Where can a scam be stopped?

By Ruairi O'Shea

Former Investigative Writer | Kaituhi Mātoro

When we’re scammed, we tend to look to our bank to recover our money. But if telecommunications companies are involved, should they share the responsibility? And can scammers be stopped from reaching consumers in the first place?

You’re at the supermarket checkout when your phone vibrates. You’ve received a text from your bank saying your account has been blocked and that you need to click the enclosed link to unblock it. You panic, worried that someone has accessed your account, so you click the link provided and quickly enter your details so you can pay for your groceries.

A scam can happen that quickly, and from one moment to the next, you could lose everything.

The liability for these losses often falls between a consumer and their bank. Whether your bank reimburses you or not is likely to depend on whether it considers you to have acted irresponsibly or breached its terms and conditions.

Yet, in our scam scenario, there are more than two parties involved. A telco provider was used to send the text – or SMS – message. Another telco – possibly the same one – was used to receive it. Clearly, the victim (you) played a role, with the urgency of the situation causing them to overlook the signs of a scam. Then there are the banks, with the victim’s bank, and the bank used by the criminal party, playing a key role in the financial transfer.

With the prevalence of scams on the rise, Consumer NZ has taken an in-depth look at scams, and the three key phases where a scam can be stopped.

Can scammers be stopped from reaching consumers in the first place? Failing that, how can consumers avoid falling victim to scams? And if a consumer lets their guard down, can the funds be stopped from reaching the scammers?

Stopping scammers reaching consumers: the telcos

We asked Brislen if there were barriers that prevent telcos identifying whether messages sent on their networks were scams. He said, “mobile service providers in New Zealand work hard to strike the appropriate balance between privacy, security, and fraud prevention, and our customers’ expectations”.

In Singapore, telcos have been required to apply anti-scam filtering since October 2022. These filters analyse the content of messages, looking for malicious URLs or suspicious keywords, phrases or message formats typically used in scams.

In Australia, telco Telstra has launched an optional SMS filter on its network. The filter is on by default, but users can opt out.

Back in Aotearoa, Spark announced it would be introducing a firewall on its networks to automatically detect and block fraudulent content, including scams, before it reaches the receiver. Customers should be able to start using the service in June 2024.

We’ve also heard that 2Degrees implemented SMS filtering earlier this year.

Dolla, a New Zealand-based payments platform currently has SMS filtering. iPhone users can have scam text messages automatically filtered into a junk folder like with an e-mail inbox, while both iPhone and Android users can submit screenshots to Dolla for analysis on the likelihood that a message is a scam.

Ben Lynch, the founder of Dolla, said the SMS filter has been “really effective … 99.99% of the time we block scams and they go in the spam folder.”

There are valid privacy concerns around using SMS filters, but for Lynch, the filter offers consumers a choice between privacy and protection.

“It is completely up to users whether they opt into using the scam filter. The only messages that are filtered through Dolla, are messages from senders that are not saved as the user's contacts, and are not interacted with frequently.”

While these filters are a welcome development, in New Zealand telcos have no legal requirement to implement the filters.

Avoiding becoming the victim: the consumers

Consumer education is often offered by companies as the best solution for stopping scams.

We think companies do this to shift responsibility onto their customers. But there are benefits to wising up about scams. Being scammed is a horrible, stressful experience, even if you get your money back.

Here are some simple approaches to help keep yourself safe.

Be suspicious of spontaneous contact: If a business, or your bank, calls you out of the blue, it’s better to be safe than sorry. If you’re suspicious, put the phone down, find the number independently and call them back yourself.
Resist urgency: Scammers use urgency to stop people making thoughtful decisions. If you receive a text that requires you to take urgent action, try to pause and contact the person at their normal number.
Protect your personal information: Be careful when being asked for personal information, particularly if you have not initiated a call. Legitimate businesses will never ask for your password, and security checks should only be seeking enough information to confirm your identity. If someone calls and asks a large number of questions about your personal information, this is a reason to be suspicious. If in doubt, hang up, find the number yourself, and call back.
Do not give remote access to your device: Unless you have directly sought out the service and you are certain about who you are dealing with, never give anyone remote access to your device.
If it’s too good to be true, it is: If something seems too good to be true, it is. The distant relative you’ve never heard of did not bequeath you $1 million. The lover you have met online but never in person does not need $200 to make it to payday. You do not need to give your online cryptocurrency friend $100 to unlock the opportunity of a lifetime. I’m sorry.

Stopping funds reaching scammers: the banks

Banks in New Zealand use a number of measures to prevent the wrong person from gaining access to our bank accounts, from passwords and two-factor authentication, to face, voice or fingerprint recognition.

Then, if someone does access our account, there are a range of analytics taking place behind the scenes that aim to identify patterns of behaviour associated with scams.

Ashley Kai Fong, head of financial crime at BNZ, explained, “There are certain things we look for where we know the typologies of a scam … we have rules and things that we’re looking for in the back end.”

BNZ is “as effective as we can be”, says Kai Fong, but the difficulty is that as quickly as banks identify these patterns and block scams, the scammers evolve to evade detection.

“We try to adapt as we see the typology adapt. As the typologies of scams change, we’re manipulating those rules. We’ve got a team that’s working on this 24/7, 365 days a year.”

