The CEOs of two major New Zealand banks say Facebook is rife with fraud – and that Meta is too busy making money from scam ads to try and stop them. Duncan Greive reports.
The story would have been dystopian a few years ago, but is now routine, almost unremarkable. A pensioner sees an advertisement starring prime minister Chris Luxon, encouraging investment in cryptocurrency. Within weeks she transfers over $200,000 through a series of accounts and exchanges. Only too late realising she’s been caught by sophisticated scammers, and that the money will never return.
It ran on the cover of the Herald on Sunday on October 20. The victim’s name is Jill Creasy, a Taranaki grandmother. The story was broken by Lane Nichols, who has spent much of the last year detailing the excruciating impacts of the scam economy. Creasy told Nichols, “first of all I felt angry and then I felt foolish, then I felt really ashamed.” The story mentions TSB, her bank, nine times. It mentions Facebook, the platform where it all began, just once.
This is a microcosm of how we view the issue as a country – it’s a problem for the person being defrauded, and for their bank. For Facebook, which ran the ads in question, it’s a profit centre. Running scams on Facebook featuring a fake celebrity has been a huge business for years – in 2018, it was often Facebook founder Mark Zuckerbeg himself with the favoured currency iTunes gift cards. Now it’s most often Elon Musk and crypto.
As Dylan Reeve reported for The Spinoff in August, the decaying but still widely used platform seems to make no real effort to pull down scam ads, even when users make repeated attempts to inform the company of its dangerous, fraudulent and defamatory advertising. Reeve details dozens of attempts to report clear scams, featuring impersonations of celebrities and news sites, only to be told “the page doesn’t go against our Community Standards”. This goes for regular users, but also for banks, at least one of which spent months reporting a scam ad featuring its logo, ultimately giving up due to a lack of response from Facebook.
It’s part of a vast scam ecosystem running in New Zealand, one which the government’s New Zealand Cyber Security Centre estimates costs us $3.8m per week, close to $200m per year. The rise of deepfakes, and the way generative AI has made technology far more accessible to scammers, has seen a sharp rise in both the volume and sophistication of scams. These range from simple Facebook Marketplace fraud, to elaborate cons run from offshore. And because Facebook is a place all major corporations and government departments show up for everything from advertising to customer experience, many users have trouble distinguishing advertising and legitimate communication from scammers.
Those running banks in New Zealand don’t dispute that they have a crucial role to play in stopping scams. They say they have doubled investment, and introduced significant new controls and reporting channels which have helped prevent the problem from growing further. But they feel strongly that Meta, the parent company of Facebook, is completely indifferent to the harm it’s visiting upon its own users and the banks’ customers. Their statements are unusually strong, for the normally mild language of corporations – particularly those which interact with one another, on advertising or as bank clients, every day.
“For a company that’s amongst the most valuable in the world, with an absolute black belt in creating algorithms that drive behaviour, I cannot for life of me understand how Meta wouldn’t be able to be amongst the most effective at blocking this type of thing,” says Kiwibank CEO Steve Jurkovich. Meta makes enormous investments in AR, VR and AI – yet banks say they cannot get a response from Meta, and claim no substantive engagement on solving scams.
Westpac CEO Catherine McGrath concurs. “They’re making money out of placing the fake ads, and with all the tools and expertise and cash that they’ve got, they’re not responding to try and find the needle in a haystack. To say, ‘how do we immediately close that down?’”
Meta refused to be interviewed for this story, but provided a statement. “The safety of our users is of utmost importance. We continue to invest in new ways to stop scammers and deepen our collaborative efforts with industry partners including the banks, the government and law enforcement on this important issue.” (Both CEOs I spoke to strongly reject this characterisation – they describe the relationship as essentially non-existent.)
Meta also provided various information around its efforts to prevent scams, including that it is testing new technology to detect when public figures are used in advertising, though that clearly has arrived too late for many victims. It says that advertisers now “may be asked” to provide a phone number before placing an ad.
