Bank liable for $48,000 loss through fake NZTA website

Categories: Fraud and scams
Summary:
In May 2024, Kobe received a letter from the NZ Transport Agency Waka Kotahi (NZTA) about overdue tolls. Shortly afterwards, he received a text message instructing him to pay the tolls. The text message directed him to what appeared to be the NZTA’s website, where he entered his debit card number to authorise payment of the tolls. He was sent a text message with a two-factor authentication code from his bank to register for Google Pay, and he entered this into the website.
Published: May 2025

The text message supposedly from NZTA was a scam, as was the website. Kobe had unwittingly provided his card information to a scammer. The text message Kobe received with a code was really from his bank, but its purpose was not to authorise a payment (as Kobe thought). It was to set up his debit card to make payments on another device using Google Pay.

The scammer made payments totalling $48,000 before the bank's security systems flagged the activity as unusual. Kobe asked the bank to reimburse him for his loss, but it refused, saying he had acted negligently by entering his card details and breached the bank’s terms and conditions by sharing the code.

Our investigation

We did not think Kobe had acted negligently in falling for the scam, for three reasons. First, he in fact owed NZTA money and had received a reminder letter from the agency about the debt, so the text message was not unexpected or out of the blue. Secondly, other government departments had contacted Kobe via text, so it did not seem unusual that NZTA would do so. And thirdly, the fake website looked convincingly like NZTA’s website and contained nothing unusual or suspicious to suggest to a reasonable person that it was a scam. In these circumstances, it wasn’t negligent for Kobe to enter his card details into what appeared to be NZTA’s website to make a payment.

And as for the two-factor authentication code he received from the bank, Kobe did not know what Google Pay was, and the message accompanying the code did not explain what "registering Google Pay" meant (setting up access to his card on a new device) or where to enter the code (into the Google Wallet app). We therefore concluded Kobe had not acted negligently by entering the code into the website.

Outcome

We recommended the bank reimburse Kobe the full $48,000. Kobe accepted our recommendation, meaning the bank was obliged to reimburse him.
