Acting on scams and fraud

We humans are an optimistic bunch. As individuals, we tend to think bad things happen to other people, not ourselves. It is classic ‘optimism bias’. It creates a false sense of security and can stop us from taking practical steps to protect ourselves or our businesses.

This can leave us susceptible to cybercrime, with many believing they would never fall victim to a scam. But with increasingly sophisticated scams and generative AI, the reality is that anyone, at any age, can be tricked by scammers. For the victims, the financial loss and emotional toll can be devastating.

Businesses and organisations are not immune either. Invoice fraud is on the rise and a simple employee scam can lead to a significant cyber event. The hard-earned trust of customers can be fast lost and the reputational damage can be ongoing.

We all have a role to play in protecting New Zealanders and our businesses.

As a banking industry, we recently announced a raft of joint initiatives to help combat this growing issue, including working towards the establishment of a centralised, multi-agency anti-scam centre and implementing a name check service that would enable customers to confirm the name of the payee when making payments.

We have also removed all web links from text messages sent by ASB. However, this practice is still widely used by a range of businesses – to confirm an appointment, to provide health information, to link to a media outlet or for event tickets.

This leaves the door open to scammers, who are impersonating well-known brands and their commonly used communication methods. Your organisation could become the next toll payment or package delivery scam.

To really limit the effectiveness of this type of scam, all businesses need to eliminate web links in text messages – not just some. Unfortunately, as we continue to innovate and invest in fraud prevention so too do the scammers, developing complex workarounds and crimes that are increasingly difficult to detect.

As the web-link-in-text-message example shows, this is not just an issue for banks to solve. All business leaders need to be thinking, anticipating and finding solutions for this threat that is conservatively estimated to be costing New Zealanders at least $200 million each year.

As a bank, keeping our customers and their personal information and money safe is our utmost priority. We are investing tens of millions of dollars each year in verification, digital technology, in-branch screening and investigations.

We are blocking more and more fraud from occurring. We have seen a reduction in our customers impacted by unauthorised fraudulent activity, largely driven by improvements to target unusual logins. A two-way push notification system that we introduced in March 2022 has helped more than 37,000 customers digitally respond to card fraud alerts.

Cybercriminals target people when they are distracted, vulnerable or stressed, and socially engineer their victims to believe their promise of an investment return, a new romance, award or payment. And when payments are authorised by the customer who then may become embarrassed and ashamed when they realise they have been scammed, it is very difficult for us to retrieve the stolen funds.

So, how can you reduce the chance you'll be scammed?

At a personal level, we must all be alert to the risk of scams and fraud. Never click on links in text messages and be wary of cold calls or messages asking for personal details. If someone is trying to pressure you into doing something, it may be a sign they are trying to scam you. You should always check who you are dealing with before sending any money.

In addition to using unique, long passwords, there are a range of tools available. For example, you can set lower daily payment limits and two-step verification to ensure further protection. If you are ever concerned there has been a breach in your accounts, contact your bank immediately and report the matter to police.

For business owners, education sessions are a great starting place. We hold regular education sessions sharing insights and analysis on how to protect against cybercrime.

Consider the following three questions:

• What practical steps can the organisation take to defend against scammers and avoid impersonation? We frequently run scam tests across the whole business, including the board and executive that help us understand where further education is
• How would the organisation respond if caught up in a scam or major cyber incident? A playbook that is kept up to date with learning from real events is a key tool which can be tested with practice
• Who can we collaborate with in the fight against scams and fraud? This is good topic to add to your next industry meeting agenda.

There are also useful cybersecurity resources on the IoD website, which all directors and business leaders should be familiar with. CERT NZ’s Own Your Online website is another helpful resource with business and personal cybersecurity advice.

By taking steps such as removing web links in text messages and adopting a collaborative mind set, along with education and vigilance, together, we can make a big impact.