The Meta spokesperson noted that it has invested US$20bn in “teams and technology to enhance safety”. It’s a large figure, but less impressive in context – since 2021, Meta has spent more than twice as much on creating its largely unused “metaverse”, and over US$90bn on stock buybacks, designed to inflate its share price. Its ability to spend on engineering to counter scams is essentially limitless – Meta’s sales increased 19% year-on-year, but profits leapt by 35% over the same period, to US$15bn for its most recent quarter. What the bank CEOs are saying is that failure to fix the issue is a choice. And that while their profits are highly scrutinised, they are dwarfed by those of Meta.
To this point, there has been little pressure on Facebook for its role in the scam chain. When a customer is defrauded, news media, politicians, agencies and the public typically focus on the banks. (This is starting to change in news media – recently Nichols diligently interrogated Facebook’s role in a follow up to the original story about Creasy’s losses.)
Politicians remain fixated on banks. Consumer affairs minister Andrew Bayly has largely targeted them during his first year in the portfolio. He has been withering in his criticism and firm in his expectations that they do more to prevent fraud. He wrote an open letter earlier this year, urging them “to take immediate and concerted action to enhance your processes and protections to better safeguard your customers from scams and fraud.”
The banks, fighting negative publicity on multiple fronts, have heard the message, says Jurkovich. Bayly says one of his requests – confirmation of payee, which matches account holder’s name to the account number – is now being rolled out, and should be system-wide by Easter (a representative for the Banking Association says this was already in motion when Bayly made his request). Jurkovich says the big banks’ leadership now meets weekly to share information about scams, and has made significant progress over the past year, with more attempts but lower losses as a result – Westpac says it recovers $9 for every $10 either stolen or attempted.
All this has come at a significant cost, according to Jurkovich. “[Kiwibank has] tripled our investment to try and lift our capabilities, from what I think were pretty good, to trying to be much better. Because, of course, the threat has gone up heaps… In terms of the dollars involved across the industry, I’ll be amazed if they haven’t doubled in the last six to 12 months.”
McGrath talks about fraud and scams in terms of an on ramp and an off ramp – in business terms, you might call it the difference between lead generation and sales. “How do customers get entangled in the first place? The on ramp would tend to be social media. It could be coming through your phone in terms of text. Less often now it’s somebody approaching you in person, because we’re all quite leery about somebody doing something like that.
“Banks, in my view, are the off ramp. with a payment mechanism and payment rails. The banks are doing a massive amount of work to try and find the needle in the haystack out of the millions of payments that we make every day.” What is the equivalent work being done on the social media side? It’s “almost nonexistent”, says McGrath.
The CEOs of major banks are not typically sympathetic characters within New Zealand. There is currently an inquiry into banking competition before the finance select committee, in part due to record profits which seem almost impervious to the economic cycle. The AFR reported that the big four Australian-owned banks generated $7.4bn in profits last financial year, for a return on equity of 13.4% – making ours by some measures amongst the most profitable banking sectors in the world.
Investment banker Andrew Body typifies the view of some that the banks are regulated into extreme conservatism and avoidance of true competition, describing the sector as an “oligopoly” mired in “stasis”. The thesis is that the status quo reduces the kind of risk tolerant lending our business sector needs, and slows the advance of competition through the likes of open banking. The fact the CEOs mention that open banking competitors would struggle to match their investment in scam detection might back up the view that they are resistant to more competition.
Banks are also hardly blameless in the scam ecosystem. Nichols’ superb reporting for the NZ Herald has revealed eye-watering failures from banks, including a Westpac customer who lost $200,000 after being wrongly assured an account was in his name, and a Kiwibank customer who lost $300,000 months after an FMA warning about this type of scam. All the major banks have experienced failures of process which have seen victims lose massive sums. Given they make enormous profits, their patchy record on reimbursement makes their claims to be victims too hard to square.
