Caught in the Web
Falling victim to a sophisticated scam begs the question: who pays?
By Sasha Borissenko
It was a Sunday in late February. I woke up early and managed to sweat off a week’s worth of cortisol at the gym — either that or it was the last of the pinot grigio I had consumed the evening before. Feeling saintly, I turned to Facebook Marketplace, where I’d put a mammoth-sized toaster up for sale, desperate to get rid of it. A few buyers had shown interest overnight — Jeff could only pick it up in a month, Jenny was a no-go as her profile looked dubious, and Mary could drive from Lower Hutt, but it would be much easier if she organised a courier. All I had to do was confirm receipt of payment. A no-brainer, I thought, choosing the latter.
The email I soon received from NZ Post looked official and took me to a POLi banking portal. The Kiwibank website required my access number, password, and answers to my KeepSafe security questions. For example, Where was I born? Given the number of boxes that matched my specific answers — San Fran, not San Francisco — the site seemed completely legitimate.
And so I continued to believe. For two days, the toaster sat in the postage-ready box by the front door of my apartment. Mary even reassured me at one point, saying I’d get a call from the courier shortly. Annoyingly, I missed the call at 5:27 p.m. on Tuesday, or so I thought. It was actually Kiwibank alerting me that something was amiss. Shortly after, a text from a four-digit number said I should give the bank a ring if I suspected anything was wrong. When I went online to check, I saw that all my Kiwibank accounts were at zero.
I was alarmed, but it was a mistake, surely? My blood ran cold when the Kiwibank representative told me the NZ Post, POLi-banking and Kiwibank sites I’d engaged with over the courier parcel were fake. It was a phishing scam and in nine minutes all of my tax, mortgage, student-loan and credit-card reserves were cleaned out. I’d lost $12,500.
I howled, dry-retched, and shed a lot of tears. Feeling ashamed, confused, violated and increasingly paranoid, I couldn’t understand how I could have been so stupid. Kiwibank, police, my friends, and even a legitimate NZ Post-pinned Facebook post would tell me it was common, however.
“Facebook Marketplace is considered a high-risk platform for sales and purchases, due to the ease with which profiles can be manipulated. This NZ Post scam is common and has been linked to overseas offenders on multiple occasions,” an email from police read. And yet in a 2023 survey, Netsafe found 17 per cent of Kiwis have lost an average of $3165 to scams, amounting to $2.05 billion. Combined data from New Zealand banks provided to the Ministry of Business, Innovation, and Employment (MBIE) suggests customers lost $198 million last year alone.
Same script, different scam
Jane* is one of those people. A small business owner based in the South Island, she had $300 stolen from her credit card in 2023. BNZ gave her a call via an unknown number and walked her through several easy steps before reimbursing the cash. Fast forward to June this year, Jane received another call, this time from her “local BNZ branch”. The representative — “William” — said there had been suspicious activity on her credit card. After asking to confirm contact details and Jane’s online account access number, William listed some legitimate transactions and one that wasn’t accounted for.
“Listening to this person use the same script, almost word for word, it never crossed my mind that it wasn’t BNZ. He spoke so fast, and I got swept up in the sense of urgency,” Jane said. Four hours and two BNZ alerts later, Jane learned $40,000 had been transferred, not from her credit card, but from a separate business account. William had free range to access Jane’s staff wages, GST, and other business funds. She said she had no idea how the scammer knew all her contact details. “It took me a couple of minutes to realise what had happened, and then I felt completely nauseous. It was awful. I really felt like I was going to throw up.”
A BNZ spokesperson said it could not discuss Jane’s case without a privacy waiver but could confirm there had been no breaches of BNZ’s systems or data in 2023 and 2024. “We have worked with New Zealand’s three largest telecommunication companies — 2Degrees, Spark, and One New Zealand — to stop scammers based overseas from spoofing our 0800 number [and] other published BNZ telephone numbers.” The spokesperson said banks were required to promptly notify regulators if there was a cyber interference or data breach, including remedial actions and potential impacts to customers. “The safety and security of our customer information is our utmost priority, and we strongly refute any suggestion that our BNZ systems have been compromised. Every year, we invest tens of millions of dollars in cyber security and scam and fraud protection measures. We continuously monitor, audit, and inspect our security systems, equipment and online banking transactions for suspicious activity.”
All stressed out, nowhere to go
In my case, a police complaint proved fruitless. Official police correspondence would tell me that due to “investigative demands and prioritisation, we regret to advise you that it will not be investigated further”. For Jane — who also lodged a police complaint — the decision whether police would investigate was ongoing, she said. Speaking generally, Detective Superintendent Dave Lynch said although scams had no legal definition per se, they tended to fall under “fraud”, which carried a maximum sentence of up to seven years imprisonment under the Crimes Act. Police figures suggest there were 488,000 fraud and cyber offences between November 2022 and 2023, affecting 11 per cent of New Zealanders. Police had no datasets capable of providing readily retrievable information specific to online banking, Lynch said.
It seems the issue is widespread. The Independent Police Conduct Authority reviewed the situation after receiving 52 complaints about police responses between 2018 and 2022. Police acknowledged in their findings that they struggled to assess the scope of fraud offending and that many reports were not recorded correctly in the police database. The authority highlighted that cases were often complex, police lacked specialist fraud squads, and investigations varied between regions. The problem isn’t unique to New Zealand. In the UK, a 2018 Police Foundation report estimated that of the 3.24 million fraud offences in the year ending March 2018, just 638,882 frauds were recorded by police and industry bodies.