The complexity, sophistication and frequency of scams are increasing, and they arrive in many different forms: across social media platforms, by telephone call, SMS and email, and sometimes even by post.
Where once we could spot a scammer's email a mile away by its tell-tale signs (poor English and an offer to share a USD $1,000,000 inheritance with an African government official), we now receive well-designed, well-written, targeted email campaigns. These emails are routed through legitimate third-party email servers and services, bypass an organisation's spam filtering, and land straight in our inboxes.
Here’s an overview of some of the most common scams we’ve seen, some clues to watch out for and what to do if (or when) you’re targeted.
1. Email Phishing
What is 'phishing'? Think of it in terms of its homophone, fishing. An attacker casts out bait in the form of an email promising you something, or calling you to action, hoping to catch the unwary off guard; once you've taken the bait they reel you in and deliver the real purpose of the attack, typically harvesting your login details, taking a payment or installing malware.
A simple example is the flood of emails from New Zealand 'banks' that hit junk folders (and inboxes) urging recipients to update their details because the bank has spotted fraudulent activity on their account. These are almost always scams: banks do not send emails with links asking you to log in to verify yourself.
We've seen an increase in email-based attacks in the last few months. For the scammers it is generally a numbers game: they write one email, send it to tens of thousands of addresses, and need only one recipient to believe them. However, the sophistication we're now seeing suggests the attackers know their targets: who the person is and the company they work for, the relationships between staff members, the software the company uses, and therefore which scam to send to the softest targets. Like any results-driven direct marketing campaign, they research how best to tailor their message to increase their return on investment. The frequency and number of these scams is rising, so we all need to be vigilant.
2. Telephone Calls
We're dogged by these in New Zealand. A caller claiming to be from our computer software company tells us we have a virus on our workstation, or the 'Government' wants our tax number and bank account details so it can refund us a great deal of money. Neither is legitimate. People also receive automated calls in a foreign language purporting to be from a consulate, or pick up the phone to silence. These callers are getting smarter and in some instances disguise their phone number by spoofing the caller ID: instead of the call arriving from an overseas number, it now appears to come from a New Zealand number in Auckland or Wellington.
If we stay alert we can generally spot these scams. The scam may have been reported in the news, there may be noise or delay on the line, the voice may sound distant, or the accent may be unfamiliar and out of place.
The telcos in New Zealand are working together to stop these scam calls reaching New Zealand numbers, but they have a hard task ahead of them.
3. Fake Invoices
The scammer sends an invoice for goods or services we haven't purchased or received. In 2016 there was a well-publicised scam of this type in Christchurch during the rebuild. Scammers compromised builders' and construction workers' email accounts to obtain client details, then targeted those clients. Because the clients were having rebuild work carried out and were expecting invoices, an email asking them to transfer money to a bank account didn't seem unusual. Many people were caught out and lost a lot of money. The check that defeats this is the one described later in this article: confirm any bank account number, and any change to one, by phone using a number you already hold for the supplier, not one in the email. Although this is quite a sophisticated example, scams don't have to be sophisticated to be dangerous; any organisation or individual can receive fake invoices.
4. Parcel Delivery Scams
We all like to receive parcels, but the next time you receive an email branded NZ Post, CourierPost or DHL, think before you act on it. The email typically states that a parcel is awaiting delivery, or that a delivery to your address was missed. The scam may demand payment for goods or tax, ask you to download a 'delivery receipt' or 'invoice' that is really a way to obtain your username and password, or use that download to install viruses and malware on your computer.
5. Blackmail
With this type of scam you're being blackmailed into paying money through embarrassment or fear of humiliation, based on explicit material the blackmailer has, or claims to have, obtained about you. If you find yourself in this situation, seek help and support and go to the police.
6. Hybrids of the above (one to think about)
When these scams are combined, their effectiveness increases dramatically, making them even more dangerous for victims. How would you deal with a phone call from your local supermarket telling you you've won a new iPad for shopping at their store? They just need a delivery address and an email address so you can receive and track the package. You provide your contact details, then a few days later receive a follow-up email saying the goods couldn't be delivered and asking you to download the delivery note to redirect or collect the package. The phone call has made the email expected; once you click that download button the scammer has succeeded.
The damage from becoming a victim of an email scam can be substantial: you can lose money, your identity can be stolen, your emotional well-being can suffer, and you could even find yourself being used to commit fraud against a third party. Your computer could be hijacked by a virus or malware and used for other purposes, including attacks and scams on other people, among them your friends, family and work contacts.
What can you do?
- Stay alert and be vigilant about potential scams across all your communication channels.
- When you receive an email, hover over the sender's address and any links (including those at the bottom of the email) to check that they point to the legitimate domain. Scam emails often come from an address or domain that is ever-so-slightly different from the genuine one. Can you spot the difference between the email addresses below?
- Avoid opening suspicious emails on your mobile phone. It's far easier to fall victim when you can't hover over links and sender addresses to inspect them properly before tapping on anything.
- Always validate the authenticity of the sender of any communication (email, phone, text, post) where you don't know the sender or weren't expecting to receive anything. This is especially important if the correspondence asks you to provide personal information, click a link or open an attachment. Do this BEFORE you take any action.
- Before contacting the sender to validate them, Google them. Search for the name of the company or person who contacted you and obtain their contact information from their website or another reliable source. Do NOT use the contact details provided in the correspondence itself: those lead straight back to the scammer.
- Phone or email the sending organisation to confirm the correspondence, using the contact details you found independently via Google.
- Do not share any personal information in this communication (address, phone number, bank account details or passwords); just enquire about the nature of their correspondence to determine whether it is genuine.
- If you've received a suspicious phone call, do NOT give out your personal information to anyone without first validating that they are who they claim to be.
It's not impolite to hang up on the caller. If you're worried you've missed out on that tax refund, use Google to find the organisation's telephone number yourself and call them. Never call back the number that called you, especially if it's an overseas number, you missed the call, or nobody spoke when you answered: such numbers can be premium-rate, and the call could cost you a lot of money.
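As an added example (not part of the original article), the following Python script automates the "hover and check" advice above: it parses a constructed sample email, reduces the sender's address and every link target to its registrable domain, and flags lookalike domains (one or two characters off a trusted name), a trusted name buried inside a subdomain of an unrelated domain, a display name that claims a trusted brand while the address belongs elsewhere, and link text that shows one address while the href points to another. The trusted domain list and the sample message are assumptions constructed for this example, and the registrable-domain logic is a simplified stand-in for the Public Suffix List.

```python
"""Flag lookalike sender domains and deceptive links in a suspicious email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisations this mailbox legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.co.nz", "nzpost.co.nz"}

# Labels under which registries hand out names one level down, so that
# shop.examplebank.co.nz reduces to examplebank.co.nz. Simplified stand-in
# for the Public Suffix List; a production tool should use that list.
SECOND_LEVEL = {"co", "org", "net", "govt", "ac", "school", "com"}

# Constructed sample message for the demonstration (not a real scam email).
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebenk.co.nz>
To: you@example.com
Subject: Unusual activity on your account
Content-Type: text/html

<html><body>
<p>We detected unusual activity. Please
<a href="https://examplebank.co.nz.verify-login.top/auth">log in at https://www.examplebank.co.nz</a>
to confirm your details.</p>
<p>Track your parcel: <a href="https://nzpost.co.nz/track">https://nzpost.co.nz/track</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Strip subdomains: www.examplebank.co.nz -> examplebank.co.nz."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away from a trusted name is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(host: str, where: str) -> list:
    """Return findings for one host: lookalike of, or abusing, a trusted domain."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    out = []
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= 2:
            out.append(f"{where}: lookalike domain {reg!r} resembles {trusted!r}")
        if host.lower().startswith(trusted + "."):  # examplebank.co.nz.evil.example
            out.append(f"{where}: trusted name {trusted!r} used as a subdomain of {reg!r}")
    return out


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def analyse_email(raw: str) -> list:
    """Run the sender and link checks over one RFC 822 message; return findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    findings = domain_findings(sender_domain, "sender")
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        # Display name drops a trusted brand while the address belongs elsewhere.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name.lower().replace(" ", ""):
                findings.append(f"sender: display name {name!r} claims {trusted!r} "
                                f"but address is @{sender_domain}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        findings += domain_findings(host, f"link {href}")
        shown = URL_IN_TEXT.search(text)  # the address the reader sees
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print("!", finding)
```

Run against the sample, the script reports the one-letter sender domain, the brand in the display name, the trusted name hidden in a subdomain of verify-login.top, and the mismatch between the address shown in the link text and the real target; the genuine parcel-tracking link produces nothing. Swap the sample for a saved `.eml` file to check a real message, and remember that a lookalike domain is only one of several signs: a message that passes every check here can still be a scam, which is why the out-of-band confirmation steps above remain necessary.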
One of the biggest risks to an organisation is its people and how they handle potentially suspicious correspondence. We all must play our part in protecting the security of our businesses. Educate your team about the risks of scams, the warning signs that something poses a risk, and what they can do to eliminate or minimise that risk.
If you do fall for a scam, whether at work or at home, act fast and get help immediately. Do not try to hide it: the sooner it is reported, the more can be done to limit the damage. An IT expert can work out the potential damage and plan any countermeasures required. If you've been affected by a scam outside work, let your organisation know, as they may be able to help and there could be ramifications for your work that you haven't considered.
There are many more scams out there than we've covered here. For further information on a range of current online safety issues, please visit Netsafe New Zealand.