Cyber attacks

There are many ways attackers might target your business.

Attacks can be:

  • obvious, like if your business loses money or you’re suddenly unable to access your online systems
  • less obvious, like when an attacker uses your website or network to attack others.

Luckily, there are things you can do to help prevent your business being the target of an attack.

To reduce your chances of experiencing online incidents, everyone in your business must be aware of the risks and use safe practices. 

Reporting cyber attacks

You can report scams, fraud or cyber security incidents to the National Cyber Security Centre.

Report an online security incident - National Cyber Security Centre

Defence against cyber attacks

To defend yourself against cyber attacks, you can:

  • back up systems and data regularly, and keep at least one copy offline so it can't be reached from your network
  • encrypt important systems and data
  • keep all software up to date
  • install security software to protect against viruses and other malicious programs, and keep it updated
  • use strong and unique passwords or passphrases across all your accounts, and turn on two-factor authentication wherever it's offered.
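The last point above, strong and unique passwords or passphrases, is easy to undermine with a common password dressed up with separators, digits or symbol substitutions (the page's own P-A-S-S-W-O-R-D is one example). The following Python is an added example, not code from the original page: a policy check that undoes that dressing-up before comparing a candidate against a denylist. The minimum length, the denylist and the substitution table are assumed policy values for illustration.

```python
# Added example (not from the original page): a password-policy check that catches dressed-up
# versions of common passwords. The denylist and minimum length are assumed policy values;
# in practice compare against a large list of breached passwords.
import re

MIN_LENGTH = 14                                   # assumed: long enough to favour passphrases
DENYLIST = {"password", "letmein", "qwerty", "welcome", "123456", "admin", "iloveyou"}  # constructed sample
LEET = str.maketrans("@$013!|", "asoleil")       # p@ssw0rd -> password

def variants(pw):
    """Forms a password reduces to once the usual dressing-up is undone."""
    s = pw.lower()
    core = re.sub(r"[^a-z]+$", "", s)             # Welcome2024! -> welcome
    out = set()
    for v in (s, core):
        out.add(v)
        out.add(re.sub(r"[^a-z0-9]+", "", v))                  # P-A-S-S-W-O-R-D -> password
        out.add(re.sub(r"[^a-z0-9]+", "", v.translate(LEET)))  # P@$$w0rd -> password
    return {v for v in out if v}

def check_password(pw, denylist=DENYLIST):
    """Return the policy problems found; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = variants(pw) & denylist
    if hits:
        problems.append(f"is a variant of the common password {sorted(hits)[0]!r}")
    if len(set(pw.lower())) < 4:
        problems.append("uses fewer than four distinct characters")
    return problems

if __name__ == "__main__":
    for candidate in ("P-A-S-S-W-O-R-D", "Welcome2024!", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "ok")
```

A real deployment would load the denylist from a large breached-password list rather than the short constructed one here, and would also reject passwords containing the business name or the user's own name.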

How to spot a scammer

Scams have common characteristics you can look out for.

They usually start when someone makes unexpected contact with you – in person, by phone, text message, letter or email.

In exchange for money or private information, they may:

  • make you an attractive offer, like introductions to angel investors if you pay an upfront finder's fee, or a cryptocurrency investment
  • say you urgently need important products or services, like critical software updates
  • pretend to be someone they're not, like your bank, a supplier or a senior leader within your own business.

Train your staff

Take time to educate your staff and make sure anyone who has access to your IT systems knows:

  • the common characteristics of a scam
  • how to detect cyber security risks
  • how to avoid them.

You should:

  • get staff to read this page so they are familiar with common risks and how to avoid them
  • make sure staff know when it's appropriate to share private information and financial details, and with whom
  • set policies around paying for products and services, including how a change to a supplier's bank details is verified before any payment is made
  • train new staff on cyber security as part of onboarding
  • give staff regular updates about new security risks and scams
  • create a password policy
  • have a cyber security policy.

Common scams and how to deal with them

Spam

Malicious spam emails are unexpected emails from someone asking you for money or personal information.

If you receive a malicious spam email, do not:

  • reply – if you do, it confirms your email address is active and you'll be sent more
  • open attachments or click links from senders you don't know – either can install malicious programs on your computer
  • forward hoax emails – if it looks like a hoax, it probably is.

If you receive an unusual request for private information or money from a sender you recognise, verify it with them by phone, using a number you already have rather than one given in the email.

Cyber criminals may intercept or take over business email accounts and send false invoices to clients asking for payment to be made to the criminals' own bank account. They may also pretend to be from your business for other reasons, like gaining confidential business information.

These are some things you can do to reduce the risk of email hacking or identity theft.

  • Make sure your antivirus software is up to date.
  • Make sure every email account has a strong, unique password.
  • Turn on two-factor authentication on email accounts to add an extra layer of security. An authenticator app or a hardware security key is stronger than a code sent by text message.
  • Don't ignore pop-up reminders of updates from your software providers.
  • Train staff on how to spot risky links and websites, and why they shouldn't click them.

Business email compromise - Own Your Online

Ransomware

Ransomware is a type of malicious software that encrypts your data and makes systems inaccessible. Computers stop working normally until the data is unlocked with a decryption key, and you'll get a ransom demand for payment, usually in cryptocurrency or to an overseas account, in return for that key. Paying doesn't guarantee you'll get the key, or that your data will come back intact. Ransomware also infects smartphones, often through apps downloaded from links shared on social media.

What to do to prevent ransomware attacks:

  • If in doubt about an email or text, delete it. Don’t click on the links.
  • Make sure software systems are up to date, particularly antivirus and malware protection software.
  • Don’t open attachments you weren’t expecting or that come from sources you don’t know.
  • Don’t download apps from sources you don’t know.
  • Make sure you have an offline back up available.

What to do if experiencing a ransomware attack:

  • Disconnect infected devices from the network straight away (unplug the network cable and turn off Wi-Fi) so the ransomware can't spread to other systems.
  • Seek IT support.
  • Use an offline back up, if you have one available, but only restore onto systems that have been cleaned or rebuilt. It can take time to get everything back up and running.
  • Report the incident to the National Cyber Security Centre.

Businesses and ransomware - Own Your Online

Phishing

Scammers use emails and texts to get you to reveal PIN codes and passwords for things like banking, Inland Revenue and social media, and to send false invoices.

To avoid this, do the following:

  • Don't reveal your passwords, PIN or sensitive information in a text or email. Instead, go to the website of the organisation the sender claims to represent, typing its address yourself, and check whether the request is genuine.
  • Check the authenticity of emails you weren't expecting or that promise something too good to be true. Scam email addresses may be different (but similar) to genuine addresses, for example a swapped letter or an extra word in the domain. The email address may also be genuine but compromised, if a scammer has hacked into someone's account and is sending emails on their behalf. If in doubt, mark the email as junk mail or spam without opening it, then delete it from your spam folder.
  • If an email seemingly from your bank asks you to click a link to log in to your account, don't click it. Open a browser window and type your bank's web address in. Hovering over a link (or long-pressing it on a phone) shows where it really goes. If that address is different from your bank's but the website looks like your bank's, it's a clone designed to catch people out.
  • Don't use the same password or passphrase across your systems, and don't share one account between staff. If it's stolen, cyber criminals get access to all your information at once.
  • Don't use passwords that are easy to guess, like P-A-S-S-W-O-R-D.
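The checks in this list (a sender address that is similar but not identical to a genuine one, a link whose visible address differs from where it really goes, a call to act urgently) and the https check under Confirming your suspicions below can be automated as a first filter before a person looks at the message. The following Python is an added example, not code from the original page: it runs those heuristics over two constructed sample messages. The trusted-domain list, the urgent-phrase list and the look-alike rules are assumptions for illustration, and a finding means "look closer", not "definitely a scam".

```python
# Added example (not from the original page): heuristic checks for a suspicious email.
# Trusted domains, urgent phrases and both sample messages are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.co.nz", "supplier.example.com"}      # assumed allow-list
URGENT_PHRASES = ("immediately", "take action now", "urgent", "within 24 hours")
# Cyrillic letters and digits that scammers swap in for look-alike Latin letters.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
                            "0": "o", "1": "l", "3": "e", "5": "s"})
LINK_RE = re.compile(r'<a\b[^>]*href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return None                                   # the real domain or a subdomain of it
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if (domain.translate(HOMOGLYPHS) == t or levenshtein(domain, t) <= 2
                or (len(brand) >= 6 and brand in domain)):
            return t                                      # examp1ebank.co.nz, examplebank.co.nz.evil.example
    return None

def domain_of(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def shown_host(text):
    """Hostname the link text appears to point at, or None if the text is not URL-like."""
    if "://" not in text and not re.match(r"^[\w-]+(\.[\w-]+)+(/|$)", text):
        return None
    host = urlparse(text if "://" in text else "https://" + text).hostname or ""
    return host.lower().removeprefix("www.")

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)

def check_email(raw):
    """Return (code, detail) findings for one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From", ""))
    if (t := lookalike_of(sender)):
        findings.append(("lookalike-sender", f"{sender} imitates {t}"))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:                   # replies silently diverted elsewhere
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not {sender}"))
    body = body_text(msg)
    text = (msg.get("Subject", "") + " " + body).lower()
    if (hits := [p for p in URGENT_PHRASES if p in text]):
        findings.append(("urgent", ", ".join(hits)))
    for href, label in LINK_RE.findall(body):
        label = re.sub(r"<[^>]+>", "", label).strip()    # visible text only
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme == "http":                       # no 's': the connection is not encrypted
            findings.append(("insecure-link", href))
        shown = shown_host(label)
        if shown and shown != host.removeprefix("www."):
            findings.append(("link-text-mismatch", f"shows {shown} but goes to {host}"))
        if (t := lookalike_of(host)):
            findings.append(("lookalike-link", f"{host} imitates {t}"))
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examp1ebank.co.nz>
Reply-To: recovery@mail-secure.example
Subject: Action required: verify your account
Content-Type: text/html

<p>Your account will be suspended. Please take action now.</p>
<p><a href="http://examplebank.co.nz.evil.example/login">www.examplebank.co.nz/login</a></p>
"""
SAMPLE_LEGIT = """\
From: "ExampleBank" <noreply@mail.examplebank.co.nz>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in internet banking.</p>
<p><a href="https://examplebank.co.nz/statements">https://examplebank.co.nz/statements</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_email(raw) or "no findings")
```

The constructed phishing message trips every check: the digit 1 standing in for the letter l in the sender's domain, a Reply-To pointing somewhere else, an urgent call to action, a plain http link, and link text that shows the bank's address while the real destination is a look-alike domain with the bank's name pasted in front of it. The genuine message from a subdomain of the bank, linking to the bank over https, produces no findings. None of this replaces the advice above to type the bank's address in yourself; it only decides which messages deserve that extra care.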

Phishing scams - Own Your Online

Fake IT support calls

This is when someone calls you out of the blue, saying your computer has a virus or you need to upgrade software. They tell you to download software that will help, or ask for your login details to fix it. But there's no virus or service. The software gives them control of your computer, or they use your login details to get into your systems and steal information.

If you get a suspicious call about IT support, do not:

  • click on links or type in any web address you're asked to enter
  • give login details to anyone who contacts you out of the blue.

If it happens to you:

  • hang up the phone
  • immediately unplug your computer from the internet or turn on airplane mode if you've downloaded the software
  • run your antivirus software
  • use another computer to change all your passwords
  • contact your bank, as they might be able to get your money back.

Malware - Own Your Online

Fake invoices

This involves sending fake invoices to trick businesses into paying for something they never asked for, like a listing in an online directory or a renewal of intellectual property registrations. If you pay the first invoice, you'll keep being invoiced for the fake listing until you spot the error.

If it happens to you:

  • write to the company invoicing you that you didn't authorise what you're being invoiced for and won't pay
  • talk to a lawyer if they threaten legal action.

Upfront fee scams

Scammers may contact you with an attractive opportunity in exchange for an upfront fee, but never deliver what they promised.

A common example is promising grant information that either doesn’t exist or can be easily found on government websites.

Before you pay money to a business or person who has contacted you out of the blue, do some research on the product or service they are offering.

Survey and directory calls

Scammers may call to ask you for information about your business for a survey or directory. The information they ask for may seem harmless, but they could be collecting details to appear legitimate when they contact you later.

Make sure staff who answer telephone calls are familiar with what information they can give out, and how to recognise this type of phone call as a potential scam.

Staff fraud

Staff fraud is rare, but there are warning signs to watch for, including situations when an employee:

  • controls a financial process from start to finish, without being checked by people qualified to do so
  • has large debts or appears to be living beyond their means
  • has financial responsibilities and is reluctant to take annual leave.

Insider threat - Own Your Online

Staying safe with email

Video: Staying safe with email (YouTube, b6nVEmvYwBU). Hear tips from Paul Macpherson, head of security at Xero, on how you can stay safe when you use email, the vital tool many businesses rely on.

Video transcript: Staying safe with email

[Visual: Intro blue screen appears, with the text “business.govt.nz” in white on the righthand side of the screen. The words “Staying safe with email” in thinner white text appear on the lefthand side of the screen, separated by a white vertical line from the text on the right.]

[Visual: The screen changes. The screen is split into two smaller blocks on a black background. The block on the left is a screenshot with the title “Cons” in blue text. Under it, there’s a bullet-point list with the text:

  • Primary attack tool for hackers and scammers
  • Cost effective delivery of malware and scams to thousands of people
  • Spam
  • Inherently insecure
  • Easy to copy and impersonate
  • Used to manipulate the recipient into doing the hacker’s work for them – social engineering

In the bottom left corner of the screenshot, there’s the text “business.govt.nz” and the Xero logo in light blue. The block on the righthand side of the screen shows the presenter.]
I always think of email as being an open postcard rather than a sealed envelope. If it’s out there on the wire, and if somebody wants to sniff it, they can do. That said, most of your major mail providers do recognise these issues and they’re working with all the other mail-providing community to put the controls in place to make life better and more secure for people using email.

I was fortunate enough to go to a conference event recently where I heard someone from Google speak, and through their relationships with other mail providers, over 80 per cent of email that is inbound or outbound to/from Google is now encrypted, as well as being encrypted on their internal network.

But there’s other things that people do – impersonating email and impersonating senders – to try and trick people into clicking on that link, or clicking that document that’s attached. Some of you have probably heard of the term social engineering – that’s basically manipulating somebody to do what you want or provide the information you want.

It’s far easier to hack the person than it is to hack the computer. Why go to all that trouble of trying to break through somebody’s firewall and steal their data, if you can just get them to click on something that then gives complete control of their computer, and you just carry on and do it.

I think it’s key that people understand the risks there are in emails. I’m not saying we shouldn’t use it – of course we should use it. But just to understand that, and know how to mitigate that to the fullest extent you can.

[Visual: In the screenshot on the lefthand side, the bullet-point list changes to a screenshot of a FedEx email. A warning message in red shows at the top of the screenshot.]
I think most people would have seen one of these, if not something similar [refers to slide]. This is the FedEx email. There’s probably not a day goes by that I don’t find one of these in my junk. And if it’s not FedEx, it’s New Zealand Post, it’s PayPal, it’s you name it.

People saying, you need to do this immediately, you need to take action now. And that’s one of the signs of a suspicious, or potentially dodgy, email – it’s that immediate call to action.

What I found interesting in this email is if you clicked on the “More details” it took you to a malicious site. Also, if you clicked on the “Unsubscribe” or the “Privacy policy”, it took you to that same malicious site. So, they’re trying to cover all of their bases.

One of the things I would say is, we see email being used to exploit our customers, to exploit the community, all the time.

So, if you’re using email, and I come back to what Steve said around education and awareness, there’s huge value in educating yourself, and, in your small business, educating your staff around how to spot these emails. Don’t be too quick to click on them.

And also to protect your own email account. We’ve seen our customers, and sometimes non-customers, whose email accounts have been hacked. And certainly, I think it’s been well publicised here in New Zealand happening in the building industry, that the builder’s email gets hacked, and then any recently sent invoices get modified and resent from that builder’s email account with a message, something along the lines of, “A bank account is being audited, can you please pay to this new account?”.

And they’re after those big milestone payments. We’ve seen twenty, fifty, seventy thousand dollars paid into a fraudulent bank account.

Fortunately, in most of those instances, with the cooperation from the banks here in New Zealand, that money has been retrieved.

So, these are the things you watch out for. And even today, I think it was in the press or in the paper, another email scam doing the rounds. Emails purporting to be from the DHB (District Health Board) to suppliers, with purchase orders. The purchase is then sent to a freight-forwarding company, and shipped off overseas to some dude from wherever, who is now in receipt of a lot of well-made New Zealand goods for no cost.

This sort of thing happens all the time, and just a bit of education and a few additional controls, I’d say for your own email account, as Sai was saying, second-factor authentication is a fantastic protection for preventing people getting access to your accounts. Even if they compromise your password, if you have second-factor authentication enabled – sometimes called multi-factor authentication, we call it two-step authentication at Xero – it’s a really good roadblock to the bad guy getting into your account.

I can’t recommend doing that highly enough. If your mail provider doesn’t provide second-level authentication, personally I’d be looking for another mail provider.

[Visual: White outro screen appears with the text “business.govt.nz” in blue on the lefthand side of the screen. The words “Make business easier” in thinner blue text appear on the righthand side of the screen, separated by a blue vertical line from the text on the left.]
[Video ends]


Confirming your suspicions

If you aren’t sure whether the person who has contacted you is genuine, do a little investigation.

These are some ways you can check their legitimacy.

  • Never assume a company is based in New Zealand just because its website address ends in ‘.nz’.
  • Check payment pages are secure. Make sure the URL begins with ‘https’ (the ‘s’ stands for secure) and the browser shows a padlock symbol. The padlock only means your connection to the site is encrypted, not that the site belongs to who it claims to; scam sites use https too. Only make payments if it’s a transaction you started.
  • Do an online search for the company’s name and the word ‘scam’. You may find stories from people caught out by a similar scam.
  • Always check contact details, especially if it’s only a mobile number or an email. Do an online search on the company name to check whether the contact details given match those on its website. Scammers sometimes pretend to be from legitimate companies or organisations.
  • If you call and can’t get through, or it goes to an overseas call centre, it may be a scam.

Learn more about IT risks and scams