In association with
Avoiding scams and fraud
Both scammers and hackers want to exploit you and your business to gain access to your money or private information. To protect your business, it is important that you are aware of common risks and make prevention a priority for all staff.
Cyber attacks
There are many ways attackers might target your business. Some are more obvious, like if your business loses money or you are suddenly unable to access your online systems. Other attacks are harder to detect, for example, an attacker may use your website or network to attack others. Luckily, there are things you can do to help prevent your business being the target of an attack.
To reduce your chances of experiencing any kind of online incident, everyone in your business needs to be aware of the risks and commit to safe practices. Make sure you set aside time to educate yourself and staff on new threats and regularly check-in with any questions or concerns.
Defence against cyber attacks
Safeguarding yourself from cyber security threats can be easier than it seems. Some simple measures to significantly reduce risks include:
- Backing up systems and data regularly.
- Encrypting important systems and data.
- Keeping all software up-to-date.
- Installing security software to protect from viruses and other malicious programs.
- Using strong and unique passwords or passphrases across all your accounts.
Top online security tips for your business(external link) — Own Your Online
Get Cyber Smart(external link) — CERT NZ
If one of your devices alerts you to an update, don't ignore it.
The latest updates or versions often patch or repair any new vulnerability to cyber attacks.
Spotting a scammer
Scammers are often inventing new ways to try and trick people and businesses. But scams usually have common characteristics you can look out for.
Scams usually start when someone makes unexpected contact with you. This could be in person, by phone, letter or email.
In exchange for money or private information, they may:
- make you an attractive offer, for example, connections to angel investors if you pay an upfront finder’s fee, or access to crypto currencies
- say you urgently need important products/services, for example, critical software updates
- pretend to be someone they’re not, for example, your bank, a supplier or a senior leader within your own business.
If you think you’ve been scammed
- Stop all contact with the scammer.
- If you’ve provided any financial details, call your bank.
- Report the scam.
You can report scams, fraud or cyber security incidents to CERT NZ.
Train your staff
You can’t blame staff for getting things wrong if they don’t know the rules or understand what the risks are. Take time to educate your staff and make sure all your employees, and anyone else who may have access to your IT systems, are aware of the common characteristics of a scam, how to detect cyber security risks and how to avoid them.
It’s a good idea to:
- Get staff to read the content on this page so they are familiar with common risks and how to avoid them.
- Make sure staff know when it’s appropriate to share private information and financial details, and with who.
- Set policies around payment for products and services.
- Set out the dos and don’ts for new staff as part of getting them on board.
- Keep regular updates about new security risks and scams.
- Create a password policy
- Have a cyber security policy.
Educating your staff about online security(external link) — Own Your Online
Create an online security policy for your business(external link) — Own Your Online
Create a password policy for your business(external link) — Own Your Online
Set times for tasks like depositing money and making payments — it’s easier to spot suspect transactions if they occur outside these designated times.
Banks never ask for passwords in person or by email — be wary if asked.
Common scams and how to deal with them
Here are some common ways scammers and hackers may target your business. But remember, different scams are always being invented. A good rule of thumb is if a deal sounds suspicious or too good to be true, it probably is.
Malicious spam emails
What is it?
Any unexpected email from someone asking you for money or personal information.
What to do:
- Don’t reply — if you do, it confirms your email address is active and ready for further 'offers'.
- Don’t open attachments from senders you don’t know — the same goes for clicking on links, which can infect your computer with malicious programs.
- Don’t forward hoax emails — if you get an email that looks like a hoax, it probably is.
Note: If you do receive an out-of-character request for private information or money from a sender you recognise, it always pays to verify with senders over the phone.
Watch: How to spot phishing
Video transcript: Unmasked Cyber Crime: Episode 5 - How to spot phishing
[Visual] The screen opens up to display our unmasked real leader. Throughout the episode you will see our unmasked real leader on the right side of the screen and our masked fake leader, whose mask looks like the real leader’s face, on the left, sometimes they will appear solo and sometimes side-by-side. The masked fake leader will often mimic the unmasked real leader.
[Audio: Real Leader] Now you've gone through the modules so far, you might think you have all the protections sorted.
But to be tricked by one of the most common scams out there…
[Audio: Fake Leader] …all you need to do is click a link.
[Visual] Unmask Cyber Crime intro graphic - Episode 5 - How to Spot Phishing
[Visual] Montage of the unmasked real leader flickering through different outfits to represent different business Industries Including, real estate, accounting, construction, retail, hospitality, floristry and farming.
[Audio: Real Leader] Say you're leading a tech firm. Your team may have seen emails come through from someone who looks suspiciously like...you.
[Audio: Fake Leader] When actually…it's me.
[Audio: Real Leader] Maybe they've received a message from 'you' asking them to urgently authorize a payment, update business data, or even organize gift cards.
[Audio: Fake Leader] Guilty!
[Audio: Real Leader] Or they might receive a phone call from a strange number, asking a whole bunch of strange questions…or even questions that seem pretty innocent.
