One Question Quiz
a red brick wall with a computer inside and a phone. like a jail for phones
Will locking away our devices keep ussafe online? (This isnot proposed in the new document) (Image: Tina Tiller)

PartnersJuly 29, 2022

How to spot an online scam

a red brick wall with a computer inside and a phone. like a jail for phones
Will locking away our devices keep ussafe online? (This isnot proposed in the new document) (Image: Tina Tiller)

As our lives become more and more digital, online scams are getting more frequent and sophisticated. We spoke to victims of three common scams to learn what to look out for.

This content was created in paid partnership with Kiwibank. The names of the people who shared their stories have been changed.

Michael classifies himself as digitally savvy and security conscious. He’s on his computer and phone at work and at home, but he doesn’t save his credit card number or passwords online and he’s careful to protect his pin number from prying eyes. But that wasn’t enough to protect him from becoming the victim of a spoofing scam, where someone pretending to work for Kiwibank tricked him into giving away information to help unfreeze his son’s bank account. 

“I do all the right things, but he was just so convincing. Any doubts or questions I had, he had all the answers. They knew about my son, they knew his name, they knew my name, and they knew he was having trouble with his account. They used that parent’s concern for their kids and the desire to fix things for them to get the information out of me.”

And it’s easy to see how he fell for it: scammers are able to imitate legitimate call centre numbers (hence “spoof”) to look like it is the bank. The caller had a New Zealand accent and the script was very realistic. They sent codes to his phone from “Kiwibank” for him to verify.

Michael originally questioned the caller when they asked him for the access code for his online banking, but they eventually convinced him to give it to them so that they could fix the problem. Soon after, $10,000 was taken from his account and Kiwibank quickly got in touch to tell him he was a suspected victim of fraud. 

Cyber criminals don’t discriminate (Illustration: Joseph Carrington)

Family ties

Like Michael, Bronwyn’s desire to help her family was used against her in a WhatsApp scam. The scammers sent her a message purporting to be from her son saying he had broken his phone. As a result, he had a new number and wasn’t able to pay some urgent bills. The first request was for a small amount of money, but the amounts and the requests for more information kept increasing.

Eventually, they asked her to hand over the account details so they could make the payments themselves. Still thinking it was her son, she gave it to them, and they were able to log into her online banking. 

When her husband raised some concerns and said it was out of character, she asked for a birth date. No answer. Then she tried to call the number. No answer again. 

“Then I rang my son’s old number and he told me it wasn’t him I’d been messaging with, but by that stage it was too late. Everything had gone out of our bank. It was heart-wrenching. And it was devastating for my son too, because he was part of it without knowing.”

In the end, the scammers had extracted $53,000 from her account. 

Young and old alike

Despite being a “normal person who grew up with the internet”, Grace was also taken in by a spoofing scam when someone masquerading as a member of Kiwibank’s fraud team called her about some fraudulent Apple transactions that had appeared on her account a few months before. The card had been blocked and a replacement card was issued at the time, but when she received a call from someone who knew all those amounts and dates, she thought it was legitimate and gave them the information they asked for. 

“Obviously, they were involved in the earlier scam, so they knew those details. They had been baiting the hook.”

She didn’t think she was the kind of person who would get sucked in, but the phone call came from Kiwibank’s own 0800 number. The scammer even told her to check the number on the website. He then sent a series of verification texts with codes to verify. It was only later that Grace realised that the wording in these text messages stated that the codes were to reset her online banking password and approve payments. 

When the scammer got access to Grace’s internet banking, they changed her contact details and transferred $16,000 out of her account.

Kiwibank’s senior external fraud investigator Sareta Fraser (Image: Supplied)

Love hurts

Romance scams are another growing area of concern. Similar to the WhatsApp scam above, but playing out over a longer timeframe, they prey on loneliness and the desire for connection, with scammers setting up fake dating profiles, starting an online relationship and then asking for money for various made-up reasons or to deal with emergencies.

A Stuff investigation this year told the stories of three women who had lost more than $2 million between them in long-running swindles, and Kiwibank’s senior external fraud investigator Sareta Fraser says these can be very challenging cases to try and alert victims to because they simply don’t believe such a long-running relationship couldn’t be real. Patience is a virtue when it comes to scams.

Fraser says scammers have also been known to use their victims as unwitting “money mules” for laundering purposes by getting them to send money to other accounts. If they do that, they unwittingly become part of a complex web of payments and other scams that are harder to track – and they also put themselves at risk of prosecution. 

Investment scams also offer the lure of massive returns or early access, but instead just separate investors from their money, and there are plenty more scams to be aware of that can come at you via text, social media or even glossy brochures. 

Don’t be an ass

Money mules enable scammers. Many online scams involve asking the victim to receive money to “look after” and then transfer it to another account, usually offshore. In most cases the money has been scammed from someone else, and is destined to fund more scams and the criminals behind them.

Mules fall into one of three categories: unwitting, witting or complicit. Unwitting mules may be involved in an online scam romance or fake online job, and trust their contact when asked to use their bank account to transfer funds. Witting mules ignore warning signs and continue to move money for people they think they know online, opening multiple bank accounts and possibly keeping a share of the funds. Complicit mules serially open bank accounts to receive money from a variety of unknown individuals or businesses for criminal reasons, keeping a percentage of the money they move.

