Login
ISCOVER
Consumers are being warned that sending personal data by email – including for loans – may heighten scam risks and expose them to fraud.
The Customer Owned Banking Association (COBA) has urged consumers to be more vigilant with emails and prioritise protecting their personal information, with new research showing that emailing personal documentation makes them more vulnerable to scams.
Consumers often share photos of their driver’s licences or passports for legitimate reasons, including with brokers when taking out a mortgage or loan, with travel agents when booking travel, and with new employers when starting a new job.
However, the association is warning that doing so is not a secure way to send sensitive documents and may make them more at risk of falling victim to a scam.
COBA has issued the warning as part of Privacy Awareness Week after it found that two-fifths of Australians have emailed photos of their passports, driver’s licences, or ID cards through their personal email accounts.
According to a COBA survey of more than 1,000 Australians, which was carried out in April 2025, more than half (56 per cent) of those who had emailed identification information did not delete the email after sending it.
COBA also found that just 25 per cent ‘double-deleted’ the email (emptying it from their trash).
The association has said that emailing personal documentation “significantly increases” the risk of falling victim to scammers intercepting the sensitive information.
The stolen information can be used by scammers to directly impersonate the consumer and is sometimes combined with fabricated details to create a ‘synthetic identity’, COBA said.
The new identity can then be used to open new bank accounts, apply for loans, credit cards, or government benefits in the victim’s name, making it difficult to trace.
“When we investigate how scammers obtain someone’s personal information for impersonation frauds – such as applying for loans, credit cards, or government benefits in their name – email breaches are frequently identified as a primary cause,” COBA head of financial crimes and cyber resilience, Martin Latimer, said.
“Unless you’re using a secure, end-to-end encrypted email service and specific encryption for attachments, regular email is not a secure way to send sensitive documents.
“Once an email account is compromised, for example, through a phishing attack that steals your email password, the scammer has immediate access to all emails.”
Latimer advised consumers sending out sensitive information (including date of birth, tax file number, or other forms of identification) for a legitimate reason to “always double delete the sent email and ensure your email account has two-factor authentication”.
“We also advise against storing sensitive information on your computer or smartphone in case of breaches,” Latimer said.
“If you wouldn’t put it in a postcard, don’t put it in an email.”
How can brokers cut scam risk?
The quantity of personal information that brokers have to collect from borrowers makes the industry particularly vulnerable to attacks from scammers.
Industry associations, cyber security specialists, aggregators, and lenders have all put out a range of resources and guidelines on how best to protect themselves and their clients from cyber attack, with the associations also providing resources on how brokers can comply with the Privacy Act and best practice when collecting, using, and storing clients’ personal information.
Best practice tips include the need to develop and maintain a publicly available privacy policy.
Brokers should also obtain privacy consents from clients before collecting, using, or disclosing their personal information.
Regular reviews and updates on privacy practices are also crucial to ensure these comply with privacy laws and best practices.
Brokers should also respond promptly to any privacy breaches or complaints.
The Australian Financial Complaints Authority (AFCA) is also considering changing the rules that govern its work to expand its oversight to include the conduct of banks in scam complaints.
The consultation, which closed last week, seeks to allow the body to investigate the actions of financial institutions that receive funds from scam victims, including the use of mule accounts.
It comes ahead of the implementation of the Scams Prevention Framework, which provides a broader AFCA remit in relation to scams.
According to the National Anti-Scam Centre’s Targeting Scams Report from March 2025, Australians made 494,732 scam reports in 2024, with combined reported losses to scams of $2.03 billion (though this is believed to be an underestimate, as many scams are unreported).
Scams, and cyber scams in particular, are becoming a bigger problem with brokerages, especially vulnerable to certain attacks due to the volume of personal information stored.
Speaking to The Adviser last year, Five Dock Finance’s finance manager Paul Boykos said that he implemented a full security upgrade after seeing a sharp increase in the frequency and sophistication of phishing emails.
“We’re custodians of all of our customers’ most valuable personal information – bank details, account numbers, IDs,” he said.
Borrowers are also typically targeted in financial scams, with landmark occasions such as settlement days resulting in funds being intercepted.
[Related: Interest rate cut sparks rise in scam risk, ANZ warns]
JOIN THE DISCUSSION