BNZ follows Aussie parent NAB and says it will no longer include hyperlinks in texts after high-profile frauds hit media

BNZ says it will stop using links in text messages sent to customers, after a spate of text scams targeting its customers.

Faked text messages containing hyperlinks, purportedly from banks or organisations like Waka Kotahi, are being used by criminals to induce people to give up their private information or log into their bank accounts, before money is taken.

Chief executive of the NZ Telecommunications Forum, Paul Brislen, has warned text messages should not be used for account verification or to send links as they are training customers “to do the wrong thing” and opening them up to criminal exploitation.

National Australia Bank, BNZ's parent, announced it would stop using links in texts on June 7.

BNZ told Interest.co.nz a project was underway to stop using links in text messages sent to its customers in New Zealand.

The bank said in an emailed statement that it sent about 15 million texts to its customers each year, with the majority “system generated, typically triggered by specific customer activities, for example when a customer goes into overdraft”.

The bank said it was important to note it had never asked customers for their passwords, nor sent customers emails or text messages with a link asking them to log in.

Banks’ approach to fraud protection has been under a spotlight, with commentators claiming NZ is falling behind in protecting customers from increasingly sophisticated scams by failing to introduce new measures such as matching names and account numbers. The Banking Ombudsman chair Miriam Dean KC has called on all organisations involved in fraud protection to up their game, and suggested setting up a specialist anti-scam group similar to one running now in Singapore.

The toll of financial scams is rising, with the latest crime victim survey showing fraud and deception crimes are now the most common crime in the country, and reports that about 16 people had lost six figures to scams in the first quarter of the year.

BNZ has been attached to a number of high-profile cases to hit the media where customers have been tricked into logging into their accounts from a faked text message.

The bank said it had a dedicated fraud protection team working 24-hours-a-day, 365-days-a-year to protect its customers. 

“We invest heavily in fraud protection technology and are always looking for new and innovative ways to combat scams. For example, we’ve been working with New Zealand’s three largest telcos to stop scammers based overseas from spoofing our 0800 number. To date, through this work we’ve been able to reduce the cases of BNZ’s number being spoofed by 50%.” 

The Department of Internal Affairs (DIA) annual report for 2021/22 showed it received more than 944,000 reports of email and text scam messages.

Complaints about text and email scams also rose year-on-year, with DIA receiving more than 1000 complaints in its 2021/22 annual report, compared with 394 for 2020/21.

DIA offers a text-scam reporting service, where people can forward a scam text to 7726. Mobile network operators get updates on scams reported through the 7726 text number as part of their scam-mitigation, and can then investigate and block mobile text numbers.

14 Comments

"BNZ here. We have changed our minds about not using hyperlinks in our texts. Please click this link to find out more information..."

Up
3

I also don't like it when organisations ask you to reply 'yes', this is also risky.

Up
1

This was madness. What were they thinking? Do they use 2 factor?

Up
0

According to this article, the links weren't for logging in / entering your password, so what's the big deal?

Up
0

People aren't too clever.

It's easier to put a blanket rule that they will never send links via text than to explain that they will never send links that require users to log in.

Otherwise scams can mimic these texts and send the users to pretend login pages and people will enter their details.

Up
1

I can't think of a single time that I've needed someone to send me a hyperlink in a text message.  Maybe cell phone providers could have text messages containing links deleted automatically.  Any genuine business that would like to use promotions in text message form can adapt.  

Up
1

I was recently surprised by an unsolicited email from BNZ offering a draw for some Women’s World Cup tickets. To be able to participate one needed to email back with credit card detail as proof of being a BNZ customer.
Forwarded the email to BNZ using address provided on their true website and they confirmed that the email was genuine.

Whatever the risk may have been, poor practice encouraging one to send any bank details at all in response to an unsolicited email. 

Otherwise a great bank.

Up
5

I have OMC going in my head right now.

How bizarre......

Up
3

You're right, that's horrific security from a bank.  I know someone who works in the BNZ IT department, I might ask them WTF were they thinking.

Up
3

Blobbles 

Do so; I'm not making up porkies and I think it's really poor.

Unsolicited email from BNZ at https://webmail.xtra.co.nz/appsuite/#: Your chance to score VIP tickets to the FIFA Women’s World Cup 2023

To enter I had to enter my Visa credit card number in a link . . . and subsequently use my credit card at least once to activate my entry.

I forwarded the email to <phishing@bnz.co.nz> (address from BNZ website)

Response from <phishing@bnz.co.nz>

" Hello,

Thank you for your report of a suspicious Email to this mailbox - I can confirm the Email you have reported to us is a genuine BNZ Email.

Regards

BNZ Cyber Defence"

Up
3

With the amount of hassle imposed upon us normal people due to KYC, how is it even possible that a bank transfer can even happen without knowing to who it is going to?

If the transfer is going from me@BNZ to dayLightRobber@Wise, then how does Wise not know who dayLightRobber is, unless their KYC are not sufficient.

If an organization's KYC are not sufficient then they should be blacklisted.

Up
3

In 2023 major NZ banks do not provide TOTP 2FA.

Yet I can use TOTP 2FA for a large number of websites in the world, wise.com included!

If the scammed woman had 2FA setup as a requirement for money transfer, the money would have never left her account in the first place.

 

Up
1

Don’t need it, all of NZers' wealth is tied up in brick and mortar secured by IFA, intrinsic factor auth.

Jokes aside, I’m surprised at the lack of security in banks' web apps. Many applications that I’ve worked on, fintech or not, have at least had 2FA enabled.

Up
0

Wrong, I'm afraid, a classic man-in-the-middle attack can be used to get the 2FA code and log in with it. The only defence is a physical key just like you use for your car or house. Look up FIDO security keys, yubikey being the most common. Now sit back and wait for another 100 years for the banks' web sites to be FIDO compliant. They are either too lazy or too inept to enable this. They need to stop putting the burden of security on us, for the love of god just enable security key access like Microsoft, Google, Dropbox, LinkedIn, christ even Facebook has it now.

Up
1
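
The difference the comments above draw between a typed TOTP code and a FIDO security key, seen from the bank's (relying party's) side. This is an added example, not part of the article or of any commenter's post. The host names, challenge and sample data are constructed, and the signature check a real WebAuthn server also performs is not shown.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Its only inputs are the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Nothing here records which site the user typed the code into, so a code
    # entered on a look-alike page and relayed within the time step still verifies.
    return hmac.compare_digest(totp(secret, unix_time), code)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, expected_origin: str,
                            rp_id: str) -> str:
    """WebAuthn relying-party context checks. A real server must also verify the
    signature over authenticator_data || SHA-256(client_data_json) with the
    stored public key; that step is not shown here."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    if client.get("origin") != expected_origin:
        return "origin mismatch"  # the browser, not the user, fills in the origin
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"

# Constructed sample data (bank.example and bank-login.example are placeholders).
SECRET = b"12345678901234567890"  # RFC 6238 test secret
CHALLENGE = b"constructed-challenge-01"
AUTH_DATA = hashlib.sha256(b"bank.example").digest() + b"\x01" + b"\x00\x00\x00\x05"

def sample_client_data(origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                       "origin": origin}).encode()

if __name__ == "__main__":
    print(verify_totp(SECRET, totp(SECRET, 59), 59))
    for origin in ("https://bank.example", "https://bank-login.example"):
        print(origin, check_assertion_context(sample_client_data(origin), AUTH_DATA,
                                              CHALLENGE, "https://bank.example", "bank.example"))
```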