Credit Card Fraud on Avant Money credit card

eddiew

Registered User
Messages
20
I have had a Credit Card from Avant Money (AM) for many years and have not had any major issue until now.

In July last, 3 separate unauthorised foreign currency payments were posted to my account on the same day with the same legend on each. The sum of the payments was €2,667.42.

I first became aware of an issue with my card the day after the transactions when I could not use the card in a local shop. I contacted AM who told me they had blocked the card on foot of these transactions and I was instructed to destroy it immediately and a new one would issue within days which it did. AM refunded the full cost of the payments pending an investigation.

In the week or so that followed, AM contacted me to ask if I had received any suspicious texts or emails recently. I don't open such texts or emails as a rule. I checked back but could find none. They had a particular focus on the period about 2 weeks before the payments, a time when I was adding the AM Card to my Google eWallet on my phone. This proved to be a drawn out (went on for days) and difficult process but I followed the instructions of AM representatives throughout. I recall at least one "One Time Passcode" (OTP) being issued to me as part of the process. Some time previously, I had added a bankers card to the same eWallet without issue. AM staff could not explain the difficulties encountered on this occasion.

In early September, I was notified by AM in a letter that it had concluded its investigation and had concluded that the OTP issued to me had been shared with the merchant identified on the legend associated with the transactions and accordingly, the payments were to be reapplied to my account which happened the following day with the legend "Adjustment for fraud transaction". The evidence underlying this decision has not been provided despite my requests to do so.

I have suffered a very significant loss. I am very disturbed by this outcome and its not clear what I can do to recover my money. I generally trust the licensed financial institutions of the State to protect customer' interests at all times.

I have made complaints to both the Financial Ombudsman and the Gardai but I am advised that neither process will be concluded quickly.
 
I have made complaints to both the Financial Ombudsman and the Gardai but I am advised that neither process will be concluded quickly.
Yes the ombudsman process doesn't start for about 8 weeks after you submit the request. I hope it goes well for you though when it starts.
 
This proved to be a drawn out (went on for days) and difficult process but I followed the instructions of AM representatives throughout. I recall at least one "One Time Passcode" (OTP) being issued to me as part of the process.

So the fraudsters hit it lucky.

You were defrauded by them and not by Avant Money.

I feel sorry for you, but I don't see that you have any complaint against AM as you gave a OTP to the fraudsters.

Brendan
 
AM in a letter that it had concluded its investigation and had concluded that the OTP issued to me had been shared with the merchant identified on the legend associated with the transactions and accordingly, the payments were to be reapplied to my account which happened the following day with the legend
Can you share the exact wording of the letter?

Do you use the Avant Money app?
 
This appears to be the same modus operandi as the multiple Revolut card issues we see reported. They all involved Google Pay. The whole idea of a OTP is it can only be used once. I suspect there is a compromised system in the chain between the financial institution and customer. From Google it's self to the customer's phone or any of multiple systems the data travels through in-between.
 
I followed the instructions of AM representatives throughout. I recall at least one "One Time Passcode" (OTP) being issued to me as part of the process.

You should put in a data access request for the recordings/transcripts to Avent, for all your interactions with their representatives. There is/was sample letters on the Data Protection Commissioners website.
 
In the week or so that followed, AM contacted me to ask if I had received any suspicious texts or emails recently. I don't open such texts or emails as a rule. I checked back but could find none. They had a particular focus on the period about 2 weeks before the payments, a time when I was adding the AM Card to my Google eWallet on my phone. This proved to be a drawn out (went on for days) and difficult process but I followed the instructions of AM representatives throughout. I recall at least one "One Time Passcode" (OTP) being issued to me as part of the process. Some time previously, I had added a bankers card to the same eWallet without issue. AM staff could not explain the difficulties encountered on this occasion.
This doesn't sound like you were talking to AM representatives at all, it sounds like you were dealing with the fraudsters. Did you read back your OTP to anyone at any point?
 
Last edited:
Can you share the exact wording of the letter?

Do you use the Avant Money app?
Yes I use the AM app.

