13 Sep 2023

Scams cost New Zealanders $4.2m, with 'smishing' on the rise

6:21 pm on 13 September 2023

Fraudsters stole just over $4.2 million from New Zealanders between April and June, with text message scams on the rise.

New Zealand's Computer Emergency Response Team (CERT NZ) director Rob Pope said New Zealanders lost $1.6m less than in the previous quarter, but the reason behind the drop was unknown.

In the three months to June, CERT NZ responded to 1950 reports from individuals and businesses, with 21 percent reporting financial losses.

Historically, most phishing was delivered by email, but this year CERT NZ had seen more smishing - scams sent by text message, Pope said.

The messages aim to get people's logins and passwords, which can lead to severe losses.

"The rise in SMS text-based phishing (smishing) is a worrying development. The number of phishing reports (including smishing) to CERT NZ is up 26 percent from the last quarter and doesn't seem to be slowing down," Pope said.

Smishing messages generally pretend to be from reputable organisations, such as banks and government departments.

They usually claim there is a problem and ask victims to click on a link to resolve it.

Recently, some smishing texts had come with a phone number - calling it gave scammers direct access to victims and could make scams seem more legitimate, said CERT NZ.

"The risks to people are increased with smishing, because most people have their phones on them all the time and see text messages as soon as they arrive.

"This means messages can come through at times when you aren't thinking as clearly," CERT NZ said in its quarterly report.

The best way to stay safe from scam messages is not to click on links in texts and emails.

"Even if you think the text might be legitimate, it's better to navigate to the organisation's website using another method."

CERT NZ said in the three months to June, malware reports increased 36 percent, but scam and fraud reports were down 24 percent on the three months prior.

Online marketplaces were frequently being used by scammers, CERT NZ said.

Some pose as buyers, pretending to purchase items from genuine sellers. The scammer often says they have paid for a courier to pick up the item and asks the seller to send them an 'insurance fee', to be refunded when the item arrives.

After scammers receive the fee, they break off all contact with the seller and cancel their purchases. It could be hard to recover funds from this type of scam, CERT NZ said.

Scammers posing as buyers are also requesting bank account details from sellers to make payments.

The scammer then asks the seller to check their email for confirmation of payment. The scammer sends an email that looks like it's from the seller's bank and claims a transaction was attempted, but could not be processed due to a limit on their bank account. The email states the seller's 'bank account limit' can be increased by transferring money to their last buyer, the scammer. It says this will be refunded once their limit has been increased.

When the target sends through the money, the scammer immediately breaks off all communications and leaves the seller with a long fight to recover any of the money they paid.

Former fund manager Janine Starks told Checkpoint that the banks are responsible for much of the security failings, not the customers.

"It all comes down to their security systems and they are outdated."

Starks said the payment system was old and banks were not educating about fraud.

She said the industry was ignoring international best practice.

People see scam victims transferring money to accounts and there was a lot of "shame and embarrassment," Starks said, but the banks must bear some responsibility.

"The way I explain it to people is that fraud doesn't actually target people, it targets the payment system. So people are just the conduit.

"Every scheme has its origin in some sort of weakness in the payments system.

"As a fraudster sits there and decides how do I get money, the entire thing is about putting the banking system first and finding the holes that exist within it in order to do the social engineering to convince that customer to hand over money."

Starks said the banks tend to take an adversarial approach to fraud that occurs in their systems.

"We need to stop letting the banks put themselves at the end of the chain, which is where they will say they are, and they'll victim blame and tell people that they are the people that made the bad judgements and now why should they have to repay the money?

"We have to turn that in its head and say hang on, all fraud targets the payments system, that's what they're aiming for."

One of the problems with the payment system was that it did not allow banks to match the name that you input when transferring with the account.

"The banks in quite a misleading way are asking you to put my name in the system and that makes you believe that they're checking does that name match that account number? They're not."

"The banks leave it to your own risk and liability" that you have got it right, she said.

"You can try to pay your mum tonight and write the word Mickey Mouse on the account name, and it'll go through."

Starks said it was possible a class action could be on the cards to force changes.

"I think perhaps we do need a class action in New Zealand. We need to let this go through the court system."
