The complexity, sophistication and frequency of scams are increasing, and they are delivered in many different forms - across social media platforms, telephone calls, SMS, emails, and sometimes even by post.
Where once we could spot a scammer’s email a mile away through tell-tale signs of poor English language usage and an offer to share a $1,000,000 USD inheritance with an African government official, we’re now receiving well-designed, well-written, targeted email campaigns from scammers. Emails are being routed through legitimate third-party email servers and services and are bypassing an organisation’s spam filtering to land straight in our email inboxes.
Here's an overview of some of the most common scams we’ve seen, some clues to watch out for and what to do if (or when) you’re targeted.
1. Email Phishing
What is ‘Phishing’? You can think of phishing in terms of its more common namesake, fishing. An attacker will cast out some bait in the form of an email promising you something, or calling you to action, hoping to catch the unwary off guard, and when you’ve taken the bait they’ll reel you in and deliver the real purpose of the attack.
A simple example of this is the flood of emails from New Zealand ‘Banks’ that hit email junk boxes (and inboxes) urging recipients to update their details due to some fraudulent activity being spotted on their account by the bank. These are almost always scams. Banks never send this type of email with links to log into their systems to verify yourself.
We’ve seen an increase in the number of email-based attacks in the last few months. It’s generally a numbers game for the scammers: they write an email and send it out to tens of thousands of email accounts, and they might get one recipient who believes them. However, the sophistication we’re seeing suggests that the attackers know some information about their targets. They know who the person is and the company they work for, they know the relationships between various staff members at that company, and they know the software it uses, and therefore what scam to send to the soft (easy) targets. Like any results-driven direct marketing campaign, they spend time researching how best to tailor their message (scam) to increase their return on investment. The frequency and number of these scams are on the rise, so we all need to be vigilant.
2. Telephone Calls
We’re dogged by these in New Zealand. Our computer software company calls to tell us we have a virus on our workstation, or the Government wants our tax number and bank account details to refund us a great deal of money. Of course, neither of these is legitimate. People often receive automated calls in a foreign language from a Consulate, or pick up the phone and no one speaks at all. These callers are becoming smarter, in some instances disguising their phone numbers. Instead of the call coming through on an overseas number, it now looks like it’s a New Zealand number, coming out of Auckland or Wellington.
If we remain alert, we can generally spot these scams. The scam may have been reported in the news media, or we may notice noise on the phone line, a distant-sounding voice on the other end of the call, or an unfamiliar, out-of-place accent.
The Telcos in New Zealand are attempting to work together to stop these scam calls coming through to New Zealand, but they’ve a hard task ahead of them.
3. Fake Invoices
The scammer will send through an invoice for goods and services that we haven’t purchased or received. In 2016 there was a well-publicised scam of this type in Christchurch, with all the rebuilding work going on. Scammers hacked builders’ and construction workers’ email accounts to find out the initial client information, and then they targeted the clients who were having rebuild work carried out. Those people would have been expecting invoices for work carried out, so an email request to transfer money to a bank account wouldn’t have seemed unusual. Many people were caught out by this and they lost a lot of money. Although this is quite a sophisticated example, scams don’t have to be this sophisticated to be dangerous. Any organisation or individual is at risk of receiving fake invoices.
4. Deliveries
We all like to receive parcels; however, the next time you receive an email branded as being from NZ Post, Courier Post or DHL, think before you act upon it. The email generally states that there is a parcel awaiting delivery, or that there was a missed delivery of a parcel to an address. This scam could be used to demand payment for goods or tax, or as a means of getting you to download a ‘delivery receipt’ or ‘invoice’ in order to obtain a username/password from you. It can also be used to deliver viruses and malware onto your computer.
5. Sextortion
With this type of scam, you’re essentially being blackmailed into paying money, either through embarrassment or fear of humiliation, based on some explicit material the blackmailer has obtained on you. If you find yourself in this situation, seek help and support and go to the police.
6. Hybrids of the above (one to think about)
When these scams are married together, their effectiveness increases dramatically, making it even easier for innocent victims to fall into the trap. How will you deal with a phone call from your local supermarket telling you that you’ve won a new iPad by shopping at their store? They just need a delivery and email address for you to receive and track the package. You provide your contact details, then receive a follow-up email a few days later, telling you the goods couldn’t be delivered, so could you download the delivery note to redirect or pick up the package. Once you click that download button, the scammer has succeeded.
The damage that comes from becoming a victim of an email scam can be substantial. You can easily lose money, your identity can be stolen, your emotional wellbeing can be affected, and you could even find yourself being used to commit fraud on a third party. Your computer could be hijacked by a virus or malware and used for other purposes, including attacks and scams on other people, among them your friends, family and work contacts.
What can you do?
One of the biggest risks for an organisation is its people, and the practices they exhibit when receiving potentially suspicious correspondence. We all must play our part in protecting the security of our businesses. Educate your team to be aware of the risks of scams, what warning signs to look for to determine whether something poses a risk, and what they can do to eliminate or minimise that risk.
If you happen to fall for a scam, whether in your workplace or at home, act fast and get help immediately. Do not try to hide it. An IT expert will work out what the potential damage is and plan any effective countermeasures if required. If you’ve been affected by a scam outside of work, let your organisation know, as they may be able to help and there could be ramifications for your work that you may not have thought about.
There are many more scams out there than what we’ve covered here. For further information on a range of current online safety issues, please visit Netsafe New Zealand.