The New Zealand Banking Association has announced a range of measures that it hopes can reduce the damage caused by scams in New Zealand.

One of these measures is for banks to no longer send links in SMS messages. Yet, while links will be removed, many banks will continue to use SMS technology to communicate important information – such as two-factor authentication codes – to their customers.

A report by the Australian Securities and Investments Commission outlining banking security methods has highlighted the work of two Australian banks in replacing their SMS communication with secure messaging through their banking app. If a scammer decides to follow up a text message with a call, one Australian bank has also introduced a feature in its banking app for customers to verify whether a call is legitimate or from a scammer.

When money is lost to a scammer, the losses generally fall either at the feet of the consumer or their bank. But in the case of email or text-based scams – otherwise known as phishing – telecommunications networks are being used by scammers to steal from their consumer victims. So, shouldn’t the telco share some responsibility?

The Singaporean government thinks so and consulted on a shared-responsibility framework between October and December 2023. As part of this process, the Singaporean government recognised, “that responsibility for preventing scams should not lie solely with consumers, but also with industry stakeholders such as financial institutions and telcos.”

The proposed framework will apply to scams that result in unauthorised transfers and will adopt a “waterfall” approach. This means the bank will be first in line, in terms of responsibility for scams, and “expected to bear the full losses if any of its duties have been breached”.

If the bank has fulfilled its duties to its customer and the telco has not – including failing to implement an anti-scam filter – the telco is expected to bear the full losses. If both the bank and the telco have carried out their duties, the consumer will bear the full losses.

The proposed legislation offers consumers a secondary layer of protection, while more accurately reflecting the role played by telcos in scams taking place on their networks.

Yet, the shared-responsibility framework is about more than just who is liable for scam losses. The Singaporean government states that the framework “incentivises financial institutions and telcos to strictly uphold the desired standards of anti-scam controls”.

A similar shift is taking place in the UK, where banking-and-lending-industry regulator, the Lending Standings Board, told a parliamentary committee that there is a lack of incentives for telcos to implement anti-scam measures.

“To stop these kinds of attacks, they need to invest, and that does not bring in additional revenue, so there is a misalignment of incentives,” the board said.

In response, the parliamentary committee recommended that the UK government, “establish a mechanism by which fraud-enabling sectors – in addition to the outgoing and recipient payment service provider – are required to contribute to the costs of reimbursement where their platforms and services helped to facilitate the fraud”.

What New Zealand needs

In both 2022 and 2023, New Zealanders lost almost $200 million to scammers – figures that have led to increased scrutiny of the businesses involved, and particularly the banks.

There is also an emerging consensus in New Zealand that more must be done across the chain of a scam to prevent scammers reaching consumers in the first place.

Roger Beaumont, chief executive of the New Zealand Banking Association, said “banks are often at the end of the chain of events that makes up a scam. Any effective approach to reducing the incidence of fraud should include all parties involved, including for example global tech companies like Google and Meta, telcos, internet service providers, and government agencies.”

Nicola Sladden, the banking ombudsman, agrees. “There’s no doubt that there’s more that a number of agencies can do in this space including banks, telcos, social media platforms, the police and other government agencies.”

And it’s a position shared by Sam Leggett of CERT NZ. “There’s a chain of events and there’s different parties involved in that chain. The truth is that every part of that chain has some level of responsibility to do what they can to prevent these things from happening.

“We can’t point to one part of the chain and say, ‘it’s your responsibility and yours’ alone’. Everyone that is part of that chain has responsibility.”

Consumer thinks a framework that reflects the breadth of responsibility, across other fraud-enabling parties in addition to the banks, would better protect consumers, while providing an incentive for telcos (in this instance) to up their game. If the businesses involved do not take on the responsibility, the government should compel them to.

The New Zealand Banking Association has stated its support for the development of a cross-sector anti-scam centre. Telcos would be fundamental to any such scheme. Yet while the sector acknowledges it has a role to play in stopping scams, it’s clear it does not feel responsible for compensating consumers who are scammed via its networks.

Asked if New Zealand’s telcos should take on greater responsibility for fraud orchestrated on their networks, Paul Brislen from the NZ Telecommunications Forum said, “our role is to block scam messages where we can identify them and that is where we’re focussing our efforts. We don’t think mobile service providers should be responsible for compensating victims of SMS scams, in the same way as we don’t think postal agencies should be responsible for letter scams”.

Consumer NZ Chief Executive Jon Duffy believes that this is not good enough.

“Consumers in Aotearoa have been too vulnerable for too long when it comes to scams. Scrutiny on the banks is showing early signs of a shift toward better protection for consumers. Now is the time to question whether other fraud-enabling sectors are doing their fair share.”

Stamp out scams

Scams are on the rise, with over a million households in NZ targeted by scammers in the past year. Help us put pressure on the government to introduce a national scam framework that holds businesses to account.

Learn more

Comments

Get access to comment

Join Consumer

Was this page helpful?

When is your bank liable for scam losses?

Updated 9 July 2024

Scams and how to avoid them

Image of passwords written down on a sticky note

How to choose the best password manager

Updated 10 February 2025

POLi Payments: How it affects and breaches your banking security

7 May 2024