SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Cybercriminals adopt con-artist tactics to trick unsuspecting Kiwis
Fri, 24th Dec 2021
FYI, this story is more than a year old

Cybercriminals are stepping up their game in New Zealand with a combination of cybercrime strategies and telephone tactics straight out of the con-artists playbook, says SMB cybersecurity expert Daniel Watson.

Author of the book, 'She'll Be Right (Not!), a cybersecurity guide for Kiwi business owners, Watson advises Kiwis not to be surprised when they get scam calls from people with New Zealand accents pretending to be their banks fraud team.

"There is a lot of identifying data on Kiwis, from various breaches, that is for sale on the dark web. The scammers use that collection of data to manipulate vital accounts like your phone company and bank," he says.

Watson says the latest thing is for scammers to compile enough information about you to then pass themselves off as you and convince your phone company to block outgoing calls and texts from your phone, so you cant call your bank.

"Next they will try to persuade your bank to set up a phone banking account. But because the bank uses two factor authentication, the scammers are forced to call you to get the one-off code the bank sends," he says.

"They inject urgency into the call and they sound like Kiwis. They pretend to be the fraud team from your bank trying to block a suspicious transaction. They will ask you for the authentication code by pretending they sent it to you in the first place, purportedly to verify your identity.

"The combination of these factors can be enough to panic people into parting with vital information, purportedly to halt the so-called 'suspicious activity."

Watson says most New Zealanders would recall receiving scam texts from well-known courier and logistics brands earlier this year, telling them they had a parcel waiting.

"The text messages were designed to get access to your phone, harvest essential details and then use those to persuade you to part with information that gives the criminals ways access your accounts," he says.

"If you received one of those texts, and you clicked on the link, you need to change all of your passwords now," Watson says. "Do not trust text messages that require you to install apps on your phone."

Watson says one of his small business clients was the victim of cybercriminal activity when scammers in possession of enough personal information had the clients mobile phone provider block outgoing calls and texts. The scammers persuaded the bank to enable telephone banking on the phone, which gave them transactional access to the person's bank account.

"Fortunately for the client, they were online when the criminals attempted to process the transactions, enabling the client to stop it. She actually watched the transactions being set-up right in front of her eyes," he says.

Watson offers the following advice to help protect yourself, your staff and your business:

1. Maintain top of mind awareness
Business leaders should educate their staff on common cybercrime tactics and what to watch for, and then maintain constant awareness with regular updates.

"Your bank will never ask for your expiry date, passwords or authentication codes. Any requests for such information should set off alarm bells," Watson says.

2. Install protection software

"Make sure you have robust anti-virus, malware and ransomware on all your devices.

"Also, change your passwords and don't use the same password for multiple accounts. It may seem like a pain at the time, but it will save you a lot of hurt down the line. "

3. Update your policies

"If you are in business, you need up-to-date your technology policies that very tightly prescribe how your staff interact with technology for example, bar the downloading of unauthorised apps," he says.

"Have in place incident response processes and do not browbeat staff members when they make a mistake because this may cause them to hesitate about coming forward in the future."

"If you don't live cyber security every day, you are setting a low bar."