SINGAPORE – A victim of a credit card phishing scam failed to recover his $3,456 loss from his bank after the court found that he was grossly negligent by not taking action after receiving multiple notification alerts.

The Small Claims Tribunals (SCT) dismissed the man’s claim against the bank, ruling that his failure to respond to repeated warnings about activity on his credit card over more than a week shifted the loss entirely to him under the terms of his credit card agreement.

In written grounds of decision issued on June 12, tribunal magistrate Joel Tan said the man’s inaction “fell significantly below the standard of reasonable care” and amounted to gross negligence.

The identities of both the victim and the bank were anonymised in the judgment.

The case stemmed from a phishing scam in June 2024.

The man had seen an advertisement while browsing TikTok and attempted to buy an item. He entered his credit card details on the site, although he later said he could not be certain if it was a phishing website.

At about 11.13pm on June 4, 2024, he received a text message from the bank containing a one-time password (OTP) for adding his credit card to Apple Pay.

The message warned him not to share the OTP and instructed him to contact the bank if the request was unauthorised.

Shortly after, he received another message confirming that his card had been successfully added to Apple Pay.

The man said he did not share the OTP with anyone and claimed he would have been preparing for bed at the time, with his mobile phone left in the living room.

He also admitted receiving the bank’s alerts but ignored them because he did not use Apple Pay and assumed the messages did not concern him.

Additional alerts were sent on June 6 and June 12, again informing him that his card had been added to Apple Pay and advising him to contact the bank if the activity was unauthorised.

Again, the man took no action.

Between June 17 and June 23, scammers used the credit card to make 22 unauthorised transactions worth 430,000 yen, or $3,811.72.

The transactions – each below $200 – were used to top up Japanese electronic wallets and payment systems, including Suica, PASMO, ICOCA and ANA Pay.

Because the man’s credit card was set to send transaction alerts only for purchases above $500 – the bank’s default setting – none of the transactions triggered notifications.

The bank detected the suspicious pattern on June 23 and attempted to call the man.

When it could not reach him, it temporarily blocked the card and sent him an SMS informing him of the block.

The man then contacted the bank and confirmed that he had not authorised the transactions. The card was permanently blocked and removed from the scammer’s digital wallet.

The bank later managed to recover $355.34 from two transactions, but the remaining $3,456.38 could not be recovered.

The bank declined to bear the loss, prompting the man to bring the dispute first to the Financial Industry Disputes Resolution Centre (FIDReC).

Its decision in July 2025 did not go in his favour. He rejected the outcome and filed a claim with the SCT in November 2025.

The key issue before the tribunal was whether the man had been grossly negligent.

Under the bank’s credit card agreement, customers are generally liable for up to $100 for unauthorised transactions made before they notify the bank.

However, customers become fully liable if they act fraudulently, are grossly negligent or fail to report the loss or theft of a card as soon as reasonably practicable.

The bank argued that the man had been grossly negligent because he disclosed his credit card details and OTP to scammers, and later ignored multiple warnings from the bank.

The tribunal found it was more likely than not that the man had inadvertently disclosed both his card details and OTP in a phishing scam.

The magistrate noted: “I considered this to be more likely than the alternative scenario – that is, his mobile device had otherwise been compromised in some fashion – which would itself raise serious concerns about his digital security practices.”

But he said disclosure of credit card details and a one-time password when falling for a phishing scam does not automatically amount to gross negligence.

“(Phishing) scams have grown increasingly sophisticated in recent years, employing techniques that may deceive even reasonably cautious individuals,” he noted. “Their risks and dangers may not always be readily apparent – even to a person exercising reasonable care.”

Instead, the magistrate said the decisive factor was the man’s failure to act after receiving repeated alerts.

The first message, which stated that an OTP had been requested to add his card to Apple Pay and instructed him to contact the bank if the request was unauthorised, should have “sounded the loudest of alarm bells”, he said.

The subsequent confirmation that the card had been added to Apple Pay, followed by two more alerts over the ensuing week, gave the man multiple opportunities to investigate and stop further misuse.

The magistrate accepted that the first alerts arrived late at night and that the man might not have read them carefully at the time.

But he said reasonable care required him to review the messages and contact the bank the next day, or after receiving the subsequent alerts.

“(His) pattern of inaction cannot be characterised as a mere oversight or momentary lapse in judgment,” the magistrate said. “Rather, it represented a sustained course of omissions that fell significantly below the standard of reasonable care as to constitute gross negligence.”

The tribunal dismissed the victim’s claim against the bank.

Even so, the magistrate said the man’s loss “warrants sympathy”, noting that ordinary consumers face a relentless pace of technological changes within a complex financial landscape and increasingly sophisticated scams.

He added that consumers should remain vigilant not only in protecting their financial information, but also in paying attention to alerts from banks and financial institutions.

He said: “When one encounters alerts whose significance remains unclear or mysterious, the prudent course invariably lies in seeking immediate clarification from the relevant institution rather than simply ignoring such communications and hoping for the best.”