[Audio: Fake Leader] Hello, it's your bank, I just need your account number, right now... Pleassssssseeee.
[Audio: Real Leader] Or it might be a text, asking you to click a link.
[Audio: Fake Leader] Click here!
[Audio: Real Leader] These are all examples of phishing, where your team think something is coming from someone, they trust…like you.
[Audio: Fake Leader] Surprise, I am you!
[Audio: Real Leader] Any action they ask them to do is designed to undermine your security.
Clicking links, sharing personal information, sending funds in an unexpected way, and acting with urgency.
[Audio: Fake Leader] The faster the better. So, your team don’t have time to stop and think that maybe I'm not you.
[Audio: Real Leader] Sometimes, they'll change your company's email slightly.
[Audio: Fake Leader] Oh you're .co.nz? Well I'll use .com
[Audio: Real Leader] The messages might even threaten your staff – through the pretence of being you – if they don't act on 'your' request.
[Audio: Fake Leader] ….oops.
[Audio: Real Leader] Let's have a look at some scam emails so you can recognise them.
[Visual] Graphic of a sample email from Inland Revenue appears with the email address highlighted to show It's from a completely different sender
Here you can see that this email address isn't even remotely connected to who it’s claiming to be from.
[Audio: Fake Leader] Hey, I tried.
[Audio: Real Leader] Or when you hover over the link it’s trying to get you to click, it suddenly appears as a much longer looking link.
[Visual] Graphic of a sample email from Inland Revenue appears with link In the email highlighted to show It goes to a different URL than stated
[Audio: Fake Leader] It's all well and good to know what you're looking for; I won't stop sending them as you. Someone you know will click them.
[Audio: Real Leader] But
[Visual] Montage of the unmasked real leader and masked fake leader flickering through different outfits to represent different business Industries Including, real estate, accounting, construction, retail, hospitality, floristry and farming.
[Audio: Real Leader] …all business leaders can take simple steps to protect your team from being phished. Even on the farm.
[Audio: Fake Leader] You don't need to do that.
[Audio: Real Leader] Implement security measures like email filtering and antispam, to stop phishing emails from making their way to you.
[Visual] Graphic appears on screen - Implement email filtering and anti-spam
[Audio: Fake Leader] Don’t you want to hear from your boss?
[Audio: Real Leader] Make sure there's antivirus software on any device concerning your business, to identify those dodgy email attachments before you open them.
[Visual] Graphic appears on screen - Install antivirus software
[Audio: Fake Leader] Who you calling dodgy?
[Audio: Real Leader] Conduct regular training on phishing so your team are aware of the signs – especially as times and techniques change, and cyber security tools adapt.
[Visual] Graphic appears on screen - Run phishing training sessions
[Audio: Real Leader] Any request to alter business or payment information should always be independently verified via a different channel. Using E-Invoicing for sending invoices is a great way to send Important Information more securely.
Ask your email provider to help you enable SPF, DMARC and DKIM to stop criminals spoofing your business' email addresses.
[Visual] Graphic appears on screen:
- SPF: Sender Policy Framework
- DMARC: Domain-based Message Authentication Report and Conformance
- DKIM: Domain Keys Identified Mail.
[Audio: Fake Leader] Ahhh don't reach out to them that's too much of a hassle.
[Audio: Real Leader] And that's how you can help your business avoid phishing scams. So, those are all the ways you can Unmask Cyber Crime. For more ways to protect your business from scammers like them, head to www.ownyouronline.govt.nz(external link)
[Visual] Graphic on screen ownyouronline.govt.nz
[Audio: Fake Leader] Or…don't.
[Visual] Unmask Cyber Crime graphic leading to end screen slide with Own Your Online - Learn how to protect yourself online at ownyouronline.govt.nz/business.
[Video ends.]
To learn more about cyber security in your business visit Own Your Online.
Business online security series(external link) — Own Your Online
Steer clear of hoax emails
Hear tips from Paul Macpherson, head of security at Xero, on how you can stay safe when you use email — the vital tool many businesses rely on.
Never reply to a spam email or letter — even if it had an emotional impact on you. It’s safer to report and delete it.
Email hacking or identity theft
What is it?
Cyber criminals may intercept business emails and send false invoices to clients asking for payment to be made to their own bank account. Or they might pretend to be from your business for other reasons like gaining confidential business information.
How to stop it
- Make sure your antivirus software is up-to-date.
- Make sure all email accounts are strong with unique passwords.
- Turn on two-factor authentication on email accounts to add an extra layer of security.
- Don’t ignore pop-up reminders of updates from your software provider(s).
- Educate staff on how to spot risky links and websites — and why they shouldn’t click them.
Business email compromise(external link) — Own Your Online
Blocked access to computers
What is it?
Ransomware — a type of malicious software designed to encrypt data and make systems inaccessible — stops systems and computers working until a password is entered. You’ll get a ransom demanding payment, usually to an overseas account, in return for a password. Ransomware also infects smartphones, often through apps downloaded via social media.
