Claudia Lee was travelling in the Central American nation of El Salvador in 2024 when she checked her Australian bank account and realised something was terribly wrong.

The then-26-year-old Darwin woman’s ING account had been accessed by a phishing scammer, and the bank failed to alert her that anything was possibly amiss.

“I checked my savings account, and it’d been fully drained — $48,000 had been taken out of it, and I was left with 39 cents,” she said.

After facing tech troubles accessing her ING app, Ms Lee had inadvertently clicked a text message link that took her to a fake ING website, where she entered her details.

Claudia Lee smiling in a travel photo

Claudia Lee was travelling in Central America when her ING bank account was drained by a scammer. (Supplied: Claudia Lee)

“It was devastating, it was crazy, because it was the sort of thing I would’ve thought could never happen to me,” she said.

“I’m a young person, I’ve got relatively good digital literacy and this still happened.”

What followed was an anxiety-inducing 18-month saga to try to get ING to take responsibility and reimburse her the money she lost after she said the bank missed a series of red flags.

Her solicitor, Tom Hutton, said that within 48 hours of Ms Lee clicking on the link, the scammer had changed her personal contact details and withdrawn her funds, with ING doing nothing to stop them.

Monitors displaying global cyber threats

Cybersecurity experts say the longer a breach goes undetected, the more time attackers have to steal victims’ data. (ABC News: Aiden Daly)

“All of Claudia’s contact details had been changed, a joint account had been opened in her name, the transaction limit had been raised from $5,000 to above $20,000, all of her savings had been withdrawn,” he said.

“All of that happened without the bank having spoken to Claudia.”

Ms Lee had previously notified ING that she would be travelling abroad at that time.

A woman looks at a banking app on her phone

Claudia Lee says if scammers can fool someone her age, older people and those with lower tech literacy could be at even greater risk. (ABC News: Michael Franchi)

She was luckily at the tail end of a months-long trip when she was hit by the scammer, and her return tickets to Australia were already booked.

“I had next to no money left, and that was drained very quickly because I had to travel from El Salvador back to Guatemala, and then I was flying through the US to come back to Australia,” she said.

“So by the time I got back, I had pretty much nothing and needed to start from scratch.”

However, ING refused to admit fault and would not pay up.

A man in a white shirt and blue tie sits at a desk

Tom Hutton says his client “lost the entirety of her savings, through really very little fault of her own”. (ABC News: Marcus Kennedy)

“They were a very difficult entity to deal with,” Mr Hutton said.

“They were unresponsive and adversarial, right until the end.

“Which in these circumstances was particularly disappointing — a young woman who has lost the entirety of her savings, through really very little fault of her own, we thought.”

Authority rules against ING

After months of inaction from ING, Ms Lee took the case to the industry regulator, the Australian Financial Complaints Authority (AFCA).

In November last year, AFCA ruled in her favour, and ING was forced to reimburse her the full amount of her losses, plus compensation.

“The bank has not been able to show, on balance of probabilities, the complainant voluntarily disclosed her pass code or acted with extreme carelessness in failing to protect her pass codes,” ombudsman Nay Sharafeldin wrote.

A woman leans against a post in a public park

Claudia Lee argued ING missed red flags that should have alerted the bank that she had been the victim of a scam. (ABC News: Michael Franchi)

“In addition, I consider the complainant suffered stress and inconvenience by the bank’s unclear communication about the progress of the recall requests.”

Ms Lee is no longer an ING customer and is now calling on ING and other banks to work towards improving their scam protection policies.

“I think about all the groups out there that are more vulnerable than I am,” she said.

“Whether it’s older Australians, people with lower tech literacy, or people who speak English as a second language.

Monitors displaying global cyber threats

Australian Signals Directorate data shows a cybercrime report is made about every six minutes. (ABC News: Aiden Daly)

“As these scams are becoming more sophisticated, it doesn’t feel like the protections are becoming better for everyday people.”

In a statement, an ING spokesperson said: “While confidentiality prevents us from commenting on the specifics of this case, we take responsibility when we get things wrong.”

“Our review found that our communications with the customer did not meet our standards and we should have engaged differently,” they said.

“We apologise for this.”

People walking through a central business district on a sunny day with a bank savings account advertisement in the centre.

ING says it is “increasingly difficult to identify and resolve matters where a customer is a victim of a scam that has involved phishing”. (AAP: Bianca de Marchi)

When asked whether ING had done anything to strengthen its security processes since Ms Lee’s complaint, the spokesperson said it was becoming “increasingly difficult to identify and resolve matters where a customer is a victim of a scam that has involved phishing”.

“Banks, telecommunications providers and digital platforms are increasingly working together to prevent crime through a combination of consumer education and technology solutions,” the bank said.

Regulators ‘should come down hard’

Charles Darwin University cybersecurity expert Bharanidharan Shanmugam said there needed to be greater onus on Australian banks to protect customers from phishing scams.

“I would suggest the regulators should come down hard on banks,” he said.

“Making sure that if there are any moneys being lost, the banks should be made accountable for that.

A man in a polo shirt looks at the camera

Bharanidharan Shanmugam says “regulators should come down hard on banks” who fail to protect their customers from scammers. (ABC News: Dane Hirst)

“The banks could come back and argue that ‘oh, it’s a customer’s mistake and we don’t have any control over those mistakes by the clients’ — but it is not the case.

“There could be more controls so that the account is being safeguarded from any of the malicious activities.”

Warning against romance scammers

WA authorities urge people to be vigilant against online romance scammers, with dozens of West Australians collectively losing almost $4 million to the practice last year. 

Dr Shanmugam also called on the federal government to strengthen existing consumer banking laws to ensure the banks were legally responsible for money scammed from customers.

In a statement, Assistant Treasurer Daniel Mulino said the Commonwealth was working to address the “serious harm scams can cause Australians, including when they are travelling overseas”.

Mr Mulino said the government’s Scams Prevention Framework would commence later this year and would place more “responsibility on banks and other sectors to do more to prevent, detect and respond to scams through mandatory, enforceable obligations”.

He said the framework would apply to Australian banking customers at home and overseas.