Personal Protection Guide

Account Takeover Fraud

Criminals gain access to your bank, email, or social media accounts — then drain funds or lock you out.

1 in 10: Adults affected by account compromise
Banking apps: Most targeted account type
Hundreds p/a: SIM swap reports to carriers (2024)
12+ weeks: Avg time to detect ATO

What is Account Takeover Fraud?

Account takeover (ATO) fraud is where a criminal gains unauthorised access to your online accounts — banking, email, social media, or e-commerce — by stealing credentials through phishing, data breaches, SIM swapping, or credential stuffing attacks. Once inside, they may drain bank accounts, make purchases, or use your identity to defraud your contacts.

SIM swap fraud is a particularly damaging form of ATO, where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. This bypasses SMS-based two-factor authentication, giving them access to your banking and email. Multi-factor authentication apps (not SMS) and strong, unique passwords are the best defences.

Written by FraudInsurance Editorial Team · Updated May 2026

What Account Takeover Fraud Involves

  • SIM swap fraud bypassing SMS two-factor authentication
  • Credential stuffing attacks using leaked passwords
  • Phishing attacks harvesting banking login details
  • Keylogger malware capturing your username and password
  • Email account hijacking to reset banking passwords
  • Social media account takeover for financial fraud

How to Protect Yourself

  1. Use an authenticator app (Google Authenticator, Authy) instead of SMS for 2FA
  2. Use a unique password for every account — a password manager makes this easy
  3. Check haveibeenpwned.com to see if your email has appeared in data breaches
  4. Set a PIN or passphrase lock on your mobile account with your carrier
  5. Enable login notifications on all banking and email accounts
  6. Report SIM swap fraud immediately to your carrier and bank

What is Account Takeover Fraud?

Account takeover (ATO) fraud is a specific form of identity and financial crime where a criminal gains unauthorised control of one or more of your online accounts — most critically banking accounts, but also email, social media, e-commerce, and investment accounts. Once in control, the criminal can drain funds, make purchases, access sensitive information, or use your account to defraud your contacts. Account takeover differs from general identity theft in its immediacy and directness: rather than creating new accounts in your name, the criminal takes control of existing accounts with real funds and established relationships. This directness is what makes it so financially damaging.

SIM Swap Fraud: A particularly dangerous form of account takeover where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they receive your phone number, they can reset your banking and email passwords via SMS verification codes — bypassing two-factor authentication entirely.

Credential Stuffing: Using large databases of username-and-password combinations from data breaches to systematically attempt logins across banking, shopping, and other platforms. If you use the same password across multiple sites, and one site suffers a data breach, every account using that password becomes vulnerable.

Phishing for Credentials: Fake websites or emails that collect your username and password when you "log in" — giving criminals direct access to your real account.

Keylogger Malware: Software installed on your device (through a malicious download, phishing link, or compromised website) that records your keystrokes and transmits your credentials to criminals.

Email Account Hijacking: Taking control of your email account — often through phishing or credential stuffing — and then using the "forgot password" function on banking and other sites to reset credentials and gain access.

How Account Takeover Fraud Happens in New Zealand

Account takeover fraud uses several distinct methods, each with different warning signs and prevention measures. Understanding the specific attack vectors helps you prioritise your defences.

SIM Swap Attack Anatomy: The criminal contacts your mobile carrier (Spark, One NZ, 2degrees, Skinny, etc.) by phone or online, impersonating you. Using personal information gathered from social media, data breaches, or previous phishing attacks — your name, address, date of birth, sometimes your account PIN — they convince the carrier to port your number to a new SIM. From this point, all SMS-based two-factor authentication codes go to the criminal's phone, not yours. Your phone loses service (often the first sign you notice). Within minutes, the criminal resets your banking passwords using SMS verification and drains your accounts.

Credential Stuffing from Data Breaches: International data breaches — thousands of which occur annually — generate vast databases of email/password combinations. Criminal groups purchase or obtain these databases and run automated tools testing the credentials against banking sites, PayPal, e-commerce platforms, and other targets. If you use the same password across multiple sites, a single breach of any one of them compromises all your accounts.

Social Engineering of Mobile Carrier Call Centres: Criminals can obtain enough personal information from social media and other sources to successfully impersonate you to a carrier's call centre. Carriers have improved verification processes, but trained social engineers can still succeed, particularly if the call centre representative is having a busy day and takes shortcuts on verification.

