Westpac customer service asks for SMS code

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Westpac customer service asks for SMS code - poor security?

robocat

109 posts

Master Geek

#320317 31-Jul-2025 01:44

When a Westpac customer service agent calls me they ask me to tell them an SMS code.

An example from another provider (Wise) state: "How to tell if you're talking to us: 1 We'll never ask for your password, or for an SMS code sent to your phone."

Westpac normalises having a person call and then requesting an SMS code.

A customer cannot verify that it is Westpac that is calling them, so a threat actor could fraudulently call and request that a customer tell them an SMS code (which could cause financial harm to a customer).

Mentioning here because:

1: I have reported this to Westpac. If anybody is scammed by someone asking for an SMS code, they can argue that Westpac themselves normalized that (might help if defending a claim).

2: I'm interested in the opinions of security professionals about this "security" practice.

3: I generally find Westpac security to be crap (1: proper 2-factor authentication unavailable - they use cellphone when other banks can provide a OTP token device; 2: their firewall blocked overseas users from accessing their account - issue lasted many weeks and personally caused me some troubles while I was traveling).

1 | 2

BDFL - Memuneh
79294 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3398586 31-Jul-2025 01:49

You're right. This is a shocking security practice.

geek3001

64 posts

Master Geek

ID Verified

Subscriber

#3398605 31-Jul-2025 07:53

I have adopted a policy when dealing with banks, or any other entity that requires me to provide over-the-phone proof of who I am.

If they call me, then I refuse to answer any ID or security-related questions.

I will ONLY answer ID or security-related questions if I have called them.

I would also seriously question being asked to provide an SMS code or OTP over the phone. What's next, asking me for my payment card PIN ?? We have been consistently told not to share these things.

If needs be, I will ask for the caller's name, and then call the bank on one of their publicly advertised numbers and proceed from there as it seems much less likely that I would be talking to a scammer by that method.

While I appreciate that my rationale might not be fully correct, it is based upon the notion that I have no way of checking the caller's bone fides, therefore I am not providing any ID info or answering any security-related questions.

cddt

1561 posts

Uber Geek

#3398607 31-Jul-2025 08:01

robocat: When a Westpac customer service agent calls me they ask me to tell them an SMS code.

This is an absolute red flag for a scam. Are you sure you haven't been scammed?

My referral links: BigPipe | Mercury

OldGeek

899 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#3398614 31-Jul-2025 08:29

Read this:

https://www.westpac.co.nz/personal/ways-to-bank/safety-and-security/how-to-spot-a-scam/#keeping-you-safe

--

OldGeek.

Quic referal code: https://account.quic.nz/refer/581402

Linux

11428 posts

Uber Geek

Trusted

Lifetime subscriber

#3398616 31-Jul-2025 08:32

I would of refused to hand it over and taken staff members name and then laid an official complaint with Westpac

BNZ sends a request to the App to approve and it is the great

nztim

3819 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#3398617 31-Jul-2025 08:32

ANZ and ASB send a notification to the official app on your phone, this is a far better practice

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

robocat

109 posts

Master Geek

#3398620 31-Jul-2025 08:40

cddt:

Are you sure you haven't been scammed?

It wasn't a scam: just normal business!

First time they were fixing THEIR cockup where they were charging my father's account every time I chose "savings". Took them over a month to work that one out - when dad saw a bill that he worked out was me. They were just calling to confirm they could transfer $1,612.75 out of my account to pay my Dad back for the erroneous transactions!

Second time was for detailed mortgage, income and expenses information a credit card application - no red flags there... right?

Personally Westpac security feels like security theatre. Both times they had called me on my cellphone but asked for the SMS code that was txted to me from a random 4 digit short number (so no way it verifies them).

The first time I declined and then she asked further security questions "what was your last transaction". Total bullshit.

My next step is to get a separate mobile number that I only use for banks.

At TSB, I requested an OTP token. They still confirm large transactions using SMS texts - you can't secure yourself against these arseholes.

My Westpac has a facility that allows 1/2 a house worth of cash to be taken out. The security for my account really matters to me. But I want that facility (optionality) so I don't want to just change banks.

Linux:

would of refused to hand it over and taken staff members name and then laid an official complaint with Westpac

That's a dik move. Don't take corporate decisions out on the staff that have no power. I'm not sure how to escalate it beyond emailing them a complaint and posting here about their crappy security practices.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Earbanean

944 posts

Ultimate Geek

#3398631 31-Jul-2025 09:12

Just for my education (and maybe others too), why exactly is confirming a code sent by SMS a security problem, if they had called you on that mobile anyway? Or would this be situations where they'd called a landline and were then potentially 'discovering' your mobile number?

freitasm

BDFL - Memuneh
79294 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3398633 31-Jul-2025 09:16

Earbanean:

Just for my education (and maybe others too), why exactly is confirming a code sent by SMS a security problem, if they had called you on that mobile anyway? Or would this be situations where they'd called a landline and were then potentially 'discovering' your mobile number?