Still, the reason we have so much knowledge and visibility of banks’ business is that banking is one of the most regulated activities in New Zealand. Banks are overseen by the Reserve Bank at a top level, and by the Financial Markets Authority at a product level, with an Ombudsman who can be appealed to when the public is unsatisfied with the banks’ response.
This is because we recognise that holding money, loaning money, investing money and earning interest on your customers’ money are all activities which require extreme levels of caution. It’s a result of decades of careful thinking – and of them being born at a time when the government had a far more muscular sense of its role in business and society.
By contrast, search and social media arose during a global period in which regulation was a dirty word. There was a sincere belief that the nascent internet of the early 90s was a fragile, beautiful thing, which could be crushed by an excess of rules. Into that vacuum were born companies like Google, Amazon and Facebook. Starting small, they became leviathans. This was because they built incredible products, but also because there were no specific rules to restrain them. That remains largely true – particularly in New Zealand.
One example of this is advertising, the source of well over a billion dollars in combined annual revenue for Google and Meta. Where traditional media’s clients are highly vetted, and there are significant penalties and outcry when real or perceived violation of codes occurs, there is no similar oversight or consequence for search or social media advertising. All this helps explain why we have come to accept that frauds and scams which originate through Facebook posts and advertising are a problem for banks, but a profit centre for Facebook.
Last week, ASB chair Dame Therese Walsh sounded a warning during a select committee hearing on banking competition. “They are not required to fully participate in New Zealand society. Pay taxes, employ people, meet the rules and regulations, et cetera. That is actually a big concern of the way we’re going, that it’s going to be really difficult if we don’t create a level playing field.” She was talking, with some self-interest, about new entrants into the open banking sector. However what she says perfectly describes the operating conditions for giant social media companies too.
Kiwibank says 40% of scams originate on social media, largely Facebook – by far the biggest single source. Westpac puts the number at 30%, though says it’s a conservative estimate, as a customer can be unaware of how they became a target, giving up their email address or phone number innocently, only to have it used for something malicious. Singapore has more specific notification requirements, and says that fully 50% of scams originate on Meta platforms. The top two scams, according to Westpac, are both relatively low dollar – “fraudulent e-commerce” is the most common, followed by “classifieds / goods / services / marketplace scams”.
E-commerce fraud is in some ways the original sin of internet scams. It often involves someone misusing someone else’s credit card number to make purchases for themself. The credit card number might be obtained in bulk after a hack on the dark web, or through a fake site which convinces a user to input their credit card details, potentially through a Facebook ad. The second category is a more recent, and faster growing phenomenon.
“There’s really low due diligence to sell something on Facebook Marketplace,” says Jurkovich. “So anyone can go on there and report to be selling something. And Meta’s response to it has been zero.” McGrath agrees, pointing out that this growth area impacts young people, and is likely wildly underreported. “We tend to think that scams impact older people. The Marketplace type scams more impact young people, right? And it’s for small amounts, but it’s for a higher frequency.”
Marketplace is a product that competes with the likes of TradeMe in New Zealand – but lacks many of the guardrails which exist there, such as a list of feedback and transaction history. Wired reported earlier this year that it has become awash with phishing links, whereby users will send a fake link to a transfer site like Zelle in order to fraudulently capture the seller’s bank details. It also exists on the other side of the transaction – a study by Lloyds bank says Marketplace is the biggest global source of scam tickets to live events.
The fact of it being small dollar amounts makes it very difficult for the bank to flag them as suspicious, as they appear indistinguishable from regular day-to-day transactions. Adding to the issue is the fact that the so-called “mule” accounts associated with the scams can have the appearance of legitimacy. McGrath says a typical source would be an international student leaving at the end of study, selling the account they have used while here to a scammer. It has a three year history of ordinary, legitimate transactions, before becoming the basis for scams.
