Janine Starks with a tale of hi-tech hijinx and a reminder to be hyper vigilant when it comes to internet banking transactions. Do you have a story to share?

Janine Starks with a tale of hi-tech hijinx and a reminder to be hyper vigilant when it comes to internet banking transactions. Do you have a story to share?

By Janine  Starks*

Fraud.  It’s a grubby word.  It conjures up visions of low life crooks and high flying business people entangled in everything from Ponzi investment schemes to money laundering, Nigerian internet scams and emails promising you’ve won millions in some far fetched foreign lottery.  

But fraudsters these days are getting cleverer and cleverer.  Knowing about simple scams isn’t enough any more.  The game is being raised in terms of their sheer cheek and ability to target unsuspecting ordinary people.   

One such fraud attempt came to my attention recently, involving a BNZ customer carrying out a standard foreign exchange transaction with her local branch in the Canterbury town of Akaroa.  This is a quaint little spot where you can knock on the policeman’s door and give him a lost dog to look after.  The average financial transaction involves an over-sized American from a cruise ship spending a few notes in the fudge shop.  It is not the sort of place where you’d expect an international hacker to target a branch of the BNZ and attempt to run off with half a million dollars.  But blow me down, that’s exactly what has happened and tongues will be wagging. 

So let’s outline how it occurred, because it really is unbelievable. 

Our BNZ customer decided to move from Akaroa to a village in Somerset in the UK (the earthquakes played a helping hand in that decision).  She sold up, made the move and put in an offer on a house in the UK.  As the settlement date arrived, she called BNZ and asked to sell her New Zealand dollars and buy Great British Pounds.  She and the bank officer corresponded over email - the most convenient thing to do given the time difference.  They set up a time to talk on the phone, as the foreign exchange transaction needed to happen ‘live’. Being a $500,000 sum, BNZ offered a competitive rate from their Treasury department.  The customer waited on the phone to agree the rate as soon as it was set.  This is all standard practice for larger transactions.  The customer emailed over her bank account details for the BNZ to pay the Pounds into her UK account.

Do you have a question for Janine? You can email her directly at starkadvice@gmail.com, subject line: Financial Agony Aunt.  Anonymity is guaranteed. 

What the customer and the bank officer didn’t expect was a computer hacker lurking in the shadows.  The hacker was watching their emails to-and-fro.  They knew the time of the phone call to set the exchange rate and could see the UK payment instructions.  All of this has a large ‘So What’ factor.  How could they possibly interfere with this transaction? 

The hacker waited for the confirmation email back from BNZ a few minutes after the call.  They then took control of the customer’s computer and tried to change the payment instructions.  An email was sent back to BNZ basically saying, “whoopsie-daisy, I gave you the wrong UK bank account to pay the pounds into.  Please make payment to Citibank NY Strand London Branch”.  The email looked genuine.  It was in the right type font.  The hellos and goodbyes were written in the same style the customer used. 

Had the BNZ bank officer not been so diligent, the money could have shot off to the fraudsters account.  Fortunately, and bless the BNZ for having such good staff, the fraud was uncovered.  They re-read the email, pondering over the words.  There was a small grammatical error.  That error was repeated a second time.  Knowing the customer well, it set off alarm bells, as she was usually accurate in all her correspondence.  So to play it safe, the bank officer called the UK, interrupting the customers evening bath and queried why her bank account details had changed.  After much gasping and horror, the pair deduced the email was a scam.  It was a blatant attempt to defraud a New Zealand bank and an unsuspecting individual of a large sum of money.   

The audacity of this attempted fraud was such a shock it was worth posing a few questions to BNZ. 

  1. What are the chances of a hacker coming across a private individual transferring such a large amount of money between countries?  Surely they would improve their chances of finding these people by first hacking into the email accounts of bank staff?  BNZ were keen to provide reassurance this is not the case and they say they looked into this possibility.  There are rigorous processes to prevent attacks on their internal systems and they have dedicated fraud teams in New Zealand and Australia that alert customers who have been subject to a malicious attack.  They believe this could be a case of “phishing” where a customer receives an email from a seemingly legitimate company encouraging them to click on a link.  This installs malicious software onto the computer giving the scammer access to the email account.  They can then monitor the account for search terms such as “money” or “transfer”. 
  2. What would have happened if the fraud were successful – would the customer be blamed as the email had come from their account?  Would BNZ repay the customer?  BNZ were again reassuring and said after an investigation it would have become obvious the customer was not the person who made the request and the bank would have refunded the amount in full.
  3. Who should call the police – the BNZ or the customer?  In this case, the big surprise is that no one has called the police.  The customer is in the UK and assumed BNZ would inform the police.  BNZ tell me its common practice to advise the customer to complain to the police.  That seems very odd.  A fraudster tried to convince a BNZ staff member to pay half a million dollars to the wrong account and they haven’t reported it.  They say where possible, they tell the receiving bank that there was an attempt to use their account fraudulently (they obviously have no jurisdiction to force that bank to act).  You would think with all the skills contained in the fraud department, a little more would be done when a financial crime was attempted.  All we can conclude is that these fraudsters are so elusive and sophisticated, it isn’t worth the time involved in chasing shadows. 

*Janine Starks is Co-Managing Director of Liontamer Investments.  Opinions in this column represent her personal views and are not made on behalf of Liontamer.  These opinions are general in nature and are not a recommendation, opinion or guidance to any individuals in relation to acquiring or disposing of a financial product.  Readers should not rely on these opinions and should always seek specific independent financial advice appropriate to their own individual circumstances.



We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.


To an extend you can protect yourself,
1) Keep the computer patched. Microsoft releases patches monthly, always do them...
2) Use firefox with WOT add on. (web of trust).  Use adblock as it stops malicious adverts (sorry BH/DC), ad servers have been hacked before now.
3) Use and keep up to date an Anti-virus checker.
4) Use thunderbirf and not outlook.
5) Use a Mac or Linux operating system computer.
6) Dont bookmark any URL of financial importance, make sure on exit firefox clears its cookies/caches etc.
7) Dont go to sites you dont know.
8) If web browsing and something expectedly pops up or takes you somewhere it shouldnt shutdown the web browser.  Go to your virus checker and make sure its up to date and do a scan.
9) If your broadband router doesnt have a firewall in-built get one, or second best get a software one for your PC.
10) Consider using a different account for and only for Internet banking.
11) Unless you need it dont install flash or java.

12) Setup a separate admin user, with a password. Don't use this day-to-day or browse the internet as this user. Turn admin permissions off for your day-to-day login.
(When you want to install something, you download it then do a run-as or login as admin and install it, then log out).

Email has never been a secure way to transfer information and was never designed to be so.
Assume anybody could read the contents of your emails.
Never put your bank or credit card details into an email.
Better to fill out all the normal details then ring with account information.

This is rather unusual, I have made several requests to transfer our money over from my BNZ account to my bank account here in Australia - not as much as 500K though.  All emails were done through the the BNZ internet banking email facility and not through our normal Outlook. Infact BNZ insisted that we made the request through their internet banking email system which is way more safer than normal email.

Thanks for comments made by steven!. Though he wrote them almost a year ago, they are still relevant, and the article itself is also not outdated. More and more a small country like us is being targeted by international cyber criminals. They create highly localised versions of ransomware viruses with fake NZ police warning. I want to share an article about one such virus.