Two thirds of us received suspicious emails from unknown people seeking money or personal details in the past year. At least 1 in 20 has responded with information, tricked into thinking the request is from their bank or another reputable organisation.

These findings from Government-commissioned survey research on cyber security highlight the prevalence of scam emails – and suggest that many New Zealanders are readily taken in. Among those surveyed by Colmar Brunton*, 6% said they knew someone who had paid money to an online scammer in the past year (fewer were prepared to acknowledge a loss themselves).

Emails, or text messages, which are sent anonymously to individuals or businesses to prompt unwitting disclosure of personal or confidential information are referred to as “phishing” (similar to “fishing” with an email as bait). The aim is usually information enabling access to bank accounts or theft of an identity.

"Phishing" emails with links to fake websites or malware

Most commonly, a scammer will target many people at once with an email requesting they click a hyperlink onto a website which appears to be a bank or another institution of high standing. The site is fake. Any information entered will be stolen, sometimes with disastrous consequences for the scammed individual.

With some phishing emails, clicking on the link or opening an attachment will trigger a download of malevolent software, or “malware”, capable of detecting personal information on the recipient’s computer and relaying this to the scammer. The person is exposed with just one wrong click!

More sophisticated malware can encrypt data on the targeted computer, with the scammer demanding a fee to unlock it. This form of ransom is usually directed at businesses holding valuable private client or company records. Retrieval of data encrypted by such email-borne “ransomware” is said to be virtually impossible without access to the code used in its creation.

Other common email scams

In fact, phishing emails are only one type of suspicious email – or more specifically one type of email that ought to be suspicious in the eyes of New Zealanders.

Government agencies concerned with cyber security and cybercrime say the Internet is also used heavily for more traditional scams. Emails from strangers who ask for charitable donations to worthy-sounding but fake causes, from scammers who offer romance through dating sites but then ask for financial assistance, and from imposter employers or clients who make highly plausible requests for the transfer of “their” money between accounts.

In one case this year, the Police say a New Zealand woman lost US$130,000 to an American man she met online. He posed as a financial expert as well as romantic friend and, as their email exchanges continued, offered the woman an “investment opportunity” in the United States. She transferred the money and the scammer abruptly ended the online contact.

How do people protect themselves from scams and fraud that can accompany even the most credible-looking email or text? The answer will depend on each person’s need for emailing in their personal or work life, their deliberate efforts at increasing cyber security (eg frequent resetting of personal passwords) and their comfort with being exposed to the risk that some emails are scam attempts.

Tips for managing cyber security

  • Legitimate businesses will never send emails asking for customers, suppliers or shareholders to give out their passwords or credentials.
  • Phishing emails will often have the name and branding of a known bank or organisation and at a glance, the address will look correct, but by hovering over it, the real destination will be revealed.
  • Particular suspicion is warranted when the address line ends with and/or the organisation’s name is misspelt.
  • Likewise, urgent subject lines are more suspicious, including "account suspended" or "unauthorised login attempt”.
  • Avoid opening attachments that were not expected in a particular email as these are the most common means of delivering malware.
  • Never make payments to any unknown individual or organisation simply on the basis of an emailed request.

See Scamwatch or the CERT NZ website(external link)  for more information.

Phone text lure to fake websites

Phishing can start with a mobile text message out of the blue asking the recipient to visit a familiar-looking website.

Retired insurance underwriter Trevor received two such texts one morning in September – one apparently from BNZ and the other, Westpac. Both texts advised that Trevor’s bank account had been “blocked” and needed his online attention. The family are not actually Westpac customers.

“I knew straight away that the texts were scams but went onto the two websites mentioned to have a look,” he says. The fake BNZ site had an address made to look as though it was from BNZ and included fields for the entry of a bank account number, user ID and password in order for the account to be “unblocked”.

Trevor says both sites looked like the real thing although they lacked in the address line. “I wasn’t scammed but there would be other people who would think these were genuine messages from their bank.”

He alerted both BNZ and Westpac to the scams. The two fake sites disappeared from the Internet shortly after.

* Research into Cyber Security Behaviour 2016(external link) (PDF 1.2 MB) - Connect Smart website.