Investment scams rank fifth in Westpac’s list of the most common categories – but because of their scale can be the source of the most troubling stories, like that of Taranaki pensioner Jill Creasy I mentioned at the beginning. Jurkovich and McGrath both cite a huge acceleration in the volume and sophistication of such scams. McGrath says that what is making this more difficult is that the quality of the scammers and the digital infrastructure they deploy is increasing all the time.
Where once a fake bank site or email was characterised by grainy graphics and frequent typos, now they can be near-indistinguishable from the real thing. The same goes for those who get a prospective victim on the phone – Jurkovich says they have studied the scripts of bank employees, and they will coach customers to give the right answers to bank workers questioning a transaction.
“Where scams are really hard, is I can’t look for any markers that say it’s not you moving the money, because it is you moving the money,” says McGrath. “You think you’re doing the right thing. However, you’ve been bamboozled by somebody… Nobody wants to be on the receiving end of somebody saying, ‘I’ve lost my life savings’. We say, what could we have feasibly done?”
For banks that have spent years trying to create strong digital products and reduce friction, they’re now contemplating introducing more of it – most prominently confirmation of payee, matching account names to numbers. This will certainly interrupt some types of fraud, but it’s common for an investment fraudster to invent a story about why a transaction needs to go into a particular account to “cool off” before reaching its destination. So no one in banking believes it to be a total solution.
Social media is not the only place fraud happens. In recent years there has been a proliferation of SMS-based fraud, with messages purporting to be from banks, NZTA, Customs or the IRD, containing a short-code link to a website. For a period of time, these were arriving almost weekly. To send them, all a scammer needed was a large list of phone numbers, and use one of a number of different text marketing services or devices to widely distribute their phishing link.
In this case these numbers were ultimately associated with particular New Zealand cell connections, typically with accounts at Spark, One NZ or 2 Degrees – the big three telecommunications providers. According to Jurkovich, the contrast between such companies and Meta could not be more stark. “It’s almost the complete opposite, which is a real willingness to share capability, real willingness to share knowledge. No bunfight between Spark, 2 Degrees and One NZ – they recognise that they have to lift their capability in unison.”
The heads of the telecommunications companies have sometimes joined bank CEOs on their scam prevention calls, according to Jurkovich, who says it’s a clear indication of the seriousness with which they view the issue. And a stark contrast with Facebook. Like banking, telecommunications is an area in which competition, pricing and consumer outcomes are highly scrutinised, with regular market studies, and the motherlode which was the separation of Telecom from Chorus in the 2000s.
Beyond the regulatory regime, Jurkovich says it’s also about how accessible the New Zealand businesses are. “I think it is as simple in some ways as you know, we’re on the high street and we’re easy to find. You know, where do you go to find Meta in New Zealand? They’re everywhere and nowhere.”
That extends to the government too. Who exactly is charged with overseeing the social media companies? We have a minister for racing, a minister for arts, a minister for sports – even a minister for space. Yet even figuring out which minister oversees social media is difficult. A few years ago I asked then-broadcasting minister Willie Jackson who he thought was responsible for the social giants. “I guess it’s me,” he replied.
Last week I asked DPMC, the all-powerful group which sits behind the prime minister and cabinet. They told me it was internal affairs minister and Act deputy leader Brooke Van Velden. I requested an interview, only to be told that “after discussions here, we’ve realised this is one for the minister of commerce and consumer affairs, Hon Andrew Bayly.” It feels telling that as far as social media goes – among the most influential developments in the history of the internet – the government still isn’t quite sure who is in charge.
Bayly has only been given the specific responsibility of social media within the scams context in the last few weeks. I spoke to him for half an hour on a Friday morning, and he stressed that he had been working hard to get up to speed on its role in scams. He says his preference is for a multilateral approach, largely because he fears for our ability to legislate in isolation. “The unfortunate thing is, they are obviously a global company, and New Zealand’s a very small part of that pie.”
