Banking Ombudsman: accessing unsecured public Wi-Fi risky
People who store personal information, including bank account details and documents with signatures, on their email
accounts put themselves at risk if they access emails using unsecured public Wi-Fi, says Banking Ombudsman Deborah
Battell.
“In a recent case, an overseas couple put a six-figure sum on term deposit with a New Zealand bank only to have it
stolen from the account months later. Our investigation found the theft occurred due to an unfortunate combination of
the couple’s use of public Wi-Fi and because their bank’s security practices regarding emailed instructions were not
sufficiently robust.
“In this case, the couple accessed their emails via unsecured public Wi-Fi at an American airport. Unfortunately their
account was hacked and the fraudster found separate emails – one that included bank account details, and another with a
signed employment contract attached. This ultimately enabled the fraudster to pose as one of the customers and
successfully email instructions to the bank transferring funds out of the couple’s account.
“The fraudster was able to make the email look as though it had come from the couple’s address and fooled the bank into
thinking it was genuine.
However, scheme investigators found the signature copied from the employment agreement was not the same as the one held
by the bank. And, after surveying other New Zealand banks on their processes for emailed instructions, also found the
particular bank’s practice was out of step with the rest of the industry at the time.
Some banks simply do not accept email instructions, acknowledging the risk of email addresses being hacked. Other banks
accept emailed instructions, but only after verifying the request has come from their customer by, for example, calling
the customer back at a number held on file and asking a series of security questions.
“It is crucial banking best practice prevails to maintain customers’ confidence. Fortunately, our enquiries have shown
this to be an unusual case, and we were pleased the bank concerned moved quickly to enhance its security procedures
around emailed instructions,” Ms Battell said.
Customers need to know the risks of storing documents on email, and regularly clear out information that could be used
to verify their identity. It’s also a useful reminder that security questions (including those due to the new anti-money laundering requirements) and banks’ restrictions on how they accept instructions help to protect customers from fraud.
”We found in favour of the couple in this case and the bank has now reimbursed the amount fraudulently withdrawn, paid
the couple interest lost following the withdrawals, and placed their total funds back on term deposit,” Ms Battell said.
ENDS