The bank was ordered to pay back the lost money after it could not be proven how the scammer came to obtain a code. File photo. Photo: RNZ / Rebekah Parsons-King
A bank customer has been reimbursed $6000 she lost to scammers after the Banking Ombudsman intervened.
In February, the woman received a call from someone claiming to work for her bank.
They told her someone had got access to her credit card and tried to make a purchase.
A payment of $6000 was processed at this time, authorised with a two-factor authentication code sent to her mobile.
When the caller told her she needed to move her money to a safe account, she became suspicious and hung up. She rang her bank to check, and staff told her it had not called.
The bank was unable to recover the money and did not reimburse because it said she had authorised the payment with the authentication code on her phone. Sharing this information was against its terms and conditions.
But the woman said while she received the code, she did not share it. She tried to get her phone checked to work out whether spyware or malware was used, but this could not be confirmed.
She complained to the ombudsman.
It said banks had to reimburse unauthorised payments unless the customer had acted fraudulently, dishonestly or negligently, failed to take reasonable steps to protect his or her banking, or breached the bank's terms and conditions.
"We were not able to determine how the scammer came to obtain the code. But we considered whether it was fair and reasonable for the bank to decline to reimburse [the customer] based on its belief that she shared the code with someone she believed to be from the bank. We did not consider it reasonable because banks have a practice of asking customers for codes to verify certain actions.
"Granted, those actions are relatively limited, but we thought it unreasonable to expect customers to know the difference between a legitimate situation where a bank would request a code and an illegitimate - but nonetheless convincing - situation where it would not request a code."
The ombudsman scheme decided it was reasonable for the woman to believe the call had come from her bank.
The scammer had used a means called spoofing to make it appear legitimate, it said, and had personal information about her that might have come from a data breach or phishing scam.
The bank agreed to reimburse her.
Sarah Brooks, deputy banking ombudsman for prevention, said there had been a massive increase in reports of spoofing and bank impersonation.
"We continue to see a rise in fraud and scam cases. Phishing and information-harvesting remain the most common complaints and continue to rise. Bank impersonation scams accounted for 23 per cent of the fraud and scam complaints we received last quarter, with many of these involving spoofing.
"The majority of spoofing cases relate to call from a spoofed bank phone number regarding unauthorised payments. The scammers impersonate bank staff, including fraud teams, and have access to large amounts of personal information, which may have been obtained from a previous phishing attack. We see many victims tricked into sharing banking credentials including secure codes, in the belief they are speaking to their bank. "
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.