Over the holidays, they see an increase in scammers trying to trick us into buying non-existent items or accidentally giving away our personal information by simply clicking a button.
Scammers are always looking for a chink in the armour – and one unguarded place they often find is how much we trust the businesses we deal with every day. They often exploit that trust using a technique called phishing.
Nothing to do with rods and reels, this is where the scammer sends you an email or letter, or gives you a call pretending they’re from a familiar company – your bank, telco or even the IRD. When it seems like it comes from a trustworthy source, you’re far less likely to worry when giving out your password, or letting someone have remote access to your computer.
Phishing consistently ranks as one of CERT NZ’s top reported categories, with over 3,000 phishing incidents reported to date.
“We know that phishing can be hard to spot, and easy to fall for. At CERT NZ we recommend putting simple cybersecurity steps in place so that if you do experience a phishing incident, you can recover quickly. The CERT NZ team is also here to help. If you receive a phishing email, or if you’re just not sure, report it online at www.cert.govt.nz/report,” advises CERT NZ Director Rob Pope.
Phishing attacks can be difficult to identify, but knowing a bit more about what to look for can help you spot them and send the scammers packing.
Spotting a phishing email
A phishing email is where a scammer sends an email pretending to be from a legitimate organisation. It might look like it’s from your bank or a government agency and can be really convincing – it will use the same fonts and logos and will be sent from an email that looks really (but not quite!) legitimate.
This email will ask you to do something – usually open a link or download an attachment, which will either infect your computer with a virus or give the sender access to your personal or financial information.
A really common phishing email that preys on that lovely Christmas spirit is one that looks like it’s from a courier company. Oh, a present that’s to be delivered – how nice! That seems harmless enough, but click on a link to ‘claim’ the parcel and you’ll be giving the sender your personal information. This is then used to access your finances or to carry out other attacks. You could also be asked to pay to have the parcel delivered.
What to look for
Scammers are really clever – they prey on your emotions, whether that’s excitement, loneliness, fear or openheartedness! It’s best to assume every email is suspicious until proven innocent! Here’s what to look for:
- Look at the email address – it should exactly match the website of the company it’s claiming to represent. Just jump onto Google to work out their URL. For example, if you receive an email from mary@courierpost.org.nz, that’s a huge red flag. Courier Post’s URL is courierpost.co.nz – with a “CO” not an “ORG”, so you’d expect the email address to be mary@courierpost.CO.nz.
- If the email seems out of the blue – treat it as suspicious!
- The best way to check is to find the company’s website, and contact them directly. Don’t believe any of the numbers you were sent in the email!
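The email address check above can also be done automatically. This is an added example, not part of the original article: the function names and sample messages are constructed, and it assumes you have already looked up the company's real domain yourself.

```python
from email import message_from_string
from email.utils import parseaddr

def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: address, or "" if there is none."""
    msg = message_from_string(raw_message)
    # parseaddr splits 'Courier Post <mary@courierpost.org.nz>' into name and address,
    # so a trustworthy-looking display name cannot hide the real address.
    _display_name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_sender(raw_message: str, brand_domain: str) -> str:
    """Compare the sender's domain with the domain of the company's real website.

    Returns "match", "lookalike", "mismatch" or "no-sender".
    """
    brand_domain = brand_domain.lower()
    domain = sender_domain(raw_message)
    if not domain:
        return "no-sender"
    # Assumption: subdomains of the real domain (mail.courierpost.co.nz) are accepted.
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "match"
    # Same brand name under a different ending (.org.nz instead of .co.nz),
    # or the brand name buried inside someone else's domain.
    brand_label = brand_domain.split(".")[0]
    if brand_label in domain.split("."):
        return "lookalike"
    return "mismatch"

# Constructed sample messages (not real emails).
SAMPLE_LOOKALIKE = (
    "From: Courier Post <mary@courierpost.org.nz>\n"
    "Subject: Your parcel is waiting\n\nClick here to claim your parcel.\n"
)
SAMPLE_GENUINE = (
    "From: Courier Post <mary@courierpost.CO.nz>\n"
    "Subject: Delivery update\n\nYour parcel is on its way.\n"
)
SAMPLE_UNRELATED = (
    "From: Courier Post <parcels@example.com>\n"
    "Subject: Pay to release your parcel\n\nA fee is due.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_GENUINE, SAMPLE_UNRELATED):
        print(sender_domain(sample), "->", check_sender(sample, "courierpost.co.nz"))
```

A "match" only means the address looks right. The From line can be forged, so an unexpected email still deserves a direct call to the company.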
Spotting a phishing website
Phishing websites will offer you gifts, rewards or amazing bargains – and they look really real. The aim is to get you to click a link and provide personal or financial information. Phishing websites might also make you pay for products or services that don’t actually exist.
What to look for
When you’re cash-strapped over the holidays, a good deal is especially hard to pass up – but if it seems too good to be true, it probably is! Before you make a purchase or enter your details, check on a few things.
- Does the website URL match the brand? If the website is Techbay.com, but you’re looking at signing up for food boxes, that’s a big clue!
- Do some Googling – search the name of the business, or the item you’re trying to buy. You might see there are already articles and warnings about the scam online.
- When in doubt, ask someone – call the business directly.
Think you might have been phished? Here’s what to do
If you think you might have been phished, report it to CERT NZ. They can help you work out what to do next.
If you’ve given out personal and financial details, all’s not lost! Move quickly and you’ll minimise any fallout:
- Get in touch with any relevant organisations, like your bank or email provider, and see how they can help.
- Change all your passwords, especially on your email, online banking, business software and social accounts. Make sure you use a new password for each account so even if someone hacks your email, your bank account will still be safe. A password manager can securely store your passwords so you only have to remember one!
- Get a free credit check done to see if there’s been any suspicious activity in your name.
- Add two-factor authentication to your online accounts, to add an extra layer of security. It means that even if scammers do have your login details, they still can’t access your account.