Westpac's clients target of email con

By RENEE KIRIONA

More than 100 people who bank with Westpac have been stung in the country's biggest internet banking scam.

A spam email was randomly sent out at the weekend asking Westpac New Zealand customers to confirm their email address by following a link to a fake website that resembled that of the bank.

Having followed the link, the customers were then asked to reveal their login name and password.

Such details would allow a fraudster to access a customer's accounts online and transfer funds using an internet cheque or loading new bill payments.

While similar scams have occurred overseas, it is the first time one has been seen in New Zealand.

Westpac spokesman Paul Gregory said the bank became aware of the scam early on Monday morning and by 10am yesterday had posted a warning on its website.

"We've had hundreds of calls and at present we're checking to see if the accounts of those 100 customers who did give details have been tampered with," he said.

The bank was working with those customers to immediately change their details.

Mr Gregory said Westpac would never ask customers to reveal their login and password details either verbally, by fax or email.

All other banks in New Zealand carried a similar privacy policy.

"We don't need to know those details and our advice, as simple as it sounds, is for customers never to give them out."

Most of those who did not fall for the scam were alerted by a glitch in the name of the fake website westpac.com.nz, he said.

"Anyone who knows how websites work in New Zealand will know that there is no such thing as a com.nz."

An investigation into the scam was being undertaken by the Electronic Crime Laboratory, a division of the New Zealand Police.

ECL national manager Martin Kleintjes said banks and online bankers in this country should prepare for more scams of this nature.

"I'm sure we'll see more of it happening here now.

"The people behind these scams are very cleaver. They play a numbers game by sending these emails out to hundreds of thousands of people and in most cases manage to sting at least a couple of hundred."

The email addresses of those who received the spam mail were most probably derived from databases and directories that could easily be accessed on the internet, he said.

So far the inquiry had found that the email was sent out from the Netherlands, the link was traced to a website in Russia and the pop-up box (in which customers were asked to enter their details into) was administered from a site in Britain.

"At first glance it appears as though the pop-up box stemmed from a site in Nauru but when we looked closer it was in fact the UK. Whoever is doing this is very cleaver," Mr Kleintjes said.

Consumers' Institute chief executive David Russell described the scam as an exploitation of trusting New Zealanders.

"This scam was very sophisticated and I'm not surprised if it fooled even the most sceptical of people.

"I think our problem as New Zealanders is that we can be too trusting sometimes."

A similar email scam this year hit customers of the Commonwealth Bank, which owns Westpac New Zealand, and ASB Bank in Australia.

In the United States, online scams, half of them auctions, cost 10,000 Americans US$18 million ($40.7 million) last year. Other scams included non-delivery of promised merchandise, credit-card fraud and a letter fraud originating from Nigeria.

Online safety

The most secure way to enter a site is by typing in the URL.

Never follow a link from an email to a secure website.

Change your passwords regularly.

Don't use the same passwords on different sites.

Don't share or write down your passwords or save them on the computer.

Install a basic firewall and an anti-virus programme.

Don't leave your computer unattended when engaged in an online transaction.

Always log out when ending a secure transaction.

Look for the padlock in the bottom right of your screen (which denotes a secure, encrypted session). Learn about padlock certificates and what they should show.

(Source: NetSafe)