Tips for protection from online scams

As NetSafe chief executive Martin Cocker has said: "At the moment, there is no official 'one-stop-shop' that the public can report scams to and rely on for the advice they need. There is no co-ordinated national effort to disrupt scams locally."

The need for such a service is clear. According to a recent NetSafe report, Kiwis lost $33m in online scams last year, triple the total loss for 2017. NetSafe received 13,000 scam reports, up from 8100 in 2017. The average loss was $21,140, which is up from $10,771 in 2017, and the largest single loss was $5m. The most recent trend has been sextortion scam, where cybercriminals claim to have hacked into victim devices and recorded intimate recordings of people using pornographic websites, dating websites, and other websites and apps.

Although we have the Unsolicited Electronic Messages Act 2007 regulation in place in order to discourage cybercriminals, this report shows the significant rise in spam, and therefore scams.

So what is spam and what are scams?

Spam is the term used for all unsolicited electronic messages, for example, unwanted email, SMS, or other instant message. Scams, delivered via spam, are designed to defraud people by exploiting human psychology around urgency, risks, financial loss, and benefits involving prize, money, business partnerships, or investment opportunities online. For example, cybercriminals pretend that the victim has won a lottery, will get a flight ticket, or has been left an inheritance.

Although traditional ‘cold calls’ are among the most reported scams, there are other common online scams that successfully target specific groups, mostly aged people who make the most vulnerable group, 48 percent of those scammed in 2018. These online scams include, but are not limited to, email phishing scams (for example, that have a dodgy link), social media campaigns, and romance scams, where scammers present to be in a relationship with the victim.

In email scams, cybercriminals use an email spoofing technique for luring innocent users to believe that the email originated from a legitimate address, and once a victim responds, it actually is delivered to a different address. In email scams, victims send sensitive information such as personal details, or even their password, or act on requests by clicking links or, even worse, transferring money, assuming they are responding to legitimate users.

Other email scams make victims believe their email addresses have been compromised when they see the email came from their own email address. To make scam emails appear more legitimate, cybercriminals may include the victim’s password for their online accounts, which might be collected from one of the numerous data leaks from major online services.

In order to deal with cybersecurity issues, New Zealand's cybersecurity strategy has four main goals: exercising cyber resilience, having cyber capabilities, improving cybersecurity, and increasing international cooperation.

So although it seems like an arms race where cybercriminals better exploit online social networks and other online services to harvest sensitive information – and use social engineering attacks for specifically targeted scams – there are great opportunities for security businesses to develop new detection tools that can mitigate scam calls and emails. For instance, a scam call detection mechanism can be used to blacklist reported numbers once they are identified as scam. Likewise, before sending an email, users might be warned about the risks of sharing their personal information with strangers.

But most importantly, people need to be aware of possible online scams and the growing risk they pose. The suggestions below could help reduce the risk and protect people and organisations:

Tips for users

• Do not respond to unnecessary emails.
• Never respond to emails (or calls) asking your password.
• Check that the email has the same address in both ‘came from’ and ‘reply to’.
• Do not click on links or download attachments if you are unsure.
• Before you decide to click a link, mouse hover over the link (or image) to see alternate text descriptions.
• Transfer money, send gifts, or help in case if you are sure that account details and addresses are trusted.
• Do not pay or transfer fee if you received an email from a stranger to make a transfer overseas.
• Use strong passwords.
• Regularly backup your data.
• Do not publish your personal information online.
• Use privacy and security settings for online social networks (and other online services) in order to protect your sensitive information.
• Scan virus regularly using an antivirus.

Tips for organisations

• Educate your employees about online scams.
• Use a good email spam filter.
• Have a process in place to deal with online scams.

Tips for governments and enforcement agencies

• Launch scam awareness campaigns.
• Develop a nationally coordinated response to deal with cybercrimes including online scams.