Janine Starks with a tale of hi-tech hijinx and a reminder to be hyper vigilant when it comes to internet banking transactions. Do you have a story to share?

By Janine  Starks*

Fraud.  It’s a grubby word.  It conjures up visions of low life crooks and high flying business people entangled in everything from Ponzi investment schemes to money laundering, Nigerian internet scams and emails promising you’ve won millions in some far fetched foreign lottery.  

But fraudsters these days are getting cleverer and cleverer.  Knowing about simple scams isn’t enough any more.  The game is being raised in terms of their sheer cheek and ability to target unsuspecting ordinary people.   

One such fraud attempt came to my attention recently, involving a BNZ customer carrying out a standard foreign exchange transaction with her local branch in the Canterbury town of Akaroa.  This is a quaint little spot where you can knock on the policeman’s door and give him a lost dog to look after.  The average financial transaction involves an over-sized American from a cruise ship spending a few notes in the fudge shop.  It is not the sort of place where you’d expect an international hacker to target a branch of the BNZ and attempt to run off with half a million dollars.  But blow me down, that’s exactly what has happened and tongues will be wagging. 

So let’s outline how it occurred, because it really is unbelievable. 

Our BNZ customer decided to move from Akaroa to a village in Somerset in the UK (the earthquakes played a helping hand in that decision).  She sold up, made the move and put in an offer on a house in the UK.  As the settlement date arrived, she called BNZ and asked to sell her New Zealand dollars and buy Great British Pounds.  She and the bank officer corresponded over email - the most convenient thing to do given the time difference.  They set up a time to talk on the phone, as the foreign exchange transaction needed to happen ‘live’. Being a $500,000 sum, BNZ offered a competitive rate from their Treasury department.  The customer waited on the phone to agree the rate as soon as it was set.  This is all standard practice for larger transactions.  The customer emailed over her bank account details for the BNZ to pay the Pounds into her UK account.

What the customer and the bank officer didn’t expect was a computer hacker lurking in the shadows.  The hacker was watching their emails to-and-fro.  They knew the time of the phone call to set the exchange rate and could see the UK payment instructions.  All of this has a large ‘So What’ factor.  How could they possibly interfere with this transaction? 

The hacker waited for the confirmation email back from BNZ a few minutes after the call.  They then took control of the customer’s computer and tried to change the payment instructions.  An email was sent back to BNZ basically saying, “whoopsie-daisy, I gave you the wrong UK bank account to pay the pounds into.  Please make payment to Citibank NY Strand London Branch”.  The email looked genuine.  It was in the right type font.  The hellos and goodbyes were written in the same style the customer used. 

Had the BNZ bank officer not been so diligent, the money could have shot off to the fraudsters account.  Fortunately, and bless the BNZ for having such good staff, the fraud was uncovered.  They re-read the email, pondering over the words.  There was a small grammatical error.  That error was repeated a second time.  Knowing the customer well, it set off alarm bells, as she was usually accurate in all her correspondence.  So to play it safe, the bank officer called the UK, interrupting the customers evening bath and queried why her bank account details had changed.  After much gasping and horror, the pair deduced the email was a scam.  It was a blatant attempt to defraud a New Zealand bank and an unsuspecting individual of a large sum of money.   

The audacity of this attempted fraud was such a shock it was worth posing a few questions to BNZ. 

1. What are the chances of a hacker coming across a private individual transferring such a large amount of money between countries?  Surely they would improve their chances of finding these people by first hacking into the email accounts of bank staff?  BNZ were keen to provide reassurance this is not the case and they say they looked into this possibility.  There are rigorous processes to prevent attacks on their internal systems and they have dedicated fraud teams in New Zealand and Australia that alert customers who have been subject to a malicious attack.  They believe this could be a case of “phishing” where a customer receives an email from a seemingly legitimate company encouraging them to click on a link.  This installs malicious software onto the computer giving the scammer access to the email account.  They can then monitor the account for search terms such as “money” or “transfer”. 
    
2. What would have happened if the fraud were successful – would the customer be blamed as the email had come from their account?  Would BNZ repay the customer?  BNZ were again reassuring and said after an investigation it would have become obvious the customer was not the person who made the request and the bank would have refunded the amount in full.
    
3. Who should call the police – the BNZ or the customer?  In this case, the big surprise is that no one has called the police.  The customer is in the UK and assumed BNZ would inform the police.  BNZ tell me its common practice to advise the customer to complain to the police.  That seems very odd.  A fraudster tried to convince a BNZ staff member to pay half a million dollars to the wrong account and they haven’t reported it.  They say where possible, they tell the receiving bank that there was an attempt to use their account fraudulently (they obviously have no jurisdiction to force that bank to act).  You would think with all the skills contained in the fraud department, a little more would be done when a financial crime was attempted.  All we can conclude is that these fraudsters are so elusive and sophisticated, it isn’t worth the time involved in chasing shadows. 

*Janine Starks is Co-Managing Director of Liontamer Investments.  Opinions in this column represent her personal views and are not made on behalf of Liontamer.  These opinions are general in nature and are not a recommendation, opinion or guidance to any individuals in relation to acquiring or disposing of a financial product.  Readers should not rely on these opinions and should always seek specific independent financial advice appropriate to their own individual circumstances.