At least 200 duped by email scam

At least 200 Westpac customers were tricked yesterday into giving up their online banking passwords, and the bank expects more victims of the international email scam to emerge.

Many New Zealanders found the message waiting in their email inboxes yesterday morning. The email pretends to be from Westpac, saying the bank wants to check email addresses are valid and asking customers to confirm their address by providing their banking ID and password at the Westpac website. The email includes a link that appears to point at Westpac’s website, but actually directs browsers to a website in Russia.

Westpac spokesman Paul Gregory says the bank hasn’t yet found any suspicious transactions, but will have a better idea today when the transactions summary is available. “Obviously we’ll be taking a pretty close look at their accounts over the next few days.”

Gregory urges Westpac customers who provided their login details to the bogus website to change their password as soon as possible, contact the bank, and keep a close eye on their online accounts. “All we can do is let people know it’s around. We would never, ever send out an email of that sort.”

Because online money transfers to overseas accounts need to be specially set up, the bank will examine overseas transfers carefully, Gregory says. The scam involves websites in Nauru and Russia, he says, so he’s doubtful that the fraudsters have set up accounts in New Zealand.

Many recipients of the email are not Westpac customers. The hoaxers apparently used one of the lists of email addresses available for purchase on the internet, and sent the messages indiscriminately to New Zealand email users. Craig Whitmore, a systems administrator at Orcon Internet, says the ISP’s mail logs show it had received about 100,000 copies of the scam email in a day. “It really is a massive trawling exercise,” commented Westpac’s Gregory.

Although some were fooled by the bogus messages, others were alerted by flaws in the emails. The emails pretended to link to the domain, which is invalid — the correct address is — and did not convince some recipients. “There wasn’t a great deal of sophistication in the emails themselves,” says Gregory.

Many of the emails never reached the recipients. Orcon’s mail servers rejected the messages because the sender address used the invalid domain, Whitmore says. “Most mail servers should actually block it,” he says.

The bank posted a note on its banking login page yesterday, warning customers about the scam, and was planning to contact online customers directly. The police e-crime unit is investigating.

Spotting phoney internet links

Internet links usually contain only the server name and sometimes page location: Sometimes, links can also contain username and password information: If the server doesn’t require authentication, it will ignore the username and password. Scam artists put the expected server name in the username field, and build links that actually point at a completely different server. To disguise it further, fraudsters will cloak the real server name with other characters, as the Westpac hoaxers did: Although that link appears to point at — actually an invalid address — it will instead direct browsers to the server, located after the @ symbol.
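The check described in the sidebar can be automated. The following is an added example, not part of the original article: it splits a link the way a browser does and flags a server name planted in the username field. The function name, flag names and sample links are constructed for illustration, using reserved example domains and documentation IP addresses.

```python
import re
from urllib.parse import urlsplit, unquote

# A DNS-shaped string (label.label.tld) inside the userinfo is a decoy host.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def inspect_link(url):
    """Report the host a browser will contact and any cloaking in the userinfo."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    decoy = None
    if "@" in parts.netloc:
        # Everything before the last '@' is userinfo, never the server name.
        userinfo = unquote(parts.netloc.rpartition("@")[0])
        warnings.append("userinfo-present")
        match = HOSTLIKE.search(userinfo)
        if match and match.group(0).lower() != host:
            decoy = match.group(0).lower()
            warnings.append("userinfo-imitates-host")
        # Assumption: percent-encoded control bytes or spaces stand in for the
        # "other characters" used as cloaking; the article does not show them.
        if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in userinfo):
            warnings.append("userinfo-padding")
    return {"real_host": host, "decoy_host": decoy, "warnings": warnings}


# Constructed sample links (reserved example names and documentation IPs).
SAMPLES = [
    "https://www.bank.example/login",
    "http://www.bank.example@198.51.100.23/verify",
    "http://www.bank.example%01%01%01@phish.example/verify",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = inspect_link(link)
        print(f"{link}\n  connects to: {result['real_host']}"
              f"  decoy: {result['decoy_host']}  flags: {result['warnings']}")
```

A mail gateway or link scanner can apply the same test to every `href` in an incoming message and quarantine anything flagged `userinfo-imitates-host`.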