If a scammer gains access to your bank account login and password (through some malware for example), they could login to your account and try to start a money transfer.

When confronted with the "We have sent a SMS to confirm this transaction", he could call you and pretend to be from the bank:

"Hi @Earbanean, I'm from Bank of Scam and there's something weird on your account. We just sent you a SMS to confirm you are the right person. Could you confirm the number in the SMS?"

You, not aware or busy with something, read the number. The scammer enters it online and your money is gone.

An app notification is much harder to fake. If someone from the bank calls you only their internal systems could send a notification to the app, that reads "I'm confirming this is from the bank"

Earbanean

944 posts

Ultimate Geek

#3398634 31-Jul-2025 09:26

freitasm:

If a scammer gains access to your bank account login and password (through some malware for example), they could login to your account and try to start a money transfer.

When confronted with the "We have sent a SMS to confirm this transaction", he could call you and pretend to be from the bank:

"Hi @Earbanean, I'm from Bank of Scam and there's something weird on your account. We just sent you a SMS to confirm you are the right person. Could you confirm the number in the SMS?"

You, not aware or busy with something, read the number. The scammer enters it online and your money is gone.

An app notification is much harder to fake. If someone from the bank calls you only their internal systems could send a notification to the app, that reads "I'm confirming this is from the bank"

Ah, I see. So the SMS code would be legit from the bank and the scammer needs to get it. I'd been thinking in terms of the scammers sending a code to your phone, which I couldn't really see the point of.

I guess in the case above from an unsolicited call I'd (hopefully) question why they'd send a code to the number they were ringing anyway - since my only number is my mobile. However, I'd say a lot of people definitely wouldn't. Particularly someone like my mum. So yep, a bit of a problem.

freitasm

BDFL - Memuneh
79294 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3398637 31-Jul-2025 09:33

The scammer only needs to get it right once. You have to get it right all the time. It's an imbalance. A lot of people will fall for it.

concordnz

474 posts

Ultimate Geek

Trusted

EMT (R)

#3398653 31-Jul-2025 10:27

A complaint to Westpac will achieve nothing

(but I agree it's unacceptable practice)

You have 3 options.

1) Banking Ombudsman (but you need to identify and articulate the failing accurately )

2) Privacy Commissioner (Maybe? )

3) I'm sure there's a Cyber Commissioner office - but I can't recall the official name/title.

4) Raise it with our National Cyber Security Centre.

Or raise it with all four offices.

You need to go higher than Westpac themselves, if you want any 'actual' change - otherwise you are just shouting into a black hole. - if you just want to vent with no change, then sure raise it wit Westpac.

If you want 'real change' - and an improvement in your personal banking security - raise it with the national organisations.

Earbanean

944 posts

Ultimate Geek

#3398658 31-Jul-2025 10:43

To be fair, the only point of complaining to Westpac (and higher) would be to protect the general population - and that's certainly a valid endeavour if you have the time. However, to protect yourself and your family, is much quicker and simpler. Just discuss the scam and agree to never give codes to unsolicited callers.

robocat

109 posts

Master Geek

#3398659 31-Jul-2025 10:48

concordnz:

1) Banking Ombudsman (but you need to identify and articulate the failing accurately )

https://bankomb.org.nz/five-things-your-bank-should-never-ask-you says:

Your bank should never:

ask you for texted codes, passwords or PIN numbers

LOL!

I had looked into the ombudsman but I didn't bother with a complaint because (1) it looked like they had no teeth - it appears to be a private organisation and is not like the UK ombudsman, and (2) I hate feeling like I'm wasting my time

FYI Here's the text of the SMS sent from telephone number 4582 (shortcode):

THE TXT:

From Westpac: Your verification code for account access is 123456

If you were not expecting to receive a code, please call us on 0800 400 600 or if calling from overseas +64 9 912 8000. Alternatively you can visit your local Westpac Branch.

freitasm

BDFL - Memuneh
79294 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3398666 31-Jul-2025 11:07

Even those phone numbers in the SMS shouldn't be there. Banks should always tell people to call the numbers on their cards or the numbers from the official website. And obiously the SMS shouldn't have a link to anywhere either - because phone numbers and links on SMS could be just going to the scammers.

1 | 2