Finance boss at Te Wananga o Aotearoa falls for 'whaling' scam
The tertiary institute has enlisted Hong Kong authorities to repatriate more than $100,000 sent to offshore fraudsters.
The chief financial officer of one of New Zealand's largest learning institutions has left her job after falling for an email "whaling" scam.
The executive director of finance at Te Wananga o Aotearoa, Bronwyn Koroheke, transferred $US79,000 ($118,000) to an offshore bank account after receiving an email which appeared to be from her chief executive Jim Mather telling her to send the money.
In fact the email was from Chinese-based fraudsters running a whaling scam, so-called because it targets an organisation's top executives, or "big fish". They forged Mather's email address to make it look like he was sending it from a mobile device.
The scammers have been targeting New Zealand companies in recent months, prompting a warning in September from Internal Affairs for organisations to be vigilant.
It's one of the largest amounts of money sent from a New Zealand organisation to offshore email scammers.
Koroheke agreed to resign after the incident but her supporters say she has been treated unfairly as the wananga's systems weren't capable of picking up cyber attacks.
Koroheke oversaw annual revenues of $155 million at the wananga, the second biggest tertiary institution with 32,000 students at campuses around the country.
The wananga was forced to restructure after a series of scandals and financial problems a decade ago, an Auditor-General's report finding contracts worth millions were awarded to members of founder Rongo Wetere's family.
Mather, long-serving chief executive of Maori Television until he resigned in 2013 to take up the wananga job, said he received a text on November 19 confirming a payment had been made to an offshore account "as requested".
He launched an investigation and the payment was frozen in a bank account in Hong Kong. "The process to repatriate the funds is underway."
Mather said police here and in Hong Kong had immediately been alerted and Audit NZ was also notified.
He would not comment on the circumstances around Koroheke's departure as it was an "employment matter".
He sent an internal letter this month saying she had tendered her notice "and will be leaving us for family commitments".
Koroheke is an experienced accountant who was formerly head of the financial accounting team at Hamilton City Council and was appointed to the wananga's senior leadership team last year. Both parties have signed a confidentiality agreement and Koroheke said it prevented her from commenting.
A close friend said Koroheke's resignation was unfair considering TVNZ had fallen for a similar scam recently.
"You can't stop something like this. She put her hand up for a degree of culpability but it should be shared culpability. The organisation is really not prepared for those kinds of cyber attacks."
But Mather said the wananga's security settings and other controls were appropriately set.
"We have re-emphasised to staff the necessity for strict adherence to our accounts payable policies and procedures. It highlights the need for protocols and checks and balances to be followed."
Toni Demetriou, manager of the electronic messaging and compliance unit at Internal Affairs, said the department sent out a warning in September about "whaling" scams and the importance of organisations putting safeguards in place.
A single person should not have sole responsibility for money transfers and the scam highlighted the need for appropriate checks and balances.
Demetriou said there had been three or four cases where money had been sent and in some cases companies had been able to recover funds through the banks involved.
Thom Hooker, chief technology officer with email security company SMX, said the scammers were going to greater lengths than ever before.
"They are going to the trouble of researching a company, identifying individuals and then creating a domain to prop up a forging attempt to try and elicit the funds, they're actually spending money to do this."
Hooker said if the scammers didn't have a chief executive's email signature they would make it look like it was sent from a mobile device.
"They tend to play on people's desire to be helpful. They'll say something like 'I'm off site today can you help me out, a wire transfer needs to be paid urgently'."
Staff needed to have up to date security awareness training.
"You can put all the algorithms and computer hardware in place but if the people aren't going to stop and think 'am I following the process?' then all the security in the world isn't going to help. The human factor is the weak link in the chain."
RED FLAGS TO LOOK FOR
* Email correspondence begins with a simple email query from the "CEO" to the CFO asking if they're available, before progressing to request an urgent funds transfer.
* The emails may say they have been sent from an iPhone, iPad or similar. This may be an attempt to distract the recipient from the fact that the CEO's normal email signature is not featured in the message.
* The spoofed email address domain of the "CEO" may be slightly different from what it should be; for example it may end in ".biz" rather than ".co.nz".
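As an added example (not from the article, and not the wananga's own controls), the red flags above expressed as a small Python check over a single inbound message: the organisation domain, the executive's real address and the sample email are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's real domain and the executives
# a whaling email would impersonate, keyed by lower-cased display name.
ORG_DOMAIN = "example.co.nz"
EXECUTIVES = {"jim mather": "jim.mather@example.co.nz"}

# Red flag: an urgent funds transfer request in the body.
URGENT_TRANSFER = re.compile(
    r"\b(wire transfer|funds? transfer|payment)\b.{0,80}?\b(urgent|today|asap)", re.I | re.S)
# Red flag: a mobile-device sign-off standing in for the normal signature.
MOBILE_SIGNOFF = re.compile(r"^sent from my (iphone|ipad|mobile)", re.I | re.M)


def red_flags(raw_email: str) -> list[str]:
    """Return the whaling red flags a single RFC 822 message trips (empty if none)."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []

    # Display name of a known executive, but not sent from that executive's address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("executive display name with unexpected sender address")

    # Lookalike domain: same leading label as ours, different suffix (.biz vs .co.nz).
    if domain != ORG_DOMAIN and domain.split(".")[0] == ORG_DOMAIN.split(".")[0]:
        flags.append(f"lookalike sender domain {domain}")

    if MOBILE_SIGNOFF.search(body):
        flags.append("mobile-device sign-off in place of normal signature")

    if URGENT_TRANSFER.search(body):
        flags.append("urgent funds transfer request")
    return flags


# Constructed sample message following the pattern the article describes.
SCAM_SAMPLE = """From: Jim Mather <jim.mather@example.biz>
To: finance@example.co.nz
Subject: Re: are you available?

Hi, I'm off site today, can you help me out? A wire transfer needs to be paid urgently.

Sent from my iPhone
"""

if __name__ == "__main__":
    for flag in red_flags(SCAM_SAMPLE):
        print("FLAG:", flag)
```

A message that trips several flags at once is the case the article describes; a mail gateway or accounts-payable workflow would hold such a request for out-of-band confirmation rather than act on it.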
- Sunday Star Times