International Fraud Awareness Week
13 Nov 2017
This week is International Fraud Awareness Week. The theme is how to spot a scam. The Banking Ombudsman Scheme is about resolving and preventing problems to improve banking for customers and banks. We are passionate about working collaboratively to fight fraud and minimise consumer losses.
“Scams cost New Zealanders, banks and the economy millions of dollars each year. In addition to the financial cost, significant emotional damage is suffered by victims and their families”, says Banking Ombudsman, Nicola Sladden.
“We all need to play our part to spot scams. The banking industry can intercept and disrupt some scams through effective scam prevention systems. Most banks have robust fraud prevention systems and policies, dedicated fraud teams and well trained front-line staff. Customers also need to be scam-savvy, and think carefully about their security practices.
“We tend to be very trusting in New Zealand. We all need to be on the look-out for:
• romance scams – when people pose as potential romantic partners, usually overseas
• investment and lottery scams – when a scammer offers to pay out winnings if you pay a processing fee or upfront investment
• money mules – when a scammer asks a bank customer to accept and forward on money stolen from another victim’s bank account
• phishing scams – often calls or emails purporting to be from internet service providers or other legitimate companies. And these are getting more sophisticated, like the case below.
Some practical tips for avoiding scams:
• Be suspicious of unsolicited phone calls and emails telling you something is wrong. Don’t let them panic you – call your normal provider to check, especially before you download anything.
• Anyone calling or emailing to ask for personal information, PINs and passwords is likely trying to scam you.
• Password lock all your devices and banking apps, use different passwords, and change your passwords every six weeks. Don’t use the same security prompt (eg mother’s maiden name) for everything.
• Install software to fight against malware and keep it up to date – it’s your responsibility if you use online banking.
• Put text authentication on money transfers and don’t share the verification codes with anyone.
• Don’t rush in to help – if you get an email purporting to come from a friend in distress overseas, check with their family first.
• Be very careful with online gambling (including Facebook gambling). You could be giving out information to scammers.
• Don’t carry out payments or financial transactions on a public internet connection (like free wifi spots).
For more information, see our guide on scams, Common scams targeting bank customers, or www.consumerprotection.govt.nz.
Cyber-shouldering
Daniel’s* computer and internet were running slowly. He received a call from someone who said they worked for his internet service provider (ISP). The caller said work was being conducted in Daniel’s area which was affecting his internet.
The caller offered to assist Daniel with installing virus detection software, which would help with his internet connection. The caller directed Daniel to particular software and stayed on the line while he downloaded it.
The caller then asked Daniel to check the security of various websites, including his internet banking. The caller asked Daniel to log in and check whether his internet banking had two padlocks in the corner. When Daniel said it only had one padlock, the caller said Daniel needed to call his bank and ask for international money transfers, as this would trigger greater security measures and enable the second padlock. When he called the bank, Daniel didn’t say he was setting up international payments for security purposes – instead he said he wanted to send around $10,000 overseas.
Daniel was on the phone with the caller for a long time. Eventually, he became frustrated and called his ISP, which told him they were not doing any works in the area. Daniel realised he had been the victim of a scam and called his bank, which suspended his internet banking. However, by this point, $50,000 had been transferred out of Daniel’s bank account to international accounts. The anti-virus software was in fact remote-access software, and the caller had been able to observe Daniel’s internet banking username and password when he logged into internet banking.
His bank was able to recover $10,000 but the rest was unrecoverable. Daniel wanted his bank to compensate him for the other $40,000, but the bank said he had been negligent by following the caller’s instructions and declined to reimburse him. Daniel said the bank should have required him to have two-factor authentication for international transfers, and his loss would have been prevented if it had done so. (Two-factor authentication is the system where the bank will send a text message to confirm before funds are transferred. Daniel had de-activated the two-factor authentication two years earlier because he lived in an area with patchy cell phone coverage.)
We had to consider whether:
1. Daniel had acted negligently and not followed a reasonable standard of care in protecting his banking information
2. The bank should have allowed the transfers without two-factor authentication.
The caller’s explanation was compelling. Scams can be very sophisticated and involve a high level of social engineering. We had a lot of sympathy for Daniel, but there were some warning signs that should reasonably have alerted him that this was a scam. We were also concerned that he hadn’t been transparent with the bank when he set up the international payment facility. However, we also queried why the bank hadn’t reminded Daniel that his two-factor authentication was turned off.
We shared these observations with Daniel and the bank, and they agreed to resolve the matter between them. A formal Ombudsman decision was therefore not required on this occasion. It is, however, a salutary reminder of the increasing sophistication of online scams and to be very suspicious of unsolicited calls offering help with banking or security.
*Fictitious names