A man who lost more than S$3,800 after clicking a TikTok ad and entering his credit card details will have to bear most of the loss himself after a Singapore tribunal found he failed to act on repeated bank alerts.
The man, whose name was anonymized in the judgment, took his bank to the Small Claims Tribunals after scammers used his card through Apple Pay to make unauthorized transactions in Japanese yen.
He recovered only S$355.34 and sought the remaining S$3,456.38 from the bank. Tribunal Magistrate Joel Tan dismissed the claim in a June 12 judgment, finding that the man’s inaction after multiple alerts amounted to gross negligence.
The case turned on tokenisation, a process that allowed scammers to add the man’s credit card to a digital wallet on their own Apple device. Once that happened, the tribunal said the scammers had what was effectively a digital key to the card.
Note: “S$” refers to Singapore dollars. The loss amount was reported in Singapore currency, not U.S. dollars.

The Scam Started With A TikTok Ad

The man told the tribunal he remembered trying to buy an item from an advertisement he saw while browsing TikTok, according to CNA. He was prompted to enter his credit card details.
He could not say for certain whether the ad led to a phishing scam, and he maintained that he did not disclose his one-time password to anyone.
The tribunal found it more probable than not that he had disclosed both his credit card details and the OTP after falling victim to a phishing operation. The judgment said the scammer would not have been able to add the card to an Apple device without both pieces of information.
At around 11:14 p.m. on June 4, 2024, the man’s credit card was successfully added to the digital wallet of an Apple device without his initiation.

The Card Was Used Through Apple Pay In Japan

Between June 17 and June 23, 2024, 22 transactions were charged to the man’s credit card account. The transactions were made through Apple Pay, denominated in Japanese yen, and processed by merchants in Japan’s stored-value electronic money system, including Suica, PASMO, ICOCA, and ANA Pay.
The total came to 430,000 yen, or S$3,811.72 at the exchange rates used by the bank.
The man did not receive transaction alerts for those purchases because each charge was below S$200. His account was configured to send transaction alerts only for purchases of S$500 and above, which the judgment described as the default threshold setting.

The Bank Alerts Became The Deciding Issue

The tribunal did not say every phishing victim is automatically grossly negligent. The judgment said modern phishing scams can be sophisticated enough to deceive reasonably cautious people.
The problem for the claimant was what happened after the first suspicious alerts arrived.
At 11:13 p.m. on June 4, the bank sent an OTP message for a request to add the card to Apple Pay. The message told the cardholder not to share the OTP and to contact the bank if the action was unauthorized. Shortly afterward, another message confirmed that the card had been tokenised and could now be used for purchases.
Further alerts followed on June 6 and June 12. The man acknowledged receiving later notifications but said he ignored them because he did not use Apple Pay and assumed they had nothing to do with him.

The Tribunal Said The Delay Shifted The Loss

On June 23, the bank flagged the pattern as suspicious and tried to contact the man by phone. When that failed, the bank temporarily blocked the card and sent another SMS.
The man later called the bank and confirmed he had not authorized the transactions. The card was permanently blocked, and the tokenisation was undone.
The bank attempted to recover the money on a best-efforts basis but succeeded only for two ICOCA transactions totaling S$355.34. The man then sought to recover the remaining S$3,456.38 from the bank.
Under the credit card agreement, the cardholder’s liability for unauthorized transactions was generally limited to S$100 before notification to the bank, unless the cardholder acted fraudulently, was grossly negligent, or failed to inform the bank as soon as reasonably practicable.
Magistrate Tan accepted that the first late-night messages may not have been read carefully at that moment. But he found that reasonable care required the man to check the alerts the next morning and act after later warnings.
The judgment said the man’s inaction was not a momentary lapse, but a sustained course of omissions that fell far below reasonable care. That finding allowed the bank to hold him liable for the remaining loss.
