Cyber criminals are using sophisticated methods to trick trusting New Zealanders out of millions of dollars every year.
Using duplicated ("spoofed") phone numbers, realistic dialogue and social engineering triggers, cyber criminals convince their targets to part with log-in details. Scammers are also sending SMS messages with links to fake websites or illicit software that harvest users’ account information.
New Zealanders are being urged to stay vigilant and take some basic steps to keep themselves safe from these predatory scammers.
- If you are unsure whether the person calling you is legitimate, hang up and call them back using the organisation’s official phone number.
- Turn two-factor authentication (2FA) on for your banking accounts.
- Never share your password or two-factor authentication codes with anyone, including your bank.
- Do not click on links in unexpected or suspicious text messages or emails.
- Forward any suspicious text messages, free of charge, to 7726, this is a service run by the Department of Internal Affairs.
- If you have clicked on a suspicious link or received a suspicious call where you have given over a 2FA code, contact your bank immediately and report it to CERT NZ(external link) .
Phone call scams
The scammers are able to imitate, or "spoof", bank call-centre phone numbers and can accurately duplicate the script that a real call centre would use.
It can be difficult to tell the real from the fake. If you have any concerns about the legitimacy of a call the best strategy is to hang up, find the bank’s phone number from its website and call them back. This way you are assured the information is genuine.
Scammers rely on urgency and fear to make you react quickly without thinking. CERT NZ Director Rob Pope reminds people to "take a breath and pause."
"The scammers will use a sense of urgency, hoping you won’t think clearly and will make a mistake."
It is highly recommended that all users turn on two-factor authentication (2FA). 2FA is a security step that requires a one-time unique code as an extra login. This simple action will stop nearly all malicious attempts to access your account.
If you receive a code on your phone, keep it secret. Your bank will never ask for your code over the phone.
Text message phishing
Text message phishing, also known as "smishing", has increased at an alarming rate over the last few years.
Users are sent a short message and a link. The message will use the same social engineering triggers of urgency, fear and opportunity to illicit a response. Increasingly, once the user has clicked on the link and entered their banking information into an imitation bank website they will receive a phone call from the fraudster impersonating the bank’s fraud team, trying to obtain security codes and other financial information to complete fraudulent transactions they have just created.
"Tactics used by scammers are getting more sophisticated as new technology develops", says DIA Director Digital Safety Jared Mullen. "But the advice to Kiwis to avoid being a target stays the same: be savvy, always question a link before you click on it, and if something doesn’t feel right, report it."
You should always only access your bank by visiting the bank’s website. Banks will never send you a link to log into your internet banking via text message. Forward any suspicious messages to 7726. This is a free-of-charge service run by DIA.
The more scams we are aware of, the more we can help New Zealanders stay vigilant and protect themselves and their whānau. Together, let’s fight scams.
This statement is issued collectively by:
- CERT NZ
- Te Tari Taiwhenua Department of Internal Affairs
- Consumer Protection
- Co-operative Bank
- Heartland Bank