*Some names have been changed
*Simon wasn’t part of the leadership team where he worked, so he was surprised to receive an email from the CEO. The short message held a simple request – could he please follow the link below to an online report and give his feedback?
Curious, Simon clicked the link, which took him to a page where he was asked to log in with his work email and password. He didn’t, believing the email had been sent to him in error. A quick word with the CEO’s PA revealed the truth: the email was part of a scam, a phishing attack sent from a bogus email address and designed to steal Simon’s login details.
Cyber scams are a hot topic in 2023, with renowned psychologist Nigel Latta having delivered a deep dive in his recent programme You’ve been Scammed with Nigel Latta. To paraphrase Latta in his opening voiceover, the vast majority of Kiwis believe they’re savvy enough to spot a scam from a mile away. But this confidence, Latta goes on to explain, can create blind spots that make people even more susceptible to scammers.
“A lot of people don’t take these things super seriously, but we try to do as much as we can to combat phishing attacks, because they do lead to other things,” says Jordan Heerspring, Threat and Incident Response Team Manager at CERT NZ. CERT NZ, an acronym for the New Zealand government’s Computer Emergency Response Team, supports people and businesses across the country by receiving reports about cyber-attacks, tracking online scams, and advising Kiwis on how to protect themselves. Jordan’s team in particular looks into reported incidents, responds to them, and works to help people and businesses deal with those incidents.
“Once a phishing victim has entered their login details, the scammer can use their username and password to sign into the business’s Microsoft online account,” he explains. From there, the scammer can potentially wreak havoc, using every tool at their disposal to access accounts with more privileges, compromise the business’s emails to conduct invoice scams, and even introduce ransomware. “Ransomware is probably on the top end of seriousness – all your systems get corrupted, and you essentially can’t do anything.”
According to statistics released by CERT NZ, in the first 3 months of 2023 alone, the organisation received reports of almost 2,000 cybersecurity incidents, from phishing attacks to romance scams and more. And it’s no longer emails from Nigerian princes that catch people out. “A lot of scams are done by SMS these days,” notes Jordan. “It used to be primarily email, but now it’s SMS with a little email on the side.”
Jordan says that most scams target individuals, but Kiwi businesses are far from safe. Name-dropping the CEO, it turns out, doesn’t just work as a phishing lure; it can also be an effective way to run a gift card scam. According to Sebastian Waldschmidt, a coordinator on Jordan’s team, CEO gift card scams are regularly reported. “They’ll have a heading like, ‘Hey, it’s your CEO. I want to buy presents for everyone – why don’t you get me X-number of dollars in gift cards.’” If the gift cards are purchased and sent as instructed, the scammers have made off with an untraceable and non-refundable chunk of the victim’s money.
Invoice scams are another lucrative scheme for scammers, and businesses are regularly a target. The scammer will impersonate a goods or services supplier and send out an invoice, hoping the receiving business doesn’t look too closely and just pays. One of the more blatant impersonation tactics sounds like something out of the latest Mission Impossible.
“We’ve seen a couple cases of people using publicly available information on the New Zealand business register to set up websites impersonating a business,” says Sebastian. Using that easy-to-find information to build a startlingly convincing website, the scammers then launch invoice-style attacks, fooling businesses into believing they’re dealing with a trusted supplier.
Mike Hannan, Owner Operator of RBA Partner Spark Business Hub West Auckland, says that businesses of any size can be targeted by scammers. Mike and his team specialise in business IT solutions and services, including diagnostics and IT Health Checks. He likens online scammers to “digital RAM raiders,” playing on the term for computer memory, aka RAM.
“As a business owner or manager, you may not think that your business is at risk of a cyber-attack. However, ‘smALL’ businesses are at risk of cybercriminal activity. The targeting is often a ‘broad stroke’ attack across hundreds or thousands of accounts so can impact any business regardless of industry or size.”
The risk of assuming otherwise, Mike adds, is significant. “A security breach can result in financial loss, reputational damage, and legal liability. Ask yourself: What would happen if I couldn’t access my systems? What if someone had access to my financial records, commercials such as COGs, pricing and customer base, or my employees’ private information?”
Jordan agrees: anyone can be targeted. “For the most part, it’s very much a scattergun approach,” he says. “They’ll fire things out as broadly as possible and just try to get some response.”
And it’s easier than you might think to fall victim to scammers’ manipulation tactics. By piling on the pressure, scammers push people into taking action before they’ve had the chance to think things through.
“Scammers use whatever method they can to try to create a sense of urgency,” says Sebastian. “That typically plays in their favour. If someone feels that there’s a sense of urgency around a task, they’re less likely to use a critical lens to assess it.”
“Urgency is a big one,” agrees Jordan, “as well as the threat of repercussions. A lot of the scams will say things like, ‘Your password has been changed – please click here to confirm whether it was you’ or ‘There’s a big new charge about to go through on your credit card – click here to stop it.’”
In the face of scammers’ increasingly devious and creative methods of attack, how can businesses protect their valuable systems and data? “IT security should be a top priority for small business owners,” says Mike. “IT security needs to protect your business’s IT infrastructure and data from unauthorized access, use, disclosure, disruption, modification, or destruction.”
Mike says that the best way to start is to take a thorough look at your systems and processes. “Conduct a risk assessment to identify potential threats and vulnerabilities,” he advises. “It’s better to know issues tested by an independent party than by a digital RAM raider.”
Next, take steps to protect yourself and your business. Mike suggests using strong passwords, keeping software up to date, installing firewalls and antivirus software, and creating data backup and recovery procedures. And, perhaps the most important piece of the puzzle: strengthening the human firewall. “Ensuring that all staff know not to open links or files from unusual email addresses is also a 101!”
Jordan agrees that educating your team on the importance of IT security is one of your best defense’s against online scammers. “There are several things that businesses can do to lower their risk, and one of them is raising the awareness of this type of activity among their staff. A lot of these things can start with a phishing attack, and so if staff know about phishing and how to spot it and deal with it, the business is least likely to be affected.”
Jordan also advises questioning any sudden changes to how a supplier or service provider asks you to pay.
“If things change – like bank accounts – that’s a bad sign,” he says. “But if it’s always the same process and nothing has changed, it’s probably okay.”
And, if you do feel suspicious of an invoice, Sebastian adds, “Try to independently verify it through a channel that you didn’t receive the invoice through.” As in, don’t call the phone number listed on the invoice or reply to email you received – instead, look up the publicly listed phone number for that business and call them directly.
One final tip: if you’re the unfortunate victim of a cybercriminal, reach out to CERT NZ. “If you do get one of these scams,” says Jordan, “the best thing you can do to help yourself, especially if you don’t know all the details behind it, is to report it. That way, we can help you understand what’s going on and potentially help you recover accounts or money lost. And whether you fall for the scam or not, you can help others by reporting it – so if you tell us at CERT NZ, we can share the domains being used to perpetrate these scams across a range of organisations. It also helps us to build a picture of what’s going on so we can target our efforts and coordinate our response across the government and private sectors.”
For additional advice or support with strengthening your IT security, contact Mike at his team at the Spark Business Hub on 0800 824924 or via email at [email protected]. You can reach CERT NZ on 0800 CERT NZ or at https://www.cert.govt.nz/ and https://www.cert.govt.nz/individuals/report-an-issue/