Phishing Campaigns Targeting Banking Apps: Sophisticated phishing messages — often arriving as text messages — direct you to convincing fake versions of your bank's login page. Your credentials, once entered, are captured and used immediately. Some phishing attacks are real-time: the criminal is waiting for your credentials and uses them while you are still on the fake site.

The Damage Account Takeover Causes

Account takeover fraud causes a range of direct and downstream harms that can extend well beyond the immediate financial loss.

Immediate Fund Transfer Losses: The most obvious harm — criminals transfer funds from your bank account immediately upon gaining access. Bank transfers can occur within minutes. Savings, term deposits, and linked investment accounts may all be accessible. For accounts with high balances, the losses can be catastrophic.

Identity Theft Downstream: Email account takeover is particularly dangerous because it enables further fraud. A criminal who controls your email can reset passwords on any account linked to that email, access personal correspondence containing sensitive information, impersonate you to your contacts, and intercept communications from your bank and other institutions.

Credit Applications: With email access and enough personal information, a criminal can complete credit applications in your name — personal loans, credit cards, buy-now-pay-later accounts — adding financial obligations you will need to dispute and remove.

Difficulty Reversing the Damage: Unlike card fraud (where the bank can block the card and reverse transactions), account takeover can result in funds being transferred out and moved multiple times before you are aware. Recovery depends on the speed of your response and the willingness of the receiving bank to cooperate with recall requests.

Reputational Damage from Account Misuse: If your social media, email, or messaging accounts are taken over and used to defraud your contacts — requesting money, spreading malware, or sharing inappropriate content — the reputational damage can be significant and long-lasting.

Psychological Impact: Account takeover is a violation of privacy and security that many victims find deeply distressing. The time and stress of recovery — changing passwords across dozens of accounts, liaising with banks and carriers, monitoring for ongoing misuse — is considerable.

What Banks Cover and What They Don't

How banks treat account takeover claims depends significantly on the specific circumstances — particularly on whether the takeover involved genuine hacking (without your participation) or whether you provided credentials through phishing.

SIM Swap vs Customer Negligence: When a criminal successfully executes a SIM swap and drains your account, this is generally treated as unauthorised access — you took no action that gave the criminal access; they exploited a vulnerability in the carrier's verification process. Banks have generally reimbursed SIM swap victims, though the process can require escalation and persistence.

Zero Liability Conditions: Banks' zero-liability guarantees apply when you have taken reasonable security precautions and the access was genuinely without your participation. If you provided your login credentials to a phishing site — even if you were deceived — the bank may characterise this as your having shared your credentials voluntarily, which may affect your claim.

Cases Where Banks Have Denied Claims: Banks have denied account takeover claims in cases where: the customer used a weak or reused password that appeared in a known data breach; the customer clicked a phishing link and entered their credentials; the customer shared their access codes with a family member; or the customer delayed reporting. Whether these denials are appropriate is regularly contested through the Banking Ombudsman.

What to Do If Your Bank Declines: If your account takeover claim is declined, escalate through the bank's internal complaints process and then to the Banking Ombudsman (bankomb.org.nz). The Ombudsman has ruled against banks in cases where the victim took reasonable precautions and the bank failed to detect obviously suspicious activity.

The Practical Position: If your account is taken over and your bank is investigating, cooperate fully, provide all information about how the takeover happened, and document everything. Do not assume the bank will not reimburse you — the outcome depends on the specific facts.

What to Do If Your Account Is Taken Over

Speed is the most critical variable when responding to account takeover. The faster you act, the better your chance of limiting losses and recovery.

Immediate — Call Your Bank First: If you notice your phone has lost service unexpectedly (possible SIM swap), or if you receive notifications of password changes or transactions you didn't initiate, call your bank immediately using the number on the back of your card — not any number from an email or text. Ask them to:

  • Freeze all accounts immediately
  • Reverse any recent transactions where possible
  • Issue new account numbers and cards
  • Place a fraud flag on your file requiring additional verification for all future transactions

Lock Your SIM With Your Carrier: Call your mobile carrier (Spark, One NZ, 2degrees, or your virtual carrier) immediately if you suspect a SIM swap. Ask them to lock your SIM against any port-out requests and review recent account changes. If a SIM swap occurred, they can reverse it and restore your number.

