Date: 2023-06-12

A new scam has already cost Kiwis millions in two weeks. Cert NZ's incident response manager tells you how to avoid becoming a victim. (First published February 2023)

There’s a warning from the Banking Ombudsman that online phishing scams are becoming increasingly sophisticated.

It recently ruled that a customer should be reimbursed the full $60,000 he lost when he responded to an email he thought was from Inland Revenue.

He entered his banking details and an SMS code into a fake website because he thought he was dealing with IR and his bank but ended up losing the money.

"Ordinarily, banks are liable for a customer’s losses as a result of an unauthorised transaction - typically a scam - if the customer has taken reasonable care to protect his or her banking. In this case, such was the sophistication of the scam that we considered the customer had shown reasonable care in the circumstances," Banking Ombudsman Nicola Sladden said.

"Regrettably, it is but one of a growing number of phishing cases, like the recent road toll text scam, involving customers who are duped into disclosing their banking details and thereby enable scammers to steal their money."

She said customers should be wary of any approach that asked them to call or text.

"A definite no-no is to click on a link or call a number from a text. Customers should always independently contact the organisation concerned to verify any activity they have not themselves initiated."

In the IR fraud case, the entire interaction, with the exception of the bank’s SMS code, was an elaborate front.

Sladden said the SMS code had been generated by the bank when the scammer had attempted to set up mobile banking on his device. The customer thought the SMS was related to his internet banking login and it therefore failed to raise suspicion. The scammer then used the code to complete the mobile banking setup, and over subsequent days made withdrawals totalling $60,000.

She said the bank had rejected the customer’s request to be reimbursed because he had breached the terms and conditions of his account by giving the scammer information to access his internet banking, in particular his log-in details and the SMS code.

But her office found the customer had acted reasonably in the circumstances. The scheme said the customer might have been alerted to the scam if the SMS message had made clear the purpose of the code - to set up mobile banking on a new device, not, as he thought, to log in on his internet banking.

Bank data suggests nearly $200 million is lost each year to scams.