People accessing sensitive information in their email over unsecured public Wi-Fi could be putting themselves at risk of fraud, says the Banking Ombudsman.
The warning comes after an overseas couple put a six-figure sum on term deposit with a New Zealand bank only to have it stolen from the account months later.
The theft occurred due to an unfortunate combination of the couple's use of public Wi-Fi and their bank's security practices regarding emailed instructions not being sufficiently robust, Banking Ombudsman Deborah Battell said.
"Unfortunately their account was hacked and the fraudster found separate emails - one that included bank account details, and another with a signed employment contract attached."
"This ultimately enabled the fraudster to pose as one of the customers and successfully email instructions to the bank transferring funds out of the couple's account," Battell said.
Some banks do not accept email instructions, acknowledging the risk of email addresses being hacked. Other banks accept emailed instructions, but only after verifying the request has come from their customer by, for example, calling the customer back at a number held on file and asking a series of security questions.
The Banking Ombudsman investigation found that the particular bank's practice was out of step with the rest of the industry at the time and found the signature copied from the employment agreement was not the same as the one held by the bank.
"It is crucial banking best practice prevails to maintain customers' confidence... fortunately, our enquiries have shown this to be an unusual case," Battell said.
People need to know the risks of storing documents on email, and regularly clear out information that could be used to verify their identity, she said.
"We found in favour of the couple in this case and the bank has now reimbursed the amount fraudulently withdrawn, paid the couple interest lost following the withdrawals, and placed their total funds back on term deposit," Ms Battell said.