More action needed to fight online scams
The exact amount lost to scammers is not known, but it must be large: estimates range from around $200m to $2bn a year:
· A Ministry of Business, Innovation and Employment (MBIE) survey, drawing on data from New Zealand’s 11 largest financial institutions, says Kiwis lost $198 million to online scams in the year to September 2023, or at least those directly involving banks.
· Extrapolating a survey of 1000 New Zealand adults by the Global Anti-Scam Alliance, Netsafe estimates that Kiwis lost a total of $2.05 billion to online fraud in the same period.
In a common fraud, scammers, often calling or emailing their victims, impersonate organisations that could have a legitimate reason to call and to charge for a service. Once the victim agrees to pay, the money is directed into an account the scammer can access. The name on that account will generally not match the name of the organisation being impersonated. A key protection for consumers could be to disclose the name of the payee bank account to the payer.
Australia is introducing requirements for banks to help protect consumers from scammers.
Should NZ follow suit? Some basic measures to combat scammers (e.g. name and account number matching; see "Consumer watchdog says NZ banks must from now reimburse all scam victims", interest.co.nz) have still to be implemented here, though work is progressing.
The New Zealand Banking Association announced they would implement name and account number matching, but the latest news we could find says more details will be released in April:
"We are currently looking at technical options and extensive work is underway to ensure compliance with existing privacy laws. This will enable a timeline for the initiatives, including implementation of a confirmation of payee service, which will allow people making an online payment from one bank account to another to check the name of the account they are paying. We expect to provide more detail by the end of April," says Beaumont in this piece: Banks progressing anti-scam initiatives, lobby group NZBA says | interest.co.nz.
So, it’s in the works, just happening very slowly – and we can understand why. Although core banking systems are typically common between the Australian parent and the New Zealand subsidiary, there are differences in customer data and mobile applications. Each of these systems has to comply with local legislation and conventions about how we work. Each step that makes it more secure to make a payment also tends to make it a little bit more difficult to make a payment. It is easy for you to see that a payment to “Garry’s Gardening Limited” can probably go to an account named “Garry M Smith Gardening Limited”, but it is harder for systems to tolerate such ‘near-matches’.
Scammers will take advantage of near matches, much as they do with email addresses that sound similar to the organisations they are impersonating. When that happens, the game of cat and mouse will begin all over again. Nevertheless, it is still worth making it as hard as possible for them. It is also, perhaps, a question of prioritisation and will. Innovators like Akahu have been able to deliver a form of confirmation of payee – allowing them to claim that in this respect they are doing a better job of securing systems than much bigger organisations. That is worth saluting. (See "Netsafe teams up with Akahu, Dolla for payee confirmation as banks linger", NZ Herald.)
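The near-match problem described above can be made concrete with a small sketch. This is an added example, not code from any bank, Akahu or the NZBA; the three verdicts, the suffix list and the 0.8 threshold are assumptions chosen for illustration. A near match is never passed silently: the registered account name is returned so the payer can check it.

```python
import re
from difflib import SequenceMatcher

# Assumed list of legal-form words that carry no identifying information.
LEGAL_SUFFIXES = {"limited", "ltd", "company", "co"}

def name_tokens(name):
    """Normalise an account name into comparable word tokens."""
    text = name.lower().replace("\u2019", "'")   # curly to straight apostrophe
    text = re.sub(r"'s\b", "", text)             # "garry's" -> "garry"
    words = re.findall(r"[a-z0-9]+", text)
    # Drop legal suffixes and single-letter initials (the "M" in "Garry M Smith").
    return [w for w in words if w not in LEGAL_SUFFIXES and len(w) > 1]

def check_payee(entered, registered, close_threshold=0.8):
    """Return (verdict, name_to_show). The threshold is an assumed tuning value."""
    a, b = name_tokens(entered), name_tokens(registered)
    if not a or not b:
        return ("NO_MATCH", None)
    if a == b:
        return ("MATCH", None)
    # One name contained in the other, or a small spelling difference:
    # do not approve silently, show the registered name so the payer decides.
    contained = set(a) <= set(b) or set(b) <= set(a)
    similarity = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    if contained or similarity >= close_threshold:
        return ("CLOSE_MATCH", registered)
    return ("NO_MATCH", None)

if __name__ == "__main__":
    # Constructed sample payments: (name the payer typed, name on the account).
    samples = [
        ("Garry's Gardening Ltd", "Garry\u2019s Gardening Limited"),
        ("Garry's Gardening Limited", "Garry M Smith Gardening Limited"),
        ("Garry's Gardening Limited", "J Doe"),
    ]
    for entered, registered in samples:
        print(entered, "->", check_payee(entered, registered))
```

Raising the threshold blocks more lookalike names but also flags more honest payments, which is the security-versus-friction trade-off the paragraph above describes.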
Another area, probably for a separate post, is that banking apps should as standard avoid some of the accessibility features inherent in technology such as smartphones, which reduce the security of the accounts.