Firms lose thousands as staff are duped by scam

Detective Senior Sergeant Greg Turner said the three local businesses lost significant sums of money through the scam. Photo / File

Three Western Bay of Plenty businesses have lost significant sums of money through a targeted email attack, also known as "whaling".

Internal Affairs is warning people to be aware of the scam that imitates high-ranking executives and asks chief financial officers to transfer an amount of money to an offshore bank account.

Employees responsible for account payments had received what appeared to be authentic emails from company managers requesting funds be transferred to offshore accounts on behalf of company clients.

Detective Senior Sergeant Greg Turner said the three local businesses lost significant sums of money through the scam.

The Department of Internal Affairs issued a warning against "whaling" - a type of phishing scam which targets high-level executives.

Since the beginning of September, five companies had reported to Internal Affairs they had experienced this type of attack, although the department was aware of earlier campaigns.

The email addresses were spoofed to appear as though the messages were being sent from a company's chief executive officer, managing director, or similar, and were sent to the chief financial officer, senior accountant or similar, urgently requesting a funds transfer.

The amount of money to be transferred appeared to vary across companies and the reports sent to Internal Affairs showed transfer requests ranging from $24,500 to $89,400. In most of the reported cases the chief financial officer or accountant had become suspicious before the funds were actually transferred.

Martin Cocker, Netsafe Executive Director said the scam had been particularly effective and was a serious concern.

"All scams that are successful concern us to some extent but this one is a problem at the moment. This one is a particularly effective scam when it does take action.

"The reason it's called whaling is because it's looking at the big targets and the big amounts of money."

He suspected more than three business in the Western Bay could have been targeted.

The success of the scam depended on the actions taken within the businesses and the alertness of staff, he said.

He warned businesses with a more "relaxed practice of communication" were more likely to be targeted.

"Internal cross-checking is the thing that can prevent losses. Most businesses should have a form of double-checking and not using email as a request to make a payment of large sums of money," Mr Cocker said.

Netsafe had received reports of the scam from all over the country.

Always check sender

* If you are being asked to urgently transfer funds by email or other electronic means, be wary even if the email address appears legitimate. It is best to check with the purported sender in person or over the phone to ensure the transaction is legitimate.

* In four of the five cases reported to Internal Affairs, the companies' staff names and positions were freely available on their website. While this information assists your customers in knowing how to contact you, be aware that it also makes it very easy for scammers to know which staff to target for whaling attacks.

* If you have received an electronic message which you believe may be an attempt at a whaling attack, report it to Internal Affairs by forwarding it to scam@reportspam.co.nz

* However, if you have transferred funds as a result of a whaling attack, immediately contact your bank and inform them of the situation. The fraudulent transaction should also be reported to the New Zealand Police.