Man lost S$3,800 in card phishing scam after clicking on TikTok ad; tribunal finds him liable, not bank

A tribunal found that the man had to bear the losses as he had ignored multiple warnings and notifications from the bank in a “sustained course of omissions” that constituted gross negligence on his part.



The bank customer was the victim of a “phishing” credit card scam. (Photo: Shutterstock)



Lydia Lam


SINGAPORE: A man who lost over S$3,800 (US$2,962) in a phishing scam while browsing TikTok managed to recover only S$355 and took his bank to the Small Claims Tribunal (SCT) seeking the rest.

However, the tribunal found that he had to bear the remaining losses of about S$3,455 as he had ignored multiple warnings and notifications from the bank in a “sustained course of omissions” that constituted gross negligence on his part.

In a judgment dated Jun 12, Tribunal Magistrate Joel Tan dismissed the man’s claim but said his loss from the scam “warrants sympathy”, while emphasising the importance of vigilance.

The names of the scam victim and the bank were anonymised in the judgment, as is usual for SCT judgments, since such cases are heard in private.

THE CASE

According to the judgment, the scheme the man fell for involves scammers deceiving victims into divulging their credit card details, including the primary account numbers, expiry dates and security codes.

The scammer then inputs the details into a digital wallet application on their own mobile device, initiating a process known as tokenisation.

The security mechanism replaces the victim’s actual card details with a unique device account number that serves as a cryptographic substitute for the original credentials.

The tokenisation process typically requires authentication by the cardholder, with one common method via a one-time password sent by SMS to the cardholder.

Scammers often obtain these passwords through phishing, said the magistrate.

Once tokenisation is complete, the scammer possesses what amounts to a digital key to the victim’s credit card, which he can use to conduct fraudulent purchases and payments.

The issuing bank will seek payment from the victim for the fraudulent transactions. If the cardholder disputes the transactions as unauthorised, the credit card scheme typically provides a charge-back mechanism that may reverse the settlement process and result in merchants bearing the risk of loss.

However, merchants can shift this liability by demonstrating that the transactions were secured according to industry standards. If the merchants establish this, the loss falls on the issuing bank or the victim depending on the circumstances.

WHAT HAPPENED HERE

At around 11.15pm on Jun 4, 2024, the claimant’s credit card was added to the digital wallet of an Apple device without his initiation.

Despite receiving notification alerts by SMS that evening and further alerts on Jun 6 and Jun 12, he took no remedial action.

Between Jun 17 and Jun 23, 2024, 22 transactions were charged to the man’s credit card account.

They were executed through Apple Pay and in Japanese yen, processed by merchants within Japan’s stored-value electronic money ecosystem to load monetary value to prepaid wallet systems.

The total amount was 430,000 yen, which was S$3,811.72 at the prevailing exchange rates at the time.

The claimant did not receive notifications from the bank for these transactions, because they fell below S$200 and his account was configured to send alerts for purchases of S$500 and above.
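As an added illustration, not part of the CNA report or the judgment, the Python sketch below compares a per-purchase alert threshold with a rolling per-token sum over the same charges. Assumptions: the 22 charges are a constructed equal split of the reported S$3,811.72 with constructed timestamps, the token label is hypothetical, and the seven-day window and S$500 rolling limit are chosen for the example.

```python
from datetime import datetime, timedelta

PER_TXN_ALERT_CENTS = 500_00        # per-purchase alert setting reported in the article
ROLLING_LIMIT_CENTS = 500_00        # assumption: same amount applied to a rolling sum
ROLLING_WINDOW = timedelta(days=7)  # assumption: look-back window

def constructed_transactions():
    """22 constructed charges, Jun 17-23 2024, equal split of S$3,811.72."""
    start = datetime(2024, 6, 17, 12, 0)
    return [
        {"token": "wallet-token-1",  # hypothetical token label
         "time": start + timedelta(days=(i * 7) // 22, minutes=i),
         "cents": 173_26}
        for i in range(22)
    ]

def per_transaction_alerts(txns, threshold=PER_TXN_ALERT_CENTS):
    """Alert only when a single charge reaches the threshold."""
    return [t for t in txns if t["cents"] >= threshold]

def first_rolling_alert(txns, limit=ROLLING_LIMIT_CENTS, window=ROLLING_WINDOW):
    """Return (index, rolling_sum) for the first charge that pushes the
    per-token sum inside the look-back window to the limit, else None."""
    ordered = sorted(txns, key=lambda t: t["time"])
    for i, current in enumerate(ordered):
        total = sum(
            t["cents"] for t in ordered[: i + 1]
            if t["token"] == current["token"]
            and current["time"] - t["time"] <= window
        )
        if total >= limit:
            return i, total
    return None

if __name__ == "__main__":
    txns = constructed_transactions()
    print("per-transaction alerts:", len(per_transaction_alerts(txns)))
    idx, total = first_rolling_alert(txns)
    print(f"rolling alert at charge #{idx + 1}, S${total / 100:.2f} spent")
```
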

On Jun 23, 2024, the bank flagged these transactions as suspicious and tried to contact the claimant via telephone to verify them, but was unsuccessful.

The bank then took the preemptive measure of blocking the credit card temporarily to prevent further transactions and sent an SMS to the claimant to inform him about the blocking.

The claimant later called back and confirmed that he had not authorised the transactions. The card was permanently blocked and the tokenisation undone.

The bank advised him to complete a dispute declaration form, which the man submitted on Jul 22, 2024. The credit card charges were paid via automatic deduction from his bank account balance in August 2024.

The 22 transactions with the merchants were secured transactions and there were no charge-back rights against the merchants.

The man tried to recover the money on a best-efforts basis, and succeeded for only two transactions amounting to S$355.34.

He felt the remaining loss of S$3,456.38 for 20 transactions should be borne by the bank, but the bank did not accede to his request for a refund.

The case was referred to the Financial Industry Disputes Resolution Centre, but the adjudication held in July 2025 was not resolved in the claimant’s favour.

Dissatisfied with the outcome, he took the bank to the SCT.

BEFORE THE TRIBUNAL

The magistrate, Mr Tan, said the claim arose from the contractual relationship between the man and his bank for credit card services.

It was undisputed that the 20 transactions were unauthorised and carried out by an unknown scammer via tokenisation.

The credit card agreement between the man and his bank states that the cardholder will not be liable for any unauthorised card transactions made after notification to the bank. Liability will be limited to S$100 for any unauthorised transactions made before notification.

However, if it is found that the cardholder has acted fraudulently, was grossly negligent or failed to inform the bank of the lost or stolen card as soon as reasonably practicable, then the cardholder will be liable for all unauthorised transactions or amounts up to the credit limit, whichever is lower.

This includes any additional interest, charges or late fees.

The bank contended that the man had acted with gross negligence and should bear the full burden of the losses, saying he had disclosed his credit card details to the scammer, provided the one-time password enabling tokenisation and failed to take action despite the bank’s multiple SMS notifications.

In response, the man said he recalled trying to buy an item he saw on an advertisement while browsing TikTok. He was prompted to enter his credit card details.

He could not say with certainty whether this constituted a phishing scam but maintained that he had not disclosed his one-time password to anyone.

He said the SMS containing the password arrived at 11.13pm on Jun 4, 2024, when he would have been preparing for sleep with his phone in the living room.

He acknowledged receiving the bank’s subsequent notifications but ignored them entirely as he thought they had no relevance to his circumstances since he was not a user of Apple Pay.

The magistrate, Mr Tan, found it more probable than not that the claimant had disclosed both his credit card details and one-time password in a phishing scam.

However, he said the mere disclosure of credit card details and a one-time password in this manner did not necessarily constitute gross negligence in every case.

Still, Mr Tan said a reasonable person in that position would have monitored bank alerts in a timely manner, reported any unauthorised activity as soon as practicable and taken immediate steps to block further unauthorised access.

Mr Tan pointed to the notifications sent to the man, first the provision of a one-time password and a message saying he had tokenised his credit card.

Further alerts followed about the tokenisation of his card to Apple Pay, with one emphasising that if the card addition was unauthorised, he should contact the bank.

Mr Tan said the alerts served a critical function, signalling that someone unauthorised had obtained a digital key to the claimant’s details and was ready to use it for transactions.

While he accepted the claimant’s explanation for the initial messages which arrived late at night, prudence and reasonable care “demanded that he monitor these critical communications” and take the appropriate action the following morning.

“In my judgment, the claimant had failed to attend to these obvious and significant risks across multiple opportunities, and to take steps to mitigate them in a timely manner despite having been alerted to such suspicious activity,” said Mr Tan.

“Absent any reasonable explanation by the claimant, his pattern of inaction cannot be characterised as a mere oversight or momentary lapse in judgment. Rather, it represented a sustained course of omissions that fell significantly below the standard of reasonable care as to constitute gross negligence.”

He said the man’s prolonged inaction enabled the scammer to use his tokenised credit card and execute the unauthorised transactions.

He found that the bank was fully entitled to hold the claimant liable for the complete extent of losses from the transactions, in accordance with the terms of their credit card agreement.

Mr Tan stressed the importance of vigilance by lay users attempting to navigate a landscape with a “relentless pace of technological evolution within an already complex industry of financial services”, and the ever-increasing sophistication of financial scams.

He cited different forms of vigilance:

  • in monitoring and exercising appropriate care in online transactions,
  • in protecting one’s personal financial information from those who would misuse it, and
  • in monitoring notification alerts from banks and financial institutions so that early intervention remains a viable possibility when suspicious activity occurs.

“When one encounters alerts whose significance remains unclear or mysterious, the prudent course invariably lies in seeking immediate clarification from the relevant institution rather than simply ignoring such communications and hoping for the best,” said the magistrate.


Source: CNA/ll
