If a customer received a phone call from a "spoofed" caller ID and it appeared as though our bank was calling to confirm fraudulent charges, and the customer subsequently gave out her card number, CVV, and expiration date to have the caller "refund the $500 unauthorized charge" however, what ended up happening is the suspect charged $1,000 to the debit card.

The customer called the bank 2 hours after the event occurred to inquire if the refund had been processed and that's when we realized what had happened.

Is this covered under reg e - and we owe her the $1,000? Or because she gave out the card information willingly without realizing it was a scam, is this the customer's to bear?

Obviously, if it's not covered under Reg E the bank needs to weigh the reputational risk of the situation.

Thanks!

The customer authorized a refund and not a charge to their account. I am not sure how you can call that an authorized transaction.

That definitely qualifies as "access device obtained through robbery or fraud" as noted in the commentary to 1005.2(m).

Reg E covers it and the bank owes the customer the money. The bank also has to decide if it wants to issue a replacement card.

Thank you both very much!

Another way of looking at this is, if your customer gave the info to a "scammer" who said they'd remove a virus from the consumers PC for $300, and they logged on to that persons PC and did little or nothing that we know of, the card info was provided for a service to be rendered and arguably it was, even if it was a scam or appeared to be after the fact. We've no idea what real service was performed. Sometimes these are to clean a virus, and maintain the PC with driver updates and such. It is a scam, but legally it may not be.

There used to be a scam for tree trimming. A person would agree to $1.00 a branch. Well a branch can be a big limb where 10 make a tree much thinner. But cutting those 10 limbs piece by piece could lead to 50 "branches" on what the homeowner saw as one. It's a scam, but it's one to be decided on in the courts.

But if that tech person in the original scenario then made additional charges, those additionals were not authorized and there was no agreement. Those would be valid claims as they were not authorized.