LEGAL LINES - Detecting phishing scams

Thursday, September 10, 2020

I was wading through my email inbox last month when I saw an email with the subject line ‘Your vehicle’s licence (rego) expires soon’. At first glance it appeared to be from the NZ Transport Agency, as the logo, colour scheme, layout and content were almost identical to the usual reminders I receive from the NZTA. However, I knew that my vehicle registration did not expire for several more months, and when I looked closer I noticed that the email address was no.reply@nzta.org.nz rather than no.reply@nzta.govt.nz, and the link that you clicked said ‘License now (rego)’ rather than ‘Licence now (rego)’. It was fortunate that I had my wits about me because it would have been easy to overlook these subtle differences. This month I want to share with you some tips to help you spot a phishing email and avoid being tricked by the increasingly sophisticated scams out there.

What is a phishing scam?
In a phishing scam, the scammer attempts to obtain private information from a victim by posing as a reputable entity in an email or other electronic communication. For example, the scammer may send you an email posing as a bank representative, courier company, or subscriber service, claiming that your account requires payment, fixing or verification. The email then directs you to a fake site where you are asked to provide sensitive information: your username, password, and more. With this information, the scammer then has access to your account. People often use the same password for everything, so once you have entered it on the fake site the scammer can access multiple accounts belonging to you.

Why are scams hard to spot?
Scams are one of the hardest security threats to protect against because they rely on exploiting naivety rather than technical flaws. Previously, the best way to confirm whether a request was legitimate or came from a scammer was to make a call to the business. However, these days a lot of business is carried out over WhatsApp, Zoom, Skype, and other services. The ability to easily obtain a virtual number is one of the reasons that the public is now easily sucked into a scam. Unfortunately, no country is exempt and no country can easily prevent scammers.

Identifying a scam
Here are some ways to conduct simple tests to confirm the legitimacy of an email:
• Think about whether you’ve signed up to receive email notifications and reminders from the business that has contacted you. An unsolicited email should be a red flag.
• Take time to look at the email address that the message has been sent from. You can often distinguish a genuine email address from a fake one because it will be similar but not quite correct.
• The email might be missing specific details that you’d expect the business to know. For example, the phishing email that I received from the NZTA was missing my vehicle’s make, plate number, and the registration expiry date.
• If there are spelling mistakes or the grammar is incorrect then this is highly suspicious.
• Contact the police to see if they have received any information or complaints about scams from the email address used to make contact with you. If the scammer has already been reported, then this may confirm your suspicions.
• Look at the details on the email. If there are statements of reliability and phrases like ‘we are not a scam’, then chances are it’s a scam!
• When purchasing online, be wary of reports that there is only one item left. Scammers love to apply pressure for funds with excuses of low stock levels to fool you into making an impulse buy. Make them wait, or don’t buy, because creating a sense of urgency is a common ploy that scammers use.

What to do if you think it’s a scam
If you’re unsure whether you’ve received a legitimate email then you can hover over buttons or links in the email to view the website address they’ll take you to before clicking on them. Never give out your personal details or payment details and do not reply to the email. In many cases, businesses will have an email address that you can send the email to and they can reply to you to let you know whether it’s a scam email. I sent my phishing email that purportedly came from the NZTA to reportscams@nzta.govt.nz to report it and then I deleted it. I would also recommend checking that your device is protected by anti-virus and anti-spyware software. If you have mistakenly provided a scammer with your personal details, then contact your bank immediately and ask them to stop the suspicious payment. You may also need to request a new credit or debit card. It’s also a good idea to report the incident through your local police station and their cyber crime division.
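
The two manual checks described above, comparing the sender's address with the genuine domain and looking at where a link really goes, can also be done by a script. The following is an added example and not part of the original article: the function names are hypothetical, the genuine domain nzta.govt.nz is taken from the article, and the sample message and its link URL are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email described above; the link URL is made up.
SAMPLE = """\
From: NZ Transport Agency <no.reply@nzta.org.nz>
Subject: Your vehicle's licence (rego) expires soon
Content-Type: text/html; charset="utf-8"

<p>Your vehicle licence expires soon.</p>
<a href="https://nzta.org.nz/renew">License now (rego)</a>
"""

class LinkCollector(HTMLParser):
    """Collects every <a href>, the address hovering over a link would show."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def on_domain(host, trusted):
    """True only for the trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def check_email(raw, trusted):
    """Return a list of findings; an empty list means no mismatch was found."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not on_domain(sender_host, trusted):
        findings.append(f"sender domain {sender_host!r} is not under {trusted!r}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkCollector()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href in parser.hrefs:
                host = urlsplit(href).hostname
                if not on_domain(host, trusted):
                    findings.append(f"link target {host!r} is not under {trusted!r}")
    return findings

if __name__ == "__main__":
    for finding in check_email(SAMPLE, "nzta.govt.nz"):
        print("WARNING:", finding)
```

The comparison is an exact match on the domain or its subdomains, so a lookalike that merely contains the genuine name, such as a host beginning with nzta.govt.nz but ending in another domain, is still flagged.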