Digital safety specialists are warning people to be savvy about the more sophisticated ploys cybercriminals are using to appear official and target victims.
Scammers are increasingly imitating or duplicating bank phone numbers (known as spoofing) and websites, as well as replicating call centre dialogue to look authentic and trick New Zealanders into handing over their PIN numbers and security codes.
Several banks and government agencies said New Zealanders were being tricked out of millions of dollars each year, and called for everyone to keep up their awareness about the current tricks being used by cybercriminals, how to spot them, and how to keep safe from them.
Scammers often used urgency and fear so victims believed they had to react quickly, and made misjudgements or mistakes in not keeping their details safe, says Rob Pope, the director of the government's national cyber security agency: the Computer Emergency Response Team - CERT.
One of the best ways to beat them was to: "Take a breath and pause," says Rob.
Most attempts to access people's accounts could be busted simply by turning on two-factor authentication (2FA), a system that requires a one-time unique code for login, and by never giving out 2FA codes or PIN numbers to anyone, including the bank or officials.
The warning was issued by CERT, the Department of Internal Affairs (DIA), Consumer Protection and 10 banks operating in New Zealand: ANZ, ASB, Co-operative Bank, Heartland Bank, HSBC, ICBC, Kiwibank, Rabobank, TSB and Westpac.
Methods used by cybercriminals include:
- Duplicating (spoofing) genuine phone numbers, to appear legitimate
- Text messages sent containing links to fake websites
- Malicious software sent to people's devices to spy on their account details
- Realistic dialogue and social engineering triggers to try to convince people to tell them log-in details or to fall for a dodgy link or malicious software
Department of Internal Affairs director of digital safety Jared Mullen says people should remain vigilant and stay up with the play on the latest cybercrime methods.
"Tactics used by scammers are getting more sophisticated as new technology develops. But the advice to Kiwis to avoid being a target stays the same: be savvy, always question a link before you click on it, and if something doesn't feel right report it."
In particular, there had been a rise in the number of scam calls in tandem with text-message phishing.
A short text would be sent that was designed to get the victim to take urgent action, such as a warning of a security breach or the arrival of a courier package, and containing a link.
"Increasingly, once the user has clicked on the link and entered their banking information into an imitation bank website they will receive a phone call from the fraudster impersonating the bank's fraud team, trying to obtain security codes and other financial information to complete fraudulent transactions they have just created," the agencies' statement says.
"You should always only access your bank by visiting the bank's website. Banks will never send you a link to log in to your internet banking via text message."
CERT incident response manager Jordan Heersping says people of all ages were falling victim to cybercriminals.
"They are becoming more sophisticated; we see for example the phone spoofing schemes being used in combination with the regular phishing and SMS spoofing scheme - and those combinations can make them very effective."
Basic steps to take to stay safe from cybercrime:
- If you don't know that the person calling you is legitimate, hang up, look up the organisation's official number, and call them back at that number
- Turn on two-factor authentication (2FA) for your banking accounts
- Never share passwords or two-factor authentication codes, including with your bank or any official, as legitimate callers will never ask you for these
- Do not click links in suspicious text messages or emails
- Forward suspicious text messages to the Department of Internal Affairs on 7726
- If you did click a suspicious link or give someone a 2FA code, then immediately contact your bank, and report it to CERT NZ.