know how you sleep at night.’

Kelly Keating confronting her scammer

“That should be setting off alarm bells for the bank,” Tonkin said. The stolen money was also often first sent to another HSBC Australia account – a mule account – then onwards into other accounts or cryptocurrency.

Tonkin argues the bank “grossly failed to identify” the stolen money washing in and out of HSBC’s own accounts.

“The bank is the only player in control in that equation who can see transfers going in between all of those accounts,” she said. “The consumer has no insight into any of this, and yet it’s the consumer’s fault somehow. It’s just immoral and doesn’t pass the pub test.”

Stephen Jones, the minister leading the government’s scam protection reforms, has promised that the new industry codes will raise expectations of Australian banks, including an obligation to detect and shut down thousands of mule accounts.

It’s expected new legislation will be introduced this year.

However, the new laws won’t be retrospective, and the minister has so far rejected calls from victims and consumer groups to introduce laws similar to those to be introduced in the UK, that will largely force banks to fully reimburse their customers for scam losses.

He said he doesn’t see a good argument for making banks fully liable for scams when social media platforms or telecommunications companies may have played a bigger role in the facilitation of the crime. That position is also held by the Australian Banking Association.

In the HSBC impersonation scam, Jones said the telecommunication company that allowed scammers to impersonate the bank in text messages also had some questions to answer.

Tonkin is concerned that unless a single complaint pathway is established, the new rules could leave victims struggling to navigate three separate dispute resolution bodies for banks, telcos and digital platforms.

“A presumption of bank reimbursement would make the process clearer, simpler and more effective for consumers and industry,” she argued.

“It sounded like they already knew about this.”

By last summer, one of the things that struck new victims of the HSBC impersonation scam was that the real bank staff they spoke to appeared wholly unsurprised by their stories.

On January 31, Mary Yu was at an HSBC bank branch in Melbourne’s eastern suburbs listening to the clacking of keyboards and anxiously waiting to discover how much had been stolen from her.

Perhaps it was $20,000, perhaps it was $100,000, Yu recalls being told by a teller, as the woman stared at the terminal in front of her.

Later, the bank manager told her the money was probably not recoverable, as sophisticated criminals quickly convert the funds into cryptocurrency. Just under $100,000 was gone.

“It sounded like they already knew about this,” Yu reflected later. “So what had they done?”

In Yu’s case, the scammers easily manipulated daily transaction limits, she believes, raising the ceiling on her account from about $5000 or $10,000 to $50,000.

In March, at least 10 months into the scam and two months after Yu was targeted, the bank stopped allowing any adjustments to daily payment limits using online banking.

After that, it appears the swindle may have finally come to an end. Of the 44 victims this masthead surveyed, only one reported being scammed after March 2024. Plenty of damage remains.

Like dozens of others, Yu’s scammers used an SMS that appeared in the same message chain as genuine messages from the bank, a criminal technique known as spoofing.

The money stolen from Yu was meant for her six-year-old son’s education.

‘It sounded like they already knew about this. So what had they done?’

Mary Yu ob being told by HSBC the money she lost wasn’t recoverable

The fact that she has professional expertise in IT added to her deep sense of shame and embarrassment after falling for the con.

While the bank has offered her a $2000 “confidential” goodwill payment, it has otherwise denied any liability for Yu’s losses, claiming that she handed over three one-time passwords, an allegation she denies.

“It feels like HSBC has not a single care in the world … Their demeanour has been like, ‘Oh no, the money’s gone, don’t expect us to recover any of it’,” she said.

“That’s just devastating.”

‘I feel like no one is listening’

Despite being one of Australia’s smaller banks, with a market share of 1.2 per cent for Australian household deposits, data collected by Scamwatch suggests that HSBC Australia customers were heavily targeted by fraudsters in 2023.

Of the roughly $18 million in reported losses to potential bank impersonation scams in Australia in 2023, about half related to HSBC.

This masthead sent HSBC Australia a detailed list of questions, including why its customers appeared to be a soft target for scammers, when it first detected the impersonation scam in Australia, and what were the total losses reported.

The bank did not directly answer most of those questions. But an HSBC spokesperson maintained that “in all cases, we have endeavoured to support our customers and work with them and other institutions to recover funds”.

The spokesperson said the bank had also improved its fraud and scam prevention systems, including improving SMS warnings for customers making payments of more than $500, limiting payments to some cryptocurrency platforms, and adding 70 people to the bank’s scams and fraud education teams.

“Our industry has continued to work together to disrupt scams but we acknowledge there is more to be done,” the spokesperson said.

“We ask our customers and remind the broader public to never give out bank codes or passwords.”

Australia’s corporate regulator, the Australian Securities and Investments Commission, recently signalled it was investigating HSBC’s conduct through the scam.

However, this masthead found no evidence of a co-ordinated attempt by Australian law enforcement agencies to catch the criminals responsible for the ruse.

When this masthead contacted the Australian Federal Police, it referred the inquiry to the National Anti-Scam Centre at the Australian Competition and Consumer Commission (ACCC), as did the federal attorney-general’s department. The ACCC said criminal investigations were a matter for police.

While some state police have assigned detectives to the fraud reports, these investigations do not appear to be widely co-ordinated.

An email recently sent by one state-based police officer to a complainant said they still didn’t have all the paperwork they needed from HSBC, which was “making my job very difficult”. HSBC, however, insists it thoroughly investigates each incident of fraud with police and others.

In desperation, scam victims have been trying to recruit their federal MPs to advocate to the bank on their behalf, with varying success.

Sunni Wan, a 35-year-old Sydney woman, had almost $50,000 stolen from her in early December, money she had been saving to pay for a knee operation for her 75-year-old mother, and to help her weather a sharp rise in interest rates.

Wan, who is now unable to keep up with her mortgage, twice reported the crime to the AFP, but it emailed her back advising “no further action will be taken at this time by this agency”.

“I feel so frustrated, and I feel like no one is listening,” Wan said. “I’ve tried every single avenue and it’s not getting me anywhere.”

Wan even took her story to her local MP, Prime Minister Anthony Albanese.

Albanese’s office referred her case to Jones, the financial services minister, who said it was likely multiple overseas criminal gangs were behind the scam.

“They purchase stolen data and operate a boiler room, which is like a call centre operation,” Jones said.

Victims have been receiving contradictory messages from HSBC, with the bank telling them that “scams are growing ever more complex and sophisticated” but at the same time also saying that they had been extremely careless in falling victim to one.

Trevor Withane, the founder of law firm Ironbridge Legal, which specialises in representing victims in large fraud cases, said that in the vast majority of scam cases he deals with, the victim’s bank had information that should have made them suspect a fraud was in train.

Withane believes that banks – and also social media and telecommunications companies – need to do more to protect their users and customers.

“We’re all forced to use the banking system. And it has great advantages,” Withane said.

“But there is a pandemic in global scams, and the people who are best placed to detect this are those with the financial resources to invest in the technology – that is the banks. ”

Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.