When Amy received a call from her bank last year, she had her mind on other things.
She was used to receiving calls from her bank from a No Caller ID number, but she was still hesitant to trust the man with a British accent on the other end of the phone.
"I didn't trust them at first," Amy said, who asked for her name to be changed because of concerns about her privacy.
"But they knew where I lived, my date of birth, and what transactions were going in my account."
The man said her bank account had been compromised and he needed to verify her identity.
He followed a script Amy had heard before from ubank, and a text message was sent to her phone and she read the code out to him.
Amy then watched as her savings were drained in front of her eyes.
Amy fell victim to a common scam targeting digital banks where fraudsters persuade their victims to authorise immediate push payments.
Ubank, which was taken over by NAB in 2021, is what's known as a neobank — online-only financial outlets that have operated in Australia since 2018.
Steve Worthington, a marketing professor at Swinburne University, said there was optimism digital banks could stimulate a "stagnant" financial market and offer services that appealed to digital natives.
But there have been security challenges.
"Neobanks and digital banking in general has opened the door for fraudsters," Professor Worthington told the ABC.
"They can persuade their victims to transfer money themselves with immediate authorised push payments."
12-hour wait for answers
Many neobanks still allow instant payments to new payIDs and new account numbers.
They also text customers and use a No Caller ID for security communications.
And with no branches, and generally no call centres, customers in crisis are often left struggling to get help.
Amy tried to reach ubank's customer service hotline as soon as she got off the phone to the scammers.
"It wouldn't go through," she said.
"The line kept on ringing, and ringing and ringing — it took four or five times for an actual operative to pick up."
When she finally got through, it was too late.
"The [customer service agent] said she would stop all transactions from going out of my account," Amy said.
"But at that point, $16,000 had been lost already."
It was another 12 hours before Amy was able to speak to someone from ubank's team about where the money had gone.
Out of the $16,000 taken from her account, $7 was recovered.
Amy later found out her money had been sent to a bank account that was opened using stolen details.
"I was in such a vulnerable spot, and I was very depressed at that point, and in a situation where I was vulnerable, " she said.
"My bank said 'well, too bad'."
Unique challenges for online banks
Ubank's head of everyday banking Andrew Wright said the bank would always do "whatever it could" to get stolen money back from criminals, and was working on toughening up its security and online presence.
"Unfortunately, recovering funds is extremely difficult for a number of reasons including the speed with which criminals move money, often overseas or to unregulated cryptocurrency platforms," he said.
"Ubank processes tens of thousands of payments every day and scams are often extremely hard to detect because, in many instances, a scammer has coerced a victim into giving away important security details."
Mr Wright said ubank accepted this was the customer authorising the transaction, and there was little they could do.
"We are working proactively with industry, regulators and law enforcement to continually enhance the way we facilitate fast payments for customers whilst helping them identify scams and protect themselves from losses."
The National Anti-Scam Centre said ubank had appeared in at least 490 of its complaints in the last year, and the total reported financial loss for that period was just over half a million dollars.
Last year, Australians lost $2.74 billion to scams, with a significant majority relating to banking and finance.
Online banks easy for scammers to copy
University of Melbourne cyber security expert Shaanan Cohney said as banks moved online and away from the typical brick-and-mortar model, experts were witnessing more security challenges.
"If a consumer is used to dealing with a bank through wholly online means, they are less likely to be surprised if they get a message that purports to be from the bank over one of those online channels," he said.
"These scams are totally not limited to ubank, and you'll see similar scams purporting to be from the Commonwealth Bank and similar."
He said often neobanks use more casual language to appeal to younger customers, which could be easier for scammers to replicate.
"Some of the messaging that they've used legitimately can be used by scammers," Dr Cohney said.
"That doesn't mean they're targeting ubank because ubank has weak security: it means they're able to replicate the messaging that those types of banks use to the customers."
Who pays the price?
According to a report by the Australian Institute of Criminology into scams, data leaks have also made it easier for scammers to set up accounts with stolen details.
Consumer Law Action Centre policy director Tania Clarke said her organisation had written to the Australian Prudential Regulation Authority about banks failing to pick up criminals using banks.
"APRA is responsible for making sure that the banks are following its risk standards and codes — including making sure banks aren't using money for proceeds of crime and money laundering.
"The banks have a liability because they're allowing it to happen."
Ms Clarke said her organisation was calling on banks to reimburse customers who were scammed.
The UK established a payment systems regulator to address Authorised Push Payment (APP) fraud, after nearly 500 million pounds was lost to the scams in 2023.
And from October 7, payment service providers will have to reimburse victims of APP fraud.
Professor Worthington from Swinburne University said the UK regulator would also name and shame banks that did not investigate scams and reimburse customers.
"There are other countries where confirmation of payee is imposed, and banks are forced to confirm that the person is genuine," he said.
"They are also pushing for big tech and telecommunications companies to pay in the fight against scams."
Australian Banking Association chief executive Anna Bligh said Australian banks had some of the strongest anti-scam protections in the world, noting a 13 per cent drop in scam losses last year.
She said banks endorsed the government's plan for mandatory industry codes, but rejected the concept of reimbursing customers who were victims of scams.
"Scam losses are reducing at a much faster rate in Australia than in the UK," Ms Bligh said.
"A reimbursement-style scheme would put an even bigger target on the back of every Australian."
Vigilance is key
University of Griffith professor of finance Robert Bianchi said Australia was playing catch-up with the rest of the world.
"This is why scamming is very prolific here," he said.
Professor Bianchi said there should still be obligations for banks to provide face-to-face support.
"Banks hold our life savings … they have a social obligation to offer a branch, physical offices and give out physical cash," he said.
"It might not be the profitable part of the business, but that's the cost of being a bank in Australia."
Professor Worthington said without a physical branch to help verify accounts, customers needed to be vigilant.
He said scammers have been increasingly hacking into emails to impersonate conveyancers or real estate agents to provide false account numbers.
This could lead to customers losing entire home deposits.
"You need to be very sure with this confirmation of payee that you are paying digitally to the right person with a valid, genuine bank account," he said.
"Because digital banking is a gift to fraudsters … the thing to bear in mind is that when you act with speed, you may also regret with leisure."
Hannah Murphy is a neobank customer who became aware of this issue after having a similar experience.