South Island pensioner loses $134,000 after his online bank accounts were hacked

A pensioner has lost $134,000 after cybercriminals hacked into his online bank accounts, convinced staff to change his phone number, then embezzled his money in an elaborate scam.

And although the man claims SBS Bank security checks have failed, the bank is refusing to reimburse him for his lost pension money, saying it has strict safeguards in place to protect customers, but that the stolen funds are now unrecoverable.

The thieves gained access to the online accounts of the man, whom the Herald agreed not to name, in late June.

Impersonating the man, the fraudsters used a secure messaging feature to contact the bank and change the man’s mobile number to bypass SBS’s two-factor authentication security check.

They then added several new beneficiaries before transferring large sums of money to six different accounts at four separate banks in 11 transactions over five days.

The man, from Invercargill, learned the money had only been taken when he logged on to his online bank on July 20 to pay his bills and found his revolving mortgage account had reached its limit of $134,000.

The man believes he took the proper precautions and says he has no idea how the scammers obtained his internet banking password. He said he thought the unusual pattern of transactions should have alerted the bank.

He claims SBS refuses to compensate him for the missing money, suggesting he may be responsible for the theft.

“The immediate response was, ‘It’s your fault – you gave someone your password,'” he claimed.

In a statement, SBS Retail chief executive Michael Oliver said the bank could not comment while the matter was under police investigation.

SBS has taken many precautions to protect the privacy and personal information of customers. “This includes routine security assessments and the use of New Zealand Government security advisories and best practices to protect our systems.”

The victim suffered a major heart attack this month and is now in hospital recovering from triple heart bypass surgery, which he attributes to the stress of the ordeal.

The police have launched a criminal investigation, but the man is resigned to the fact that the money is probably long gone. He said the theft would hurt him financially and affect his retirement.

He thinks the case has wider implications for other bank customers who assume their money is safe when locked up in online accounts.

“The online banking system has failed. It’s not secure. Their excuse is that someone changed your phone number online. That shouldn’t be able to happen,” he told the Herald.

“There were 11 bloody deals in five days, deals I wouldn’t do. The red flags should have been going off again and again.”

Police now have details of the banks and account numbers the stolen money was transferred to – one linked to a 36-year-old woman living in Christchurch.

But investigators had to seek a court order to compel the banks to provide the names of account holders to find the missing money.

The man filed a complaint with SBS and the Banking Ombudsman.

An email from SBS last month, seen by the Herald, said the bank did not know how the fraudsters gained access to the man’s online banking password.

“The fraud team has worked with the counterparty banks and confirmed that no funds are available to be returned.

“Any recovery of funds will be something that will be carried out by the police.

“Respectfully, there is not much more SBS can do at this stage and you must now work with New Zealand Police to assist them in their investigations, both of the person of interest in Christchurch and all of the incumbents. accounts at other banks, as one of these people may be known to you and this may be how they gleaned your login information.”

Police told the Herald they were in regular contact with the victim and appreciated how heartbreaking the case was.

They would not comment on the details of the case but were following “positive lines of inquiry”.

A spokeswoman for the banking ombudsman said the agency had “tremendous sympathy” for customers caught up in scams because of the significant financial and psychological impacts.

The Code of Banking Practice required banks to refund unauthorized transactions, provided that customers complied with the bank’s terms and conditions and took reasonable steps to protect their banking transactions.

“Banks also have a duty to provide banking services with reasonable skill and care, including having reasonably robust security systems.

“In the event of an unauthorized payment, the bank should attempt to recover the funds from the person who received them.

“Unfortunately, recovery is often not possible.”

Claire Matthews, a banking expert at Massey University, asked how the fraudsters got the man’s password and whether someone close to him was responsible for the theft.

But if the victim had done nothing wrong, the bank should compensate him, she said.

The Financial Capability Commission (CFFC) says scams are becoming more sophisticated and causing devastating losses to unsuspecting Kiwis.

Netsafe estimates that New Zealand could lose up to $500 million every year due to cybercrime.

Don’t get scammed

• Never give out PINs or passwords or save them in any way, including in your Internet browser settings or in a disguised way.

• Investigate recipients to ensure they are genuine before sending funds.

• Never accept money into your account for later transfer to others.

• Check your accounts regularly to make sure the money is going to the right place.