Scams are harder to spot, warn banks
Scammers are using duplicated bank callcentre phone numbers and text messages with links to fake bank websites to trick Kiwis into handing over their account details.
Children’s book author Malcolm Clarke this week posted a viral video warning of a scam in which crooks disguise themselves as bank workers and pretend to combat fraud.
Clarke cancelled his Kiwibank card when he noticed strange transactions from his account. Kiwibank then told him that its fraud department would look into it.
Clarke then received a no caller ID phone call from the scammers claiming to be from Kiwibank asking for his access code. When Clarke got suspicious of the caller the scammer then called back on an 0800 number asking for passwords and the answers to his security questions.
Luckily he didn’t fall for the scam. But millions of dollars are being tricked out of Kiwis every year.
It has prompted the banks, Cert NZ, Consumer Protection and the Department of Internal Affairs to issue a warning about the rise in sophisticated attacks against New Zealanders.
Cert NZ director Rob Pope said scammers were able to imitate bank call centre phone numbers and could accurately copy the script that a real call centre would use.
“It can be difficult to tell the real from the fake. If you have any concerns about the legitimacy of a call . . . hang up, find the bank’s phone number from its website and call them back. This way you are assured the information is genuine.”
Pope said scammers relied on urgency and fear to make people react without thinking and he urged people to take a break and pause.
“The scammers will use a sense of urgency, hoping you won’t think clearly and will make a mistake.”
Consumers are being urged to use two-factor authentication on their bank accounts. The extra security measure means people have to enter a one-time unique code, which is usually sent to their phone, for a payment or money transfer to occur.
The code should be kept secret and your bank will never ask for it.
The agencies also warned that text message phishing had increased at an alarming rate over the past few years.
Consumers are typically sent a short message and a link. The message will use the same social engineering triggers of urgency, fear and opportunity to elicit a response.
Once the user has clicked on the link and entered their banking information into an imitation bank website they will receive a phone call from the fraudster impersonating the bank’s fraud team, trying to obtain security codes and other financial information to complete fraudulent transactions they have just created.
Sam Gribben, senior analyst in the threat and incidence response team at Cert NZ, said a legitimate bank worker would never ask for a person’s password, access number or two-factor identification codes.
“If [someone] claims they are from the bank and is requesting this kind of specific information that should ring some alarm bells and that’s where we recommend you hang up the call, call the legitimate number for your bank . . . and speak to someone at the bank about the contact you have received.”
Gribben said often those who expressed concern about the call were then told the issue was urgent and needed to be sorted out straight away.
“And that can be another red flag.”
He said it was easy for scammers to duplicate a bank’s legitimate phone number.
“They just need a piece of software that will change the output of what comes up on the victim’s side . . . to make it look like they are calling from that number. It is quite easy for them.”
The number could also come up as private, which some banks also use when they make calls to customers.
Gribben said another red flag was the caller asking for access to a device via a third party piece of software. Remote access will give them the ability to get into your bank accounts.
He said Cert NZ was seeing an increase in the number of scams that involved phone calls.