Online phishing scams have become more sophisticated, ombudsman says
Online phishing scams have become increasingly sophisticated, as highlighted by a recent case which saw a bank customer losing $60,000 after receiving an email from what he thought was the Inland Revenue Department.
According to the Banking Ombudsman Scheme, the customer received an email purportedly from the tax department and in an elaborate setup, asked him to log into his myIR page and verify his bank account details in order to receive a tax refund. The page contained a link to a fake website that looked very convincingly like his bank’s website where entered his banking details and an SMS code.
The SMS code had been generated by the bank when the scammer attempted to set up mobile banking on his device, but this failed to raise the customer’s suspicion as he thought the SMS was related to his internet banking log-in. The code was then used by the scammer to complete the mobile banking setup, and over subsequent days, made withdrawals totalling $60,000.
“Ordinarily, banks are liable for a customer’s losses as a result of an unauthorised transaction – typically a scam – if the customer has taken reasonable care to protect his or her banking,” Banking Ombudsman Nicola Sladden (pictured above) said. “In this case, such was the sophistication of the scam that we considered the customer had shown reasonable care in the circumstances.”
“We therefore found the bank should reimburse the customer the full $60,000.”
Sladden said it is, regrettably, just one of a mounting number of phishing cases, like the recent road toll text scam, involving customers who were tricked into disclosing their banking details, thereby enabling scammers to steal their money.
“We urge bank customers to be wary of any email or approach that asks them to carry out an online action via phone call or text,” she said. “A definite no-no is to click on a link or call a number from a text. Customers should always independently contact the organisation concerned to verify any activity they have not themselves initiated.”
Sladden said the bank had rejected the customer’s request to reimburse the loss, arguing that he was in breach of the terms and conditions of his account when he provided the scammer access to his internet banking, through his log-in details and the SMS code.
But the scheme found that the customer had acted reasonably in the circumstances. If the SMS had made it clear that the code was to set up mobile banking on a new device, the customer might have been alerted to the scam.
Sladden said scams accounted for an increasing proportion of complaints to the scheme, but this was just the tip of the iceberg, with bank data suggesting that Kiwis lose nearly $200 million a year to scams.
The scheme said banks are obliged to reimburse a customer’s fraud losses, where someone has accessed their banking without authority, so long as the customer wasn’t dishonest or negligent, complied with the terms and conditions of the account, and took reasonable steps to protect his or her banking.
Sladden encouraged scam victims to contact their bank directly for help in trying to recover their money. For victims experiencing problems dealing with their bank in such cases, the scheme could offer them independent advice and assistance.
Have any stories about sophisticated phishing scams? Tell us about it in the comments section below.