Unauthorised transactions: What you need to know

Last updated on September 4th, 2025

When Queenie received a call from Paypal about an unauthorised transaction, she took quick action, unlinking her bank card as advised. Before she knew it, more than $1600 had vanished from her account. Realising she had been scammed, Queenie immediately alerted Westpac, never thinking she would soon join the thousands of Australians making financial complaints.

While banks should help you recover missing funds where possible, many are clearly not doing enough. The Australian Financial Complaints Authority (AFCA) received 12,505 complaints about unauthorised transactions for the second year in a row. This includes complaints about banks and other financial institutions, insurance companies and superannuation funds.

Customers usually turn to AFCA, an independent body that can make findings against financial institutions and award compensation for losses, when they are not getting anywhere with their bank.

We will see if the trend in financial complaints about unauthorised transactions has slowed when AFCA releases the full 2024-2025 review later this year. But everyone should know what to do if they see something suspicious in their account.

What counts as an unauthorised transaction?

As the name suggests, an unauthorised transaction is when money is taken out of your account without your permission.

 

 

An unauthorised transaction could be a simple slip-up, such as a company mistakenly debiting your account for the same amount in quick succession, or it could be someone acting fraudulently, including a bank employee or a scammer.

It is different from a mistaken transaction, which is when you accidentally pay the wrong person or company.

Either way, if your bank subscribes to the ePayments Code – and most banks, credit unions and financial institutions do – they must take steps to help get your money back. Administered by the Australian Securities and Investment Commission (ASIC), the code compels subscribers to consider all reasonable evidence and explanations provided for the disputed transaction.

How do I report unauthorised transactions?

Contact your bank as soon as possible. They not only have a better chance of getting your money back, but they can also prevent any further losses.

They must have a priority number for you to call. Tell them you have spotted an unauthorised transaction and ask them to put a ‘stop’ on your account. This could mean cancelling the card involved or even disabling internet banking temporarily. You should also change all passwords and PIN numbers.

 

 

Ask for a reference number and follow up the phone call with a formal letter. Include the reference number and the details you discussed on the phone. Send it as soon as possible (email is fine) and keep a copy. The bank should reply within 21 days advising of the outcome or telling you if they need more time to gather evidence.

Can I dispute a payment that went to the wrong account?

We often make payments in a hurry on our mobile app. It’s easy to hit send without realising we’ve mixed up a digit or two, particularly when the numbers are similar.

This happened to a Commonwealth Bank customer who accidentally made a payment to the wrong account. They thought they were paying into their own account but while the account number was the same, the BSB was different. As soon as they realised their error, they contacted the bank but were refused a refund because the funds had already gone to an existing account.

If the money is still in the recipient's account and you report the mistaken transaction within 10 business days, as this customer did, you should be able to get your money back. The longer you leave it, the harder it is to get back. After seven months, you will only get a refund if the recipient agrees.

 

 

What are my rights under the ePayments Code?

The code outlines rules for unauthorised transactions for consumers and subscribers. Generally, you will not be held accountable for an unauthorised transaction as long as you took reasonable steps to protect your account.

Unauthorised transactions exclude transactions you initiated or were conducted with your knowledge, which means if you have been the victim of a scam, it may be harder to get your money back.

The code also outlines procedures to get a refund for money mistakenly paid to the wrong person or company, as well as complaints handling processes for consumers dissatisfied with the way the bank has handled an issue. You can find the list of subscribers on ASIC’s website.

Can a bank refuse to refund an unauthorised transaction?

There are many reasons a bank might refuse a refund. You are not responsible for any losses that happen after you report the initial unauthorised transaction (which is another reason to ensure you keep hold of the reference number from that first conversation).

 

 

However, the bank may find you liable for some or all of the loss because you contributed in some way. This could be by:

• • Giving someone your card PIN or online password
  • Entering bank login details on a scam website
  • Saving security information without adequate password protection
  • Choosing a password with your birth date or name
  • Not telling the bank your card was lost or stolen in a reasonable time frame
  • Acting fraudulently

Even then, the ePayments Code limits the amount of liability, including that it not exceed the daily transaction limit for the account involved.

What can I do if the bank won’t refund my money?

If you do not agree with the decision about an unauthorised transaction or mistaken payment, or are upset about how it has been handled, follow up with a complaint to the bank.

Still not happy with the bank’s response? Lodge a formal complaint with AFCA or, better still, let us deal with it. We are experts in consumer advocacy and can guide you through the process to get a solution sooner. Find out more about how we can help with financial complaints.