NZ Post text message scam running hot, ‘phishing kits’ likely deployed to infect devices

The new NZ Post parcel message scam is being widely distributed.

The scam has a similar strategy but different tactics to previous package delivery rackets, and cybersecurity agency Cert NZ has received much feedback about it.

“Your package has arrived at the warehouse and has been suspended for delivery due to a missing home number in the package,” one such message in the campaign reads.

A link is included. The goal is to either infect a device or obtain personal details to compromise bank accounts.

“What’s different here is the [way] they’re being delivered. It’s being delivered by internet-enabled text messages,” Cert NZ threat response senior analyst Sam Leggett said today.

The scam most probably involved people using “phishing kits”, which could spam hundreds of thousands of people.

“That’s the back end behind the campaign. It’s the tools that they’re using to start up the phishing email, to start up the phishing websites,” Leggett added.

It was not immediately clear who was running the current campaign, Leggett said.

“What’s more relevant for people in this case is to just look at the email address, the content of these phishing messages.”

The iMessages were being sent from email addresses including Gmail and Outlook hosts to New Zealand phone numbers.

Leggett said phishing campaign scammers might send 200,000 messages but that could be worthwhile if even 1 per cent of recipients took the bait and clicked the link.

The fake parcel delivery campaign was still running hot this week.

“If you have a mobile number, if you have an email address, you’re likely to receive it.”

Locals have received these scam messages this week, in what seems to be an enduring phishing campaign. Photo / Supplied

Leggett said Cert NZ received a high number of reports about the scam.

“What I can say is I’ve been looking at our phishing inbox. I’ve seen upward of 20, 30 per day.”

He said many people would quickly see the message was a scam because the email address was not an NZ Post address.

It could be harder to know how many people had been duped in this campaign, or how much money was lost.

“The thing that can be really tricky is for people to actually understand what happened.”

Sometimes people lost money but it could take days to establish when and how funds went missing.

NZ Post has urged people not to click links in the scam messages, but report the incident to Internal Affairs. Photo / Supplied

“It can be hard to track that back to the original event,” Leggett added.

People should also protect themselves by using two-factor authentication, viewing the email sender’s address and exercising some scepticism, he said.

Artificial Intelligence was a hot talking point currently but might not make much difference to this type of scam.

“The AI tools [are] not really changing the faces of these scams.”

More relevant technology was the phishing kit, Leggett said.

“It’s a bit of a ‘software as a solution’ option.”

Cert NZ says it has received an unusually high number of reports and complaints about the fake parcel scam. Photo / Jason Dorday, NZME graphic

Leggett said if NZ Post scammers were based in New Zealand, they could be prosecuted if caught.

“Absolutely it can happen, and that highlights the importance of reporting these things.”

In late February, two men were arrested and charged after police and Internal Affairs carried out a search warrant regarding alleged text scams.

The police’s Auckland City Financial Crime Unit said that alleged scam “escalated significantly” last year.

Police said texts impersonated well-known establishments, asked recipients for personal details, and allegedly led to ill-gotten gains of $10,000-$100,000 after bank accounts were infiltrated.

A broader seven-month operation involving police, Customs and Cert NZ worked with telcos and banks to disrupt scams.

It led to seizure of SIM cards and hardware and luxury items, including a designer handbag and skincare products.

It wasn’t always clear if compromised email addresses were being used to send scam messages.

Leggett said it was important to report abuse because if a person’s email was hijacked, Cert NZ could take steps to alert the legitimate email address owner.

NZ Post advised people not to click the link, but report the message to the Department of Internal Affairs by forwarding it to 7726.

John Weekes, online business editor, has covered court, crime, politics, breaking news and consumer affairs. He reports on topics including scams, strikes, retail and macroeconomics.