A pensioner has lost $134,000 after cyber criminals hacked his online bank accounts, convinced staff to change his phone number, then siphoned his money in an elaborate scam.
And though the man claims SBS Bank's security checks have failed, the bank is refusing to reimburse him for his lost retirement money, saying it has stringent safeguards to protect customers but the stolen funds are now unrecoverable.
The thieves gained access to the online accounts of the man, who the Herald has agreed not to name, in late June.
Posing as the man, the fraudsters used a secure messaging function to contact the bank and change the man's listed cellphone number to circumvent SBS's two-factor authentication security check.
They then added several new payees before moving large amounts of money to six different accounts at four separate banks in 11 transactions over five days.
The man, who is from Invercargill, learned the money had been taken only when he logged in to his internet banking on July 20 to pay bills and found his revolving mortgage account had been drained to its $134,000 limit.
The man believes he took appropriate precautions and says he has no idea how the fraudsters obtained his internet banking password. He said he believes the unusual pattern of transactions should have raised red flags with the bank.
He claims SBS is refusing to compensate him for the missing money, suggesting he may be responsible for the theft.
"The immediate response was, 'It's your fault — you've given someone your password'," he claimed.
In a statement, SBS retail general manager Michael Oliver said the bank could not comment while the matter was under police investigation.
SBS took numerous precautions to safeguard the privacy and personal information of customers. "This includes routine security assessments and using NZ government security advisories and best practices to protect our systems."
The victim suffered a major heart attack this month and is now in hospital recovering from triple heart bypass surgery, which he attributes to stress from the ordeal.
Police have launched a criminal investigation but the man is resigned to the fact the money is likely long gone. He said the theft would hurt him financially and affect his retirement.
He believes the case has wider implications for other banking customers who assume their money is safe when locked away in online accounts.
"The internet banking system has failed. It's not secure. Their excuse is that someone changed your phone number online. That should not be able to happen," he told the Herald.
"There were 11 bloody transactions over five days, transactions that I wouldn't do. Red flags should have been going off over and over again."
Police now have details of the banks and account numbers the stolen money was forwarded to — one linked to a 36-year-old woman living in Christchurch.
But investigators had to apply for a court order to compel the banks to provide the account holders' names to track the missing money.
The man has filed complaints with SBS and the Banking Ombudsman.
An email from SBS last month, seen by the Herald, said the bank was unsure how the fraudsters accessed the man's internet banking password.
"The fraud team have worked with the counter party banks and confirmed that no funds are available to be returned.
"Any retrieval of funds will be something that is achieved by the police.
"Respectfully there isn't much more SBS can do at this juncture and you now need to work with the NZ police to assist with their inquiries, both into the person of interest in Christchurch and into any account owners at the other banks, as one of these persons may be known to you which is possibly how they have gleaned your login details."
Police told the Herald they were in regular contact with the victim and appreciated how upsetting the matter was.
They would not comment on specifics about the case but were following "positive lines of inquiry".
A Banking Ombudsman spokeswoman said the agency had "tremendous sympathy" for customers caught in scams due to the significant financial and psychological impacts.
The Code of Banking Practice required banks to reimburse unauthorised transactions, provided customers had complied with the bank's terms and conditions, and taken reasonable steps to protect their banking.
"Banks also have a duty to provide banking services with reasonable skill and care — including having reasonably robust security systems.
"Where there has been an unauthorised payment, the bank should try and recover the funds from the person who received them.
"Unfortunately, recovery is often not possible.''
Massey University banking expert Associate Professor Claire Matthews questioned how the fraudsters had obtained the man's password and if someone close to him was responsible for the theft.
But if the victim had done nothing wrong, the bank should compensate him, she said.
The Commission for Financial Capability (CFFC) says scams are becoming increasingly sophisticated and causing devastating losses to unsuspecting Kiwis.
Netsafe estimates New Zealand may be losing up to $500 million each year to cybercrime.
Don't be scammed
• Never disclose PINs or passwords or save them in any way – including in your internet browser settings or in disguise.
• Investigate recipients to ensure they are genuine before sending funds.
• Never accept money into your account for subsequent transfer to others.
• Check your accounts regularly to ensure money is going to the right places.