27.07.2019

Avoiding clever scams

We have all seen them – the ridiculous emails from Nigeria promising millions of dollars – and how often does the phone ring with someone trying to get you to hand over access to your computer? It can be easy to think you can avoid being scammed. However, scammers are getting cleverer, and even tech-savvy people are being tricked out of their money.

Just last month a Nelson man almost lost his house deposit to a phishing attack when his lawyer’s email account was hacked – you can read the story here: https://www.stuff.co.nz/national/113115596/nelson-family-nearly-lose-home-deposit-to-african-hackers

Closer to home, we’ve had the parents of a staff member fall victim to a phishing attack – a phone call, purportedly from Spark to sort out an ongoing connectivity problem following a recent fibre installation, was in fact from scammers. After gaining remote access to the family computer, under the guise of needing to do so to correct installation-related issues, they installed software that allowed them to control the computer and see all activity on it. They were able to collect bank login and password details and quickly emptied the contents of the account. What was particularly clever on the scammers’ part was making several withdrawals instead of one large one, thereby avoiding immediate detection by the bank’s fraud team.

We are also aware of both a contractor client and an accounting firm who have had the email accounts of individual employees hacked in unrelated incidents. The hackers have been able to control the employees’ email accounts. They have been able to view confidential information within those email accounts, and in both cases have sent change of bank account requests to the organisation’s debtors from those accounts. When viewed by the recipient, these requests come from the email account of the employee and therefore appear genuine. This carries a substantial risk that your clients will pay into a bank account controlled by the scammer rather than your actual bank account.

In business, you need to be aware of even more sophisticated attacks. Known as spear phishing or whaling, these emails are hunting for confidential company information which is later used to defraud the business. Here is a good article on the problem and how to avoid it: https://www.cert.govt.nz/business/common-threats/protecting-your-business-from-spear-phishing-and-whaling/?gclid=CjwKCAjwmZbpBRAGEiwADrmVXje9DC_EKWo6zLfFl4q1UJrhPaL1W7GP7iJYeU4Kh-HPsE1detUO-xoCVrcQAvD_BwE

Each year, New Zealanders lose millions of dollars to fraud of this kind, with Research NZ saying that 72 percent of Kiwis have been the target of either an online or phone scam.

The key pieces of advice are to double check anything that seems out of place, don’t click on web links from people you don’t know, don’t give out personal or business information by email, take care with what business details you post online, and ensure your business has appropriate online security and staff training.

We also strongly recommend that you have processes in place so that, if you receive a request via email to change bank account details for any of your suppliers or employees, you are required to verify it by phone as well as in writing. Do not assume that these requests are genuine when received by email alone.