Change All Passwords from a Clean Device: Using a device you are confident is not compromised (not the one you believe has malware), change passwords on all accounts — starting with your email, then banking, then everything else. Use unique, strong passwords for each account.

Report to NZ Police (105): File a police report to obtain an official crime record. This supports the insurance claim process and any recovery action.

Enable Stronger Authentication: After securing your accounts, enable authenticator-app-based multi-factor authentication on all important accounts. Remove SMS-based authentication where possible — SIM swap attacks bypass SMS.

Check All Linked Accounts: A compromised email account or banking account may have been used to access other linked services. Check all accounts linked to the compromised one for unauthorised activity.

How to Protect Your Accounts from Takeover

Account takeover prevention is primarily about reducing the number of ways a criminal can obtain your credentials or bypass your authentication. Each layer of protection you add makes you a harder target.

Unique Strong Passwords for Every Account: This is the single most important protection. A password used on one site that is later breached gives criminals access to every account using that same password. Use a password manager — LastPass, 1Password, Bitwarden, or your device's built-in manager — to generate and store unique passwords. You only need to remember one master password.

Authenticator App-Based MFA (Not SMS): Enable two-factor authentication on all accounts that support it. Critically, use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS — authenticator app codes cannot be intercepted by SIM swap attacks.

Set a PIN or Passphrase with Your Mobile Carrier: Contact your carrier and ask them to add a port-protection PIN or passphrase to your account. This requires anyone requesting a SIM swap or number port to provide the PIN — a critical protection against SIM swap attacks.

Account Lock Features: Many banks and email providers offer optional account lock features — requiring in-person verification before certain changes can be made, or sending alerts for any account setting changes. Enable these features.

Security Questions You Don't Answer Truthfully: Security questions ("What was your first car?") can often be answered from social media research. Consider using nonsense answers stored in your password manager — "first car: purple elephant47" is not findable from your Facebook posts.

Credit Freeze as Downstream Protection: A credit freeze with all three bureaus prevents a criminal who has taken over your identity from opening new credit accounts in your name. It's a meaningful downstream protection for high-risk individuals.

Account Takeover Insurance: What Exists?

Account takeover is primarily addressed through bank zero-liability guarantees rather than standalone insurance products in New Zealand. Here is an honest assessment of what coverage exists and what the gaps are.

Bank Zero-Liability Guarantees: As discussed throughout this guide, your bank's zero-liability policy should cover genuine unauthorised account access — including SIM swap attacks and hacking. This is the primary financial protection layer for most individuals. The limitations relate to cases where you were involved in providing credentials (phishing) or where negligence is alleged.

NZI Cyber Cover for Individuals: NZI offers a cyber safety product that includes some individual identity and account protection features. This is an emerging product category in New Zealand — personal cyber insurance for individuals rather than businesses. Coverage typically includes identity restoration support and some financial loss coverage for account takeover scenarios. Availability and terms may change — check directly with NZI or an insurance broker.

Business Cyber Insurance: For business owners and self-employed individuals, business cyber insurance (from DUAL, NZI, Delta, or others) typically covers business account takeover events as part of the cyber coverage suite. This does not cover personal accounts but is relevant for protecting business banking and systems.

What's Coming: The personal cyber insurance market is developing globally and locally. As account takeover and identity theft losses increase, insurers are developing individual-focused products. FraudInsurance.co.nz monitors these developments and will update this guide as new products become available.

The Gap Summary: For personal account takeover, your primary financial protection is your bank's guarantee (for genuinely unauthorised transactions), supplemented by IDCARE support services for recovery assistance. There is a coverage gap for phishing-related credential loss where the bank may argue partial responsibility. This gap is an argument for the strongest possible preventive measures — authenticator apps, unique passwords, carrier port protection — rather than a gap that is currently insurable in New Zealand for individuals.

Frequently Asked Questions

SIM swap fraud involves a criminal impersonating you to your mobile carrier and convincing them to port your phone number to a new SIM. This lets the criminal receive your SMS verification codes, bypassing two-factor authentication. Carriers have implemented additional verification steps after a series of high-profile SIM swap fraud cases.

Protect Your Business Too

Personal fraud awareness is the first step. If you run a business, commercial crime and cyber insurance provide critical financial protection.