South Island retiree loses $134k after online bank accounts are hacked

A retiree has lost $134,000 after cybercriminals hacked into his online bank accounts, convinced staff to change his phone number, and then siphoned off his money in an elaborate scam.

And although the man claims that SBS Bank’s security checks have failed, the bank is refusing to pay him back his lost pension money.

The thieves gained access at the end of June to the online accounts of the man, whom the Herald has promised not to name.

The fraudsters impersonated the man and used a secure messaging feature to contact the bank and change the man’s mobile phone number to evade SBS’s two-factor authentication check.

They then added several new beneficiaries before moving large amounts of money into six different accounts at four different banks in 11 transactions over five days.

The man, who is from Invercargill, did not learn that the money had been debited until he logged into his online banking system to pay bills on July 20 and discovered that his revolving mortgage account had been drawn down to its limit of $134,000.

The man believes he has taken appropriate precautions and says he has no idea how the fraudsters got his password for internet banking. He said he believes the unusual pattern of transactions should have raised red flags at the bank.

He claims that SBS is refusing to reimburse him for the missing money, suggesting that he may be responsible for the theft.

“The immediate response was, ‘It’s your fault – you gave someone your password,’” he claimed.

In a statement, Michael Oliver, managing director of SBS, said the bank was unable to comment while the matter was under investigation by police.

SBS took numerous precautions to protect the privacy and personal information of customers. “This includes routine security assessments and the use of New Zealand government security advice and best practices to protect our systems.”

The victim suffered a massive heart attack this month and is now in hospital recovering from triple bypass surgery, which he attributes to the stress of the ordeal.

The police have launched a criminal investigation, but the man accepts that the money is probably long gone. He said the theft would hurt him financially and affect his retirement.

He believes the case has wider implications for other banking customers who assume their money is safe when held in online accounts.

“The internet banking system has failed. It’s not secure. Their excuse is that someone changed your phone number online. That shouldn’t happen,” he told the Herald.

“There were 11 bloody trades in five days, trades I wouldn’t make. Red flags should have gone off again and again.”

Police now have details of the banks and account numbers to which the stolen money was forwarded – one related to a 36-year-old woman living in Christchurch.

But investigators had to apply for a court order to force the banks to provide the names of the account holders to track down the missing funds.

The man has lodged complaints with SBS and the Banking Ombudsman.

An email from SBS last month, seen by the Herald, said the bank wasn’t sure how the fraudsters gained access to the man’s internet banking password.

“The fraud team has worked with the counterparty’s banks and confirmed that there are no funds available to refund.

“Any recovery of money will be something that is achieved by the police.

“Frankly, SBS can’t do much at this point and you now need to work with the New Zealand Police to assist in their investigation, both into the person of interest in Christchurch and any account holders at the other banks, if one of these persons may be known to you, which is why they may have obtained your login details.”

Police told the Herald they had regular contact with the victim and appreciated how disturbing the case was.

They declined to comment on details of the case, but were following “positive lines of inquiry”.

A spokeswoman for the Banking Ombudsman said the agency had “tremendous sympathy” for customers caught out by scams because of the significant financial and psychological consequences.

The Code of Banking Practice requires banks to refund unauthorized transactions, provided that customers have complied with the bank’s terms and conditions and have taken reasonable steps to protect their banking business.

“Banks also have a duty to provide banking services with reasonable skill and care, including reasonably robust security systems.

“If an unauthorized payment has been made, the bank should try to recover the money from the person who received it.

“Unfortunately, recovery is often not possible.”

Massey University banking expert Associate Professor Claire Matthews wondered how the fraudsters got the man’s password and whether someone close to him was responsible for the theft.

But if the victim hadn’t done anything wrong, the bank should have compensated him, she said.

The Commission for Financial Capability (CFFC) says scams are becoming more sophisticated, causing devastating losses to unsuspecting Kiwis.

Netsafe estimates New Zealand could lose up to $500 million a year from cybercrime.

Don’t get scammed

• Never disclose or store PINs or passwords in any way, including in your internet browser settings or in disguised form.

• Research recipients to make sure they are genuine before sending money.

• Never accept money in your account for later transfer to others.

• Check your accounts regularly to make sure the money is going to the right place.