While it is unclear exactly how much money has been taken, NZME understands more than $2m has been transferred out of several Wellington-based firms' trust accounts and that the funds have been sent offshore.
The bank’s head of customer protection, Alan Thomsen, said the businesses being targeted receive calls from scammers impersonating the ANZ Fraud team or other bank staff.
“The scammers appear to already have some banking information, which may have previously been obtained from a phishing email, text or website.
“Those that are impacted may have been tricked into granting remote access to their computer systems or devices and digital banking and disclosing authentication codes, believing they are securing the accounts or reversing fraudulent transactions.”
‘Thanks for calling ANZ’
Wellington-based criminal lawyer Chris Nicholls said he received a call on Monday morning from someone claiming to be from the bank.
“Immediately I was suspicious ... I’m not an ANZ customer,” he said.
“He was calling about an unusual payment that had been attempted for $18,000 for some company.”
Nicholls said that while he has a trust account, it’s not with ANZ and he doesn’t do any conveyancing work.
A voice message left with another law firm purported to be from a woman calling from ANZ’s business banking team and asked them to call back citing a reference number and a New Zealand landline.
NZME called this number and was greeted with ANZ’s hold music, followed by a message that says “Thanks for calling ANZ’s Business Banking team”.
A man answered, also with an English accent, purporting to be an adviser with ANZ calling himself “David Haines”. He maintained throughout the call that he was an employee of the bank.
“Why would I need to lie about my job?” the man said in response to questions about whether he really worked for ANZ.
ANZ has since confirmed that the Auckland-coded number is not associated with its business. The phone number has also stopped working.
‘Impersonation scams’
Thomsen said the bank said it had experienced a spike in “impersonation scams” and although the scammers are casting a wide net, the actual number of affected law firms is still very small.
“Most businesses contacted did not progress to making a payment or had their payments blocked.”
However, he confirmed that a small number of businesses had “suffered financial losses”.
Thomsen said scammers were constantly looking for new ways to try to fool people.
“What all these scams have in common is they try to get customers to take action, by clicking on a link or divulging personal and banking information like payment authentication codes.”
Thomsen reminded its customers that the bank will never:
• Ask for banking passwords, PINS or security authentication codes (like Online Codes or Visa Secure Codes).
• Ask for full credit card details.
• Tell you to transfer money to a “safe” account.
• Tell you to download software or remotely access your device.
• Send you a security authentication code to “reverse” a transaction.
Warnings
Earlier this month, the National Cyber Security Centre, a division of the Government Communications Security Bureau, said it had noted a spike in reports from law firms whose emails had been compromised.
“Cyber criminals are gaining unauthorised access to law firms’ emails and targeting their customers and clients with fake invoices,” its advisory noted.
“If an attacker gains access to your email account, they can send invoices to your clients with altered invoice account numbers. Customers think they are paying your firm or depositing money into your account but are actually sending it into the criminal’s account.”
The centre said scammers were targeting law firms in particular because their transactions ordinarily involve large sums of money.
The New Zealand Law Society would not confirm whether any of its members had lost money in thefts by scammers, only that it was aware some firms had been targeted.
“We expect that lawyers will be contacting their banks and their insurers with any concerns.”
It said the Law Society’s fidelity fund, which is a pool of money set up to reimburse clients who have had money stolen by their lawyers, would not cover any client money lost as a result of negligence or other misconduct.
The police said they had received two reports from law firms targeted by the scammers.
“Police have received at least two reports of a scam where the caller claims to be a trusted government agency and requests access to their bank, providing a website to access and a number they claim to be an employee identification number, they then claim to attempt to fix the account before the money is transferred out of the account,” they said in a statement.
“As with many scams of this nature, the bank account is believed to belong to an overseas source.”
- Jeremy Wilkinson, Open Justice reporter
