S'pore man loses S$3,800 after credit card scam, bank refunds him S$355, he takes them to court, loses

After a man's credit card was fraudulently added to an unknown party's Apple Pay, charges totalling S$3,811.72 were made to the card.

The bank was only able to recover and refund the man S$355.34.

The man later filed a small claims case, arguing that the bank is liable to refund the remainder of the amount to him.

The Tribunal Magistrate presiding over the case dismissed the man's claim in a judgment on Jun. 12, 2026, arguing that the man had failed to respond appropriately to the bank's multiple alerts warning him of potential unauthorised activity on his card.

Unauthorised activities

According to the grounds of decision on the case, on Jun. 4, 2024, at around 11:14pm, the man's credit card was successfully added to the digital wallet of an Apple device.

The man did not initiate this.

The man later received two more SMS notifications about this addition, warning him to report it to the bank if this action was unauthorised.

The man took no remedial action in response to the warnings.

Between Jun. 17 and 23, a series of 22 transactions were charged to the man's credit card.

These transactions were conducted through Apple Pay, denominated in Japanese yen, and processed by merchants such as Suica, Pasmo, Icoca and ANA Pay.

The transactions loaded money into prepaid wallet systems.

The amount charged totalled 430,000 Japanese yen, or S$3,811.72.

The man did not receive notifications from the bank for these transactions as they amounted to S$200 or below, less than the S$500 or more threshold setting to trigger alerts.

Bank attempted to contact man

On Jun. 23, the bank flagged these transactions as suspicious and attempted to contact the man via telephone to verify whether he had made them.

This attempt was unsuccessful.

The bank then pre-emptively blocked the man's credit card temporarily to prevent further transactions.

The bank then sent an SMS that same day to the man to inform him about the blocking of the card for security reasons.

The man later phoned the bank to confirm that he did not authorise the transactions.

The card was then permanently blocked, and the Apple Pay authorisation was removed.

The man then filed a dispute declaration form on Jul. 22, 2024, after being advised by the bank to do so.

The charges were later paid for by the man via automatic deduction from his bank on Aug. 5, 2024.

Dispute over liability

Of the 22 transactions, the bank was only able to successfully recover two of them, amounting to S$355.34, from the merchants.

The dispute between the man and the bank was therefore over who should bear responsibility for the remaining S$3,456.38.

The man and the bank sought mediation via the Financial Industry Disputes Resolution Centre on Jul. 23, 2025, but the man chose not to accept the outcome of the mediation.

He then brought the case to the Small Claims Tribunal.

Bank argued man had been negligent

Under the relevant clause of the credit card agreement, the bank and the cardholder typically share liability for unauthorised transactions made prior to the bank being notified, with the cardholder bearing responsibility for a maximum of S$100 in total.

However, if the cardholder is found to have “acted fraudulently, was grossly negligent or failed to inform the bank of the lost or stolen card as soon as reasonably practicable”, then the cardholder bears the burden of liability.

The bank's case was that the man had acted with gross negligence and he should therefore bear the full burden of the losses.

The bank argued that the man had disclosed his credit card details to the scammer and that he had facilitated the addition of his credit card to the scammer's digital wallet by disclosing his one-time password (OTP).

The bank also argued that he had failed to take remedial action despite multiple alerts about potential unauthorised activity on his card.

Man said he did not see the initial OTP message

In response, the man "maintained steadfastly" that he had not disclosed his OTP to anyone.

The man, however, did recall an attempt to purchase an item through a TikTok advertisement, which prompted him to enter his credit card details.

The man also argued that the SMS containing the OTP arrived at 11:13pm. This would have been when he was preparing for sleep in the bedroom, with his mobile phone in the living room.

Regarding the bank's subsequent alerts, the man acknowledged receiving them, but explained that he ignored them as he was not an Apple Pay user and therefore assumed there was no relevance to him.

Likely a victim of a phishing scam

Laying out his decision, Tan wrote that he found it "more probable than not" that the man did disclose his credit card details and OTP to the scammer, likely having fallen victim to a phishing scam.

"Without both the credit card details and the OTP, the scammer would have been unable to successfully tokenise the claimant’s credit card onto their Apple device," Tan said.

This inadvertent disclosure was more likely than the alternative scenario, which is that the man's mobile device had been compromised.

Failed to take remedial steps across multiple opportunities

However, Tan noted that the disclosure of the credit card details and OTP and falling victim to a phishing scam was not enough to constitute gross negligence on the man's part.

Examining the man's actions, Tan found that "a reasonable person" in the man's position would have undertaken "three essential steps" upon receiving the bank's notification alerts.

He would monitor the alerts "in a timely manner", " report any unauthorised activity as soon as possible and take steps to block further unauthorised access.

Tan also found that the bank's initial notification containing the OTP should have "sounded the loudest of alarm bells", given that the man did not initiate the process to add his card to Apple Pay.

The subsequent alerts also made it clear that the man should contact the bank if the addition was unauthorised, Tan wrote.

Addressing the man's point that he did not notice or read the bank's alert on Jun. 4, Tan accepted the man's explanation but said:

"Prudence and reasonable care demanded that he monitor these critical communications and take appropriate remedial action the following morning. He had not done so then, nor did he act upon the two subsequent opportunities that presented themselves to him over the following days."

Tan found that the man had failed to take remedial steps "across multiple opportunities" and his pattern of inaction "cannot be characterised as a mere oversight or momentary lapse in judgment".

"Rather, it represented a sustained course of omissions that fell significantly below the standard of reasonable care as to constitute gross negligence," Tan wrote.

On these grounds, Tan dismissed the man's claims and found him liable for the remaining S$3,456.38 that was lost to the scam.

However, Tan also noted in conclusion that it was "understandable" how the man was confused about what happened, given the pace of technological change and the increasing sophistication of scam methods.