NZBA warns against email whaling scams

The New Zealand Bankers’ Association (NZBA) warns that anyone can be the target of an email whaling scam.
After a fake email purporting to come from NZBA’s chief executive was sent to a colleague, training and attention to detail foiled the scammer. NZBA, whose work includes educating consumers on fraud prevention, believes the incident shows that any organisation can be the target of scammers.
“This attempt has reminded us that no organisation or individual is immune to whaling,” said New Zealand Bankers’ Association chief executive Karen Scott-Howman.
“A colleague noticed a suspicious email that looked like it was sent by me demanding an urgent payment. However, when you looked carefully there were a number of classic whaling hallmarks including poor grammar and spelling. Whoever sent the email had also done their homework – they mentioned the name of our finance manager and that he was on holiday to try to create urgency and authenticity.
“Cybercriminals have become quite sophisticated, and people could easily fall victim to a whaling or bank email scam if they are not vigilant in making the appropriate checks before acting on an email.”
The people behind whaling scams put a lot of effort into creating emails that look authentic, using logos or personal information to make their request appear legitimate. NZBA says that educating all staff on these types of scams, and training them to pay careful attention to detail and to follow processes, makes it difficult for scammers to succeed.
“We all have a role to play to help protect ourselves from financial crime. We are grateful that this failed scammer provided us the opportunity to remind New Zealanders what to look out for,” said Scott-Howman.

Follow these tips to help avoid whaling scams

  • Spam emails are often disguised to look legitimate. If it doesn’t seem right or looks odd, take your time and double-check before handing over personal information, clicking on links or replying. It’s always a good idea to check the email address against one you know to be legitimate and to type in a full web address.
  • Ensure all staff are trained to recognise suspicious emails and follow processes when handling payments or other requests.
  • Make sure your organisation has robust internal processes for authorising payments such as two-factor authentication or face-to-face verification.
  • Don’t reply to spam emails or text messages, click on any links in them, or open any files they contain. Don’t call any numbers in spam emails or text messages.
  • Never share your bank account login details, cards, PINs or passwords with anyone – not in person, online, over the phone, or in emails or texts. Your bank will never ask you for this information.