What to do to prevent ransomware attacks:
- If in doubt about an email or text, delete it. Don’t click on the links.
- Make sure software systems are up-to-date, particularly antivirus and malware protection software.
- Don’t open attachments you weren’t expecting or that come from sources you don’t know.
- Don’t download apps from sources you don’t know.
- Ensure you have an offline back up available.
What to do if experiencing a ransomware attack:
- Physically unplug your infected devices.
- Seek IT support.
- Use an offline back up, if you have one available. It can take time to get everything back up and running.
Businesses and ransomware(external link) — Own Your Online
Phishing — or asking for passwords
What is it?
Scammers use emails and texts to get you to reveal PIN numbers and passwords for things like banking, Inland Revenue and social media — and to send false invoices.
How to avoid it:
- Be sceptical — don't reveal your passwords, PIN numbers or sensitive information in a text or email. Instead, go to the website the person says they represent to check if it’s genuine.
- Check the authenticity of emails you weren’t expecting or that promise something too good to be true. Scam email addresses may be different — though often similar — to genuine addresses. The email address may also be genuine but compromised if a scammer has hacked into someone’s system and is sending emails on their behalf. If in doubt, mark the email as junk mail or spam without opening it. Then delete it from your spam folder.
- If an email seemingly from your bank asks you to click a link to log in to your account, don’t click it — open a browser window and type your bank’s web address in. If the URL is different in the email but the website looks like your bank’s, it’s a clone designed to catch people out.
Phishing scams(external link) — Own Your Online
Fake IT support
What is it?
Someone calls you out of the blue, saying your computer has a virus or you need to upgrade software. They tell you to download software that will help or ask for your login details to fix it. But there’s no virus or service. The software hacks your computer or the hacker logs in to your systems to steal information.
How to avoid it:
- Do not click on links or type in any web address you’re asked to enter.
- Do not give login details to anyone who contacts you out of the blue.
If it happens to you:
- Hang up the phone.
- Immediately unplug your computer from the internet or turn on airplane mode if you've downloaded the software.
- Run your antivirus software.
- Use another computer to change all your passwords.
- Alert your bank — they might be able to get your money back.
Scams and fraud(external link) — Own Your Online
Malware(external link) — Own Your Online
Don't use the same password or passphrase for any of your systems or staff.
Cyber criminals will get access to ALL your information in one hit. And don’t use P-A-S-S-W-O-R-D or other easily guessed passwords.
Create a password policy for your business(external link) — Own Your Online
Ongoing payments for fake products or services
What is it?
This involves sending fake invoices to trick businesses into joining something, for example, online directories or renewing intellectual property registrations. If you pay the first invoice, you’ll be invoiced for the fake listing until you spot the error.
If it happens to you:
- Tell the company invoicing you — by email or in writing — you didn’t authorise what you’re being invoiced for and won’t pay.
- Talk to a lawyer if they threaten legal action.
Call your bank straight away if you’ve sent credit card details or paid money to a suspicious trader.
Asking for payment in advance
What is it?
Scammers may contact you with an attractive opportunity in exchange for an upfront fee — but the scammer never delivers their promise. A common example is promising grant information that either doesn’t exist or can be easily found on government websites.
How to avoid it:
- Before you pay money to a business or person who has contacted you out of the blue, do some research on the product/service they are offering.
Fake surveys
What is it?
Scammers may call to ask you for information about your business for a survey or directory. The information they ask for may seem harmless, but they could be collecting details to appear legitimate when they make contact with you later on.
How to stop it:
- Make sure staff who answer telephone calls are familiar with what information they can give out — and how to recognise this type of phone call as potential scam.
Internal fraud
What is it?
Staff fraud is rare, but there are warning signs to watch for, including situations when an employee:
- controls a financial process from start to finish — without being checked by people qualified to do so
- has large debts and/or appears to be living beyond their means
- has financial responsibilities and is reluctant to take annual leave.
Insider threat(external link) — Own Your Online
If you're suspicious, check it out
If you aren’t sure if the person who has contacted you is genuine, a little investigation can put your mind at ease.
Depending on how they made contact, there are a number of ways you can check their legitimacy:
- Never assume a company is based in New Zealand just because its website address ends “.nz”.
- Check payment pages are secure. Look for the padlock symbol used on websites, and make sure the URL begins with “https” — the “s” stands for secure. Only make payments if it’s a transaction you initiated. Remember, a padlock symbol doesn’t necessarily mean the website is legitimate.
- Do an online search for the company’s name online and the word “scam”. You may find stories from people caught out by a similar scam.
- Always check contact details, especially if it’s only a mobile number or an email. Do an online search on the company name to check if the contact details given match those on its website. This is because scammers sometimes pretend to be from legitimate companies or organisations.
- If you call and can’t get through, or it goes to an overseas call centre, it may be a scam.
Search for a company(external link) — Companies Office