On 3rd Sept, AM stated the following:
"We have now reviewed the transactions in question, and can confirm that these were made via electronic wallet (E-Wallet), which required an additional level of authentication to link your card to the W-wallet. In order for this to happen, a one-time passcode (OTP) was generated to the phone you registered with us.
This OTP is unique and could only be used for linking your credit card to the E-wallet and is designed exclusively for your use. We send OTPs so that you and only you can complete the additional level of authentication. The message which contains the OTP clearly states the importance of not sharing the code with anyone:
"Do not share your Google/Apple Pay activation code with anyone, even Avant Money staff. Code is (OTP). Valid for 5 minutes. Didn't request this? Contact us now".
We also follow this OTP message with a message to confirm the E-wallet has been activated successfully and to contact us immediately if you didn't register for the service.
Our Terms and Conditions (extract included below) highlight the importance of safeguarding all security features associated with your account. As a result of the OTP being used to authorise the addition of your credit card details to the E-Wallet which allowed the transactions to take place, we have made the decision to reapply these transactions to your account"

A subsequent clarification states the following:
"Please be aware that as your card number was added to a 3rd party's eWallet, they then used your card in a merchant named xxxx on 26th July 2024 spending a total of €2,667.42"
 
It’s very sad but it reads like either the calls to Avant Money were actually to/from fraudsters or the calls took place somewhere public and someone heard/saw the code and then got the card number.

In the UK, criminal gangs have put associates into banks as employees. Could there be criminals working for the likes of Avant Money or Revolut? Why couldn’t there be? Presumably anyone can get a job in one of their call centres? No doubt they’re crying out for staff.
 

That seems wildly different from the following, or at least a much altered wording, and I don't see the monetary value mentioned...

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366

(70)

In order to reduce the risks and consequences of unauthorised or incorrectly executed payment transactions, the payment service user should inform the payment service provider as soon as possible about any contestations concerning allegedly unauthorised or incorrectly executed payment transactions, provided that the payment service provider has fulfilled its information obligations under this Directive. If the notification deadline is met by the payment service user, the payment service user should be able to pursue those claims subject to national limitation periods. This Directive should not affect other claims between payment service users and payment service providers.

(71)

In the case of an unauthorised payment transaction, the payment service provider should immediately refund the amount of that transaction to the payer. However, where there is a high suspicion of an unauthorised transaction resulting from fraudulent behaviour by the payment service user and where that suspicion is based on objective grounds which are communicated to the relevant national authority, the payment service provider should be able to conduct, within a reasonable time, an investigation before refunding the payer. In order to protect the payer from any disadvantages, the credit value date of the refund should not be later than the date when the amount has been debited. In order to provide an incentive for the payment service user to notify, without undue delay, the payment service provider of any theft or loss of a payment instrument and thus to reduce the risk of unauthorised payment transactions, the user should be liable only for a very limited amount, unless the payment service user has acted fraudulently or with gross negligence. In that context, an amount of EUR 50 seems to be adequate in order to ensure a harmonised and high-level user protection within the Union. There should be no liability where the payer is not in a position to become aware of the loss, theft or misappropriation of the payment instrument. Moreover, once users have notified a payment service provider that their payment instrument may have been compromised, payment service users should not be required to cover any further losses stemming from unauthorised use of that instrument. This Directive should be without prejudice to payment service providers’ responsibility for technical security of their own products.

(72)

In order to assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all of the circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. However, while the concept of negligence implies a breach of a duty of care, gross negligence should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties. Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered to be null and void. Moreover, in specific situations and in particular where the payment instrument is not present at the point of sale, such as in the case of online payments, it is appropriate that the payment service provider be required to provide evidence of alleged negligence since the payer’s means to do so are very limited in such cases.
 
That seems wildly different from the following, or at least a much altered wording, and I don't see the monetary value mentioned...
You’re confusing the recitals with the articles of the legislation. EU directives have recitals first, articles next. The numbers don’t correspond.
 
They had a particular focus on the period about 2 weeks before the payments, a time when I was adding the AM Card to my Google eWallet on my phone. This proved to be a drawn out (went on for days) and difficult process but I followed the instructions of AM representatives throughout. I recall at least one "One Time Passcode" (OTP) being issued to me as part of the process. Some time previously, I had added a bankers card to the same eWallet without issue. AM staff could not explain the difficulties encountered on this occasion.

@eddiew - have you reviewed what devices you have been signed into with your Google Account? For me this shows e.g. older phones I've used:
https://myaccount.google.com/device-activity
 
Back
Top