Sometimes mules are shocked to discover they may be off-boarded by their bank, and charged with money laundering, facing imprisonment of up to seven years. They can also be held liable for debt to repay the victim.

Kiwibank senior customer protection manager Veronica Solomon says she once had to give evidence in court on a romance scam where the victim was charged and found guilty of money laundering. “The consequences are high, so if someone you’ve met online asks you to look after or transfer money on their behalf, don’t do it,” she says. 

Kiwibank senior customer protection manager Veronica Solomon (Image: Supplied)


Kiwibank’s customer protection team has seen a major increase in scam cases in recent months, and has hired additional staff to help deal with the uplift. 

This is backed up by numbers shared by banking ombudsman Nicola Sladden, who told a finance and expenditure committee that complaints about scams have increased by over 400% in the last seven years. 

Government cybersecurity department CERT NZ says scams have cost New Zealanders nearly $70 million since March 2017, but that number is believed to be much higher due to the number going unreported as a result of shame or embarrassment. 

The banks have 24/7 robust fraud detection technology that flags suspicious activity on cards and online banking. In a few cases, they can stop money being transferred if action is taken early enough. Kiwibank says keeping detection rules up-to-date is a bit like whack-a-mole.

“Once a spoof number is reported and blocked, they’ll simply try again using a different number, with the same script used on other unsuspecting victims until they find someone who takes the bait,” says Solomon. 

Across the ditch, the Australian Communication and Media Authority (ACMA) has recently rolled out new rules for telcos to protect Australians from text message and spoofing scams.  

Prevention is much better than a cure when it comes to online fraud, and there is collaboration between telecommunications companies, police and banks. But Sladden believes it will require a multi-faceted approach. 

“We consider there’s a need for urgent collaboration between a much wider range of stakeholders, including other industries, telcos, social media platforms as well as government agencies, law enforcement, [and] the privacy commissioner to try to do better and to keep ahead of these very sophisticated frauds.”

The UK has launched the Action Fraud taskforce, which is along those lines, and she also believes there should be a joined up policy to incentivise banks to invest in better fraud detection and fund recovery programmes. An investigation by Australia’s Spotlight and the Reply All podcast episode Long Distance revealed a lot of the scam activity is run by organised crime networks in India. But Kiwibank’s fraud team says it is increasingly being done from New Zealand as well. 

Cyber criminals don’t discriminate, and anyone is open to being a potential target (Illustration: Joseph Carrington)

Trust fall

When Michael, Bronwyn, and Grace look back, they can all see the red flags and realise that a few simple decisions could have stopped the scams in their tracks. In Grace and Michael’s case, not giving away their access codes over the phone, and for Bronwyn, actually talking to her son before sending any money. 

“I do feel like it was my fault. But they were so convincing,” says Michael. 

Bronwyn says the experience has been hugely stressful – and embarrassing. “With hindsight, I was just so stupid. I just gave too much information that I shouldn’t have given. But you just don’t think about it. He said he needed money. We wanted to give it to him. That was it.”

And just as a home break-in feels like a major violation, so does being scammed. “I was quite anxious about getting back on online banking again,” says Michael. 

Grace has had lots of contact with Kiwibank and the police about her case and says she has developed trust issues. “Every time, I have to confess, I have this PTSD reaction that this person is lying to me. How do you verify who you are on a phone call? It’s so hard because so many of our administrative tasks these days are done without face-to-face meetings.” 

She says now she won’t engage with a bank unless she’s the one calling them – if you’re ever in doubt, just hang up and call your bank back. Grace has told all her friends and family about her own saga as a cautionary tale. “I tell them to be less trusting of everyone and everything.” 

They’re right to remain vigilant: Fraser and Solomon believe that once someone is scammed, they get put on a target list and are seen as viable targets for other scams in the future. In particular, when customers lose money (and aren’t reimbursed) they may be re-victimised weeks, months or even years later, contacted by an “international investigator” who claims they can help get their money back – for a fee – or even by accepting someone else’s scammed money and becoming a money mule. 

Payback time 

Fortunately, the three victims were all able to get their money back through a combination of transfers being stopped in time, recovery from other banks or reimbursement from Kiwibank. 

“The bank did right by me,” says Grace. “They returned it all to me and I know they didn’t get it all back from the scammers so that’s fantastic, otherwise it would have been a horrifying, life-destroying amount of money for me to lose.” 

Bronwyn felt so guilty about losing their retirement savings and didn’t expect to get it back. So seeing all the money back in their account was like a twisted version of winning Lotto. “We couldn’t believe it. It was like a whole weight was lifted off our shoulders. I’m sorry I was so gullible, but we couldn’t be more praising of the bank’s response.”  

Banks distinguish between authorised and unauthorised payments as a starting point for investigations. Reimbursement is assessed on a case-by-case basis, with regard paid to the customer’s own knowledge and circumstances. However, if they send money of their own volition, or ignore warnings from the bank, that may be considered an authorised payment, and will possibly be ineligible for a refund. 

As Malcolm Gladwell said in his book Talking to Strangers, it’s almost impossible to get through modern life without trusting people we don’t know. Being able to share resources and have faith that people weren’t going to rip you off has been a crucial component of human evolution. But that trust makes us vulnerable to the small minority of people who want to take advantage of that. 

As Michael summarises: “Be careful.”

Find more ways to keep yourself safe here.

This content was created in paid partnership with Kiwibank.

Keep going!