Plenty of Kiwis lose large sums of money to online fraudsters.

Rarely, however, is it due to their bank account being hacked like many people think.

More likely your personal computer has been accessed by fraudsters or you've succumbed to social engineering and given the money away to a con artist.

Here's how they do it:


Your credit card is used fraudulently

Commonly, a fraudster will get hold of your credit card details and use them to buy online.

Or you may be conned into buying something non-existent on eBay, Alibaba or another website.

It might be a new laptop or the latest phone being sold for three quarters of the usual price, says Netsafe's chief technology officer Sean Lyons.

The seller hijacks an innocent person's account and takes a large number of payments, but never delivers the items.

In this sort of situation, where you're an innocent victim, the bank/credit card company will usually reimburse you.

They want you to remain comfortable using credit cards. If it happens every few months they might decide they don't want you as a customer, says Lyons.

You've fallen for social engineering

Humans are hardwired to want to help others, says Lyons.

The classic Nigerian scam where you believe you'll be paid handsomely if you help some other person move some money is a classic social-engineering scam.


So is the romance scam, where you're sending money to someone you've fallen in love with online to help them in some way.

If you send it through Western Union or similar companies there isn't much that can be done to stop the fraud or get the money back.

Banks have increasingly intelligent systems to help insulate customers from loss, says Lyons.

Your bank has been hacked

Never say never when it comes to your bank being hacked, but they are very risk averse around technology.

"If the bank gets hacked I doubt very much [customers] would know," says Lyons.

The bank would pay the money back to the customer as quietly as possible. It's not a good look.

Any criminal hacking into a bank is more likely to transfer huge sums of money out of the country and disappear on the proceeds for life, says Lyons.

They're not going to go after Joe Smith's account in New Zealand with a paltry $10,000 in it.

Banking Ombudsman Nicola Sladden says that banks must act with reasonable skill and care when providing internet banking.

Your bank account has been accessed

Maybe you use the same password for everything and fraudsters got hold of it.

Or you have clicked on a dodgy link that looks like it's from your bank but isn't.

Often the fraudsters load key-logging software onto your PC and capture your passwords that way.

If you are an innocent party and report it in time to your bank, your losses will usually be reimbursed.

Not so, however, if you've given your PIN or passwords to someone knowingly, such as a carer.

I'm very careful about doing something to compromise my bank accounts.

I'm forever changing passwords and have so many PINs it often takes several attempts to pay for anything.

I often wonder, when will a bank refund and when won't it? I've seen cases on the Banking Ombudsman's site when the bank hasn't refunded until forced to.

Sladden says the latest Code of Banking Practice, which came into effect on June 1, promises banks will reimburse victims of fraud, unless they have acted dishonestly, negligently, breached their terms and conditions or didn't take reasonable steps to protect their banking.

"A bank's terms and conditions will often state that the bank is not liable for unauthorised transactions where it believes the customer has contributed to the unauthorised use of their card," says Sladden.

Each case is different and has to be investigated.

Some examples where you might not be reimbursed include:

• Selecting 1234, your birthday or phone number as a PIN.
• Keeping your card somewhere unsafe.
• Writing down your PIN.
• Giving your card or disclosing your PIN to someone else.

I was pleased to hear from Sladden that not changing passwords frequently or using the same PIN for different cards does not necessarily mean you have failed to take reasonable steps to protect your banking.

"The password or PIN you've used is only one of many factors that get taken into account when someone is the victim of fraud," she says.

That's a relief.

Even so, says Sladden, it is sensible to refresh your password frequently, and if possible use a unique password that is just for your banking.