The perception that it is too large, and New Zealand too small, is to Facebook’s distinct advantage. You detect a strain of fear when talking to politicians about large technology companies – that due to their geopolitical nature and immense entanglement with our lives, no one wants to upset them. “Everyone’s struggling with the social media platforms,” says Bayly. “It’s not just New Zealand, Australia is struggling with it, Singapore struggles with it. France and Britain. Everyone’s struggling with it.”
That’s not particularly accurate. Australia has introduced legislation to fine both banks and social media companies up to $50m for failure to prevent scams. Singapore has changed regulations to require verification of sellers. Malaysia has gone step further, requiring large social platforms to apply for an annual licence to operate in an effort to curb rampant scams and cyber-bullying. Meta has criticised the law as likely to prevent “innovation” in social media. Society can decide which problem it thinks is the more egregious.
What Bayly seems to be hoping is that by working closely with counterparts in Australia and Singapore, New Zealand might be able to catch up from what currently feels like a long way back on technology and scams. He says that Meta has signed with the FMA about verifying the identity of financial services advertisers as evidence of progress – though when contacted, the FMA said it was in fact Google that signed the agreement.
Bayly is not currently considering a fines-based system of coercion, and wouldn’t contemplate withdrawing government advertising from social media because “some people, that’s the only place they go”. Today, at the start of ‘fraud week’, he is announcing a push to create greater co-ordination between banks, social media companies and telcos around scam activity.
He says this is needed in part for fear of pulling down accounts associated with legitimate businesses. Based on Reeve’s reporting, it’s not clear that Facebook is remotely interested in pulling down the accounts of paying clients, regardless of how illegitimate their businesses are. Until it is incentivised to do so, scammers will likely continue to be a bank problem and Facebook income stream.
Catherine McGrath took up her role at Westpac during the pandemic, after a long period working in the UK. She finds the level of effort and thought which has gone into social media here wholly inadequate. “In the UK, they’ve put in legislation in 2023 and that starts to put accountability around fake ads. In Australia, they’re doing some quite interesting work, particularly on scams, where the government there is intending to put onus on social media companies as well as telcos and banks – the whole ecosystem, to make culpability clear and to make sure everybody’s incentivised to protect Australians.
“I would love our government here to do the same thing.”
As of today, there is no momentum around that outcome. We continue to live with the consequences of a highly regulated sector abutting a completely unregulated one, with consumers the casualty in between. There is no minister wholly responsible for social media, which sits unloved among a pile of portfolios, nor any momentum building for creating one. Facebook takes the profits from selling scam ads, while banks – and ultimately New Zealanders – hold the losses.
I asked McGrath why they continued to show up on Facebook at all. Whether their presence there – for customer service, for content, for advertising – both funds and legitimises a platform which has shown by its actions an indifference to banks, by being paid to run ads for criminal activity targeting bank customers.
“I think it is worth contemplating”, says McGrath, of whether the bank should consider leaving Facebook. “If, as an industry, we don’t think they’re stepping up, then one of the ways to help your customers not get fooled is to say we won’t put any of our stuff on it. So if you see anything with a big red W on it, it’s definitely not us…. I think there’s an interesting principles-versus-pragmatism debate that is definitely worth exploring and thinking about.”
This is not without precedent. Media giant Stuff made the decision to cease posting to Facebook entirely in 2020, while beauty giant Lush did the same in 2021, with its accounts now sitting dormant under a header reading “be somewhere else”. Jurkovich said Kiwibank had not considered the idea, but would not rule it out. Both CEOs are stunned at the way the level of scrutiny and expectation from the government towards banks is not matched by any significant effort from the social giant.
Speaking to people in government, there is a sense of impotence. That New Zealand is too small to get the attention of Facebook, and that the best way to achieve change is by joining other countries in multilateral approaches. It’s true in theory, but Facebook is approaching its 21st birthday, and only speeding up. It’s to the company’s distinct advantage for legislators to hold back, and to focus their attention on companies it can control. In the meantime, Facebook will keep running whatever ads it’s paid to, and only grow larger, stronger and harder to control.