An Alberta woman says she has to repay almost $10,000 — plus interest — after her line of credit was drained and the money transferred out of her Bank of Montreal account without her permission.
Charlene MacNeil, 37, said she panicked when she received a credit limit alert email on the evening of Aug. 28, notifying her she had just $33 of available credit left on her $15,000 line of credit at BMO.
She checked her account, noticed a lot of money was missing, and immediately called the bank's corporate hotline to report it.
The next morning at her local branch in Tofield, Alta., she learned that $10,300 had been transferred from her line of credit to her chequing account. Then, $9,702 was sent from her chequing account to a bill payee she didn't recognize.
BMO investigated the transactions but will not reimburse her for the missing amount. MacNeil is now responsible for paying back the money, plus 10.8 per cent interest.
"It's a huge hit to our family," MacNeil told CBC News.
She said the incident has taken a mental toll on her, shaken her trust in banks and made her feel like a criminal despite doing nothing wrong.
MacNeil lives on a farm near the central Alberta town of Tofield and has been a BMO customer since she was a kid. She said she never worried about the money in her accounts because she thought she was careful with her personal information.
MacNeil said a few days after first reporting what happened, she spoke by phone to a bank employee who told her BMO had decided not to reimburse her for the amount but she could escalate her case to the customer complaint appeal office.
At the bank's recommendation, she reported what happened to RCMP and had her phone wiped in case it had a virus. She provided proof of both steps to the bank.
RCMP spokesperson Cpl. Troy Savinkoff said Camrose RCMP continues to investigate a Sept. 1 report of fraud between $5,000 and $10,000.
BMO spokesperson Jeff Roman said the bank is unable to disclose details of the customer's incident due to the priority the bank places on customer confidentiality. He encouraged CBC News to examine an investigation outcome letter the bank sent to the customer.
"It contains important information regarding the facts of this situation," Roman said in an emailed statement.
MacNeil shared the Oct. 10 letter with CBC News. It said that the device used to access her bank account triggered a one-time passcode, which was sent by text to her phone number, successfully retrieved and entered.
"If you were not the one who input your bank card number, secret online banking password and the one-time passcode, then either you somehow disclosed this information, or one of your devices (computer, cellphone) may have been compromised to allow someone to gain access to this information," wrote senior investigator Gary Jasper.
He said in the letter that safeguarding MacNeil's bank card number, passwords, passcodes and devices was her responsibility, not the bank's.
MacNeil said she only uses her phone to log into online banking. She does not remember receiving a two-factor authentication code that day, and had not shared her password with anyone, even her husband.
She said she wonders if her phone was compromised during a work trip to a conference in Las Vegas.
MacNeil said she tries not to use public Wi-Fi networks but may have done so during the Vegas trip.
Unsatisfied with the bank's response, MacNeil said she had a lengthy phone conversation with Jasper.
Subsequently, the BMO's branch manager in Tofield verbally offered to reimburse her $500.
MacNeil still hopes to recover the full amount and has filed a complaint with the Ombudsman for Banking Services and Investments (OBSI), a dispute resolution service.
What could have happened?
According to figures from the OBSI, nearly 500 fraud cases were opened between January and July of this year.
Fraud is the top banking issue reported to the industry ombudsman.
And as of June 30, more than $280 million was lost to fraud this year, according to the Canadian Anti-Fraud Centre.
John Zabiuk, chair of the cybersecurity program at the Northern Alberta Institute of Technology, said there are many ways bad actors can access others' bank accounts.
One common way is to impersonate a bank and trick users into giving away their login credentials or allowing remote access to their devices.
John Zabiuk, chair of NAIT's cybersecurity program, said there are many ways bad actors can access others' bank accounts and personal information. (Madeleine Cummings/CBC)
Other methods include obtaining passwords from a data breach and convincing people to download malware disguised as useful applications.
As for MacNeil's public Wi-Fi theory, Zabiuk said if a network is not secure, it is very easy for attackers to intercept a connection and watch everything that occurs on a device.
"Public Wi-Fi should be avoided at all costs," he said.
Zabiuk also recommends changing passwords every two months, signing up for multi-factor authentication, checking bank accounts regularly and researching applications before downloading them.