Kiwi doctor's horror as $51,000 drained from bank account in text scam

"The message will use social engineering triggers of urgency, fear, and opportunity to elicit a response." Photo credit: Image - CERT NZ & Getty Images

A doctor who received a text saying $2000 would be deducted from her bank account lost $51,000 within seconds in a highly effective phishing scam. 

Baswati, whose last name we've agreed not to share, had just finished a long day at a hospital several weeks ago when she received a text that read: "I have to make a payment of $2,000 - to view or cancel this payment please click this link." 

Baswati inspected the link with the suspicion it could be a scam - but the link had her bank's name listed in the URL, so she thought it was legitimate.

"So I clicked on it."

The link took the doctor to what looked like her bank's home page, where it asked for her internet banking access code. Baswati entered her access code and within seconds lost all of her life savings. 

"Something funny started happening with my mobile and I could see some numbers flashing," she said. "It took me a minute to realise that something was wrong."

Baswati left the fake bank website and checked her internet banking app. 

"All my money was gone - $51,000, it was all gone, gone! It was devastating."

She said the scammers hadn't just taken the money from her account, but had also withdrawn money from her credit card.

The doctor reported the scam to her bank's fraud office and the police straight away, while they worked to figure out what happened to Baswati's money.

The three weeks that followed were horrible.

"I couldn't sleep," she said.

She told Newshub an investigation by her bank found the money had been transferred to an unknown account in Australia, but the bank could only retrieve $123. 

Luckily for Baswati, her bank refunded her money in full.

She told Newshub she felt lucky to be on a salary that makes living comfortable - but said if she didn't, she would have struggled.

"I was just thinking of people who don't actually have that security, it'll be a very sad situation for them."

Baswati considers herself to be tech-savvy and said what happened to her "can happen to anybody". She told Newshub the experience has left her traumatised.  

"I have become so careful, I do not click on anything that gets sent to me now."

She is urging Kiwis to be extra vigilant so they don't end up in the same boat as her. 

"Don't click any links, I have learnt it the hard way... We need to stop these messages - delete them when you receive them."

Phishing scams increasing at 'alarming rate'

Acting Manager response at CERT NZ, Jordan Heersping, told Newshub phishing, also known as 'smishing', has increased at an "alarming rate". 

"Users are sent a short message and a link. The message will use social engineering triggers of urgency, fear, and opportunity to elicit a response."

Heersping urges Kiwis to access their bank via regular means instead of clicking on links that arrive via SMS.

He added that those who receive phishing messages should forward them to the Department of Internal Affairs on 7726, free of charge.

CERT NZ director Rob Pope said phishing is a "major concern". 

"It's simple to do, from a technical perspective, and it's a gateway to other kinds of incidents."

At the end of 2021, CERT NZ recorded $31.5 million in losses from phishing attacks. 

In CERT NZ's latest cyber security insights, it found more than 2000 incidents are reported per quarter with an average loss of $4 million. 

CERT NZ's advice on phishing attacks:

  • Go direct. Type the URL into the address bar or use bookmarks to access websites rather than clicking links in emails or texts.
  • Just ask. If you’re unsure about an email or text you’ve received, it’s a good idea to check in with the sender via another method like phone or text, or run it past a colleague, friend or family member.