Dunedin pensioner Ray Johnson had nearly $100,000 siphoned from his Westpac online banking accounts. Photo / Peter McIntosh
Westpac Bank is analysing a pensioner’s personal electronic devices in a bid to identify how cyber criminals accessed his online accounts and drained them of $100,000.
Westpac’s online banking platform promises to refund customers in full if they are the victim of internet banking fraud, subject to “terms and conditions”. The bank told the Herald it will await the result of its forensic investigation before deciding whether to reimburse the elderly man.
A banking expert says in her view, and based on the money apparently being wired offshore, the man has likely been the victim of a scam and Westpac should refund the stolen money unless it has proof he has been “wilfully negligent”.
Dunedin 71-year-old Ray Johnson discovered the money had been siphoned from his savings in three unauthorised transactions over two days in June, and immediately alerted Westpac and police.
Though Westpac was able to “stop” the two latter transactions of $11,000 and $38,000, the first withdrawal of $48,839 could not be recovered and the bank has refused liability.
Johnson believes the thieves likely hacked his Westpac internet banking app. The lost cash represented a third of his retirement savings which he’d bequeathed to his grandnieces.
Westpac - which announced a $1.1 billion profit last week - wrote to Johnson in September saying there was no evidence the bank’s security systems had been breached and it would not reimburse him.
However, after questions from the Herald, the bank apologised to Johnson for its handling of the matter and promised to review the case.
On Tuesday, Johnson attended a meeting at his local Westpac branch with a bank manager and two tech experts. He was asked to sign waivers before handing over his mobile phone and laptop computer for forensic analysis.
Johnson said the meeting took over two hours. The experts eventually handed back his mobile phone but retained his laptop overnight for further investigation.
“They just said, ‘We’ve fiddled with your phone’. I said, ‘Did you get anything’, and they said, ‘It could take up to two weeks’.
“They just said, ‘We’ll try to get to the bottom of it’.”
Johnson did not believe he’d compromised his personal banking information and felt Westpac should refund his losses.
“I even said to the guy in the office, ‘I see you made a billion dollars in profit’. He said, ‘Not the bank, the shareholders’.
“I thought, ‘You get a billion dollar profit and all I’m after is just on fifty grand’.”
Under “Security Settings” on Westpac’s internet banking platform, the company says it is “committed to protecting you from online fraud”.
“We are so confident in our systems and processes that, subject to our terms and conditions, we make you the following promise: ‘In the unlikely event that you fall victim to online fraud as a result of using Westpac New Zealand’s online banking services, we will always reimburse, in full, all money taken from your account’.”
Given this promise, the Herald asked Westpac whether it would now reimburse Johnson.
Westpac NZ general manager of consumer banking and wealth Ian Hankins said the bank was still investigating how payments were made from the retiree’s devices.
Information from his laptop and phone was being independently analysed to check if they had been compromised, Hankins said.
“We’ve asked the analysts to prioritise this work so we can get back to Ray as soon as possible.
“We will not make any decisions on reimbursement until after we have received the results of the investigation and discussed them with Ray.”
When the Herald pointed out Westpac’s online reimbursement promise, a spokesman sent a link to another part of its website titled “Our Online Banking Guarantee”, setting out the relevant terms and conditions.
It says if a customer falls victim to online banking fraud, “we will investigate your loss and the contributing circumstances and reimburse the fraud losses” if:
* the customer immediately notifies Westpac of the loss;
* has not “wilfully, fraudulently or negligently caused or contributed to the loss”;
* has complied with all applicable terms and conditions.
Massey University banking expert Associate Professor Claire Matthews said banks were required under the Code of Banking Practice to reimburse customers if they had not been “wilfully fraudulent or negligent”.
She said that on the information available, it was likely Johnson had inadvertently clicked on a link and downloaded a virus, giving scammers access to his accounts.
But in her view, this did not necessarily make him “wilfully” negligent and Matthews believed that due to banks’ obligations under the code, Westpac should reimburse him.
It was reasonable for Westpac to carry out an investigation to ascertain how the unauthorised transactions occurred and hopefully prevent other customers from becoming victims.
However, she said Westpac’s initial response to deny liability and refuse reimbursement seemed “inappropriate” given it did not appear to have evidence at that time that Johnson had been at fault.
The bank would be weighing the negative publicity with the risk of “opening the floodgates” if it agreed to refund Johnson.
Matthews said the case, along with that of a Southland pensioner whom SBS Bank has refused to reimburse for $134,000 stolen from his accounts, may indicate banks were taking a tougher stance on liability for online banking crime.