Facebook Marketplace NZ Post scam rife, Kiwi cyber security expert reveals counterattacks

One current scam, seen on Facebook Marketplace, involved a con artist asking to organise 'payment' through NZ Post.

Cyber security experts and police are urging the public to be wary of social media shopping scams this summer.

One common scam now involved people approaching social media users and claiming to organise payment through NZ Post.

“Scams involving buying and selling goods online are the most common type of scam reported to us,” the National Cyber Security Centre told the Herald.

“They will try to trick you into paying for items that don’t exist, or into giving them sensitive information such as your personal or financial information, which they can use to steal from you.”

One current scam, seen on Facebook Marketplace, involved a con artist asking to organise payment through NZ Post.

“They will send you a link to a website that may look like NZ Post, but the site is controlled by the scammer,” the NCSC added.

“They will ask you to enter your financial or personal information. Money is then taken from your credit card.”

Another common scenario involved a supposed buyer trying to convince people payment had been made, such as through a fake screenshot of a bank transfer.

“So you will send the items, but the money will never arrive, and they will stop communicating. A scammer may also pretend to be selling something on social media. You pay for the item, only for it to never show up, or you receive the wrong item.”

The NCSC added: “Do not click on any links sent you by the buyer or seller. And if you do, do not enter any personal or financial information, no matter how legitimate the site may seem.”

An example of one postal delivery online scam operating. The NCSC examined these messages and said the person being targeted correctly identified it as a scam. Photo / Reddit

NZ Post referred queries to police.

Detective Inspector Stuart Mills of the police National Criminal Investigation Group said several reports had been received of offenders targeting people selling items or services online at places such as Trade Me and Facebook Marketplace.

“The offenders pretend to be an interested buyer, and urgently request to buy your product and arrange a courier pick-up,” Mills said.

“The victim receives a fake courier website link to complete a verification process asking for personal details, like bank account numbers, passwords and phone numbers.”

But even as scammers scale up their tricks and use stolen personal data to target Kiwi shoppers this Christmas, another secretive group will be watching the scammers.

Josh Alcock, Fortinet principal cyber security strategist, said many cyber security companies, including his own, were monitoring dark web forums and marketplaces.

Undercover operatives engaged in “adversarial-centric intelligence” and built up personas to infiltrate dark web forums, Alcock told the Herald.

He said some scammers traded stolen or compromised personal data on dark web forums.

“The majority of this stuff is initiated from overseas,” Alcock said.

“People are selling compromised shopping cards and things like that.”

Some scammers and organised criminals discreetly traded personal information from data breaches.

Information gleaned from data breaches was sometimes of little intrinsic use but could be used to establish accounts on places such as adult subscription sites where ID verification was required.

Fortinet said this Christmas it expected more shopping-themed phishing lures using generative AI.

Alcock said Fortinet was recently involved in Operation Serengeti, where law enforcement from multiple African and other countries dismantled a scam network.

“Afripol took down a bunch of people and we were involved in it.”

Alcock said the scammers were involved in ransomware, extortion, compromising business emails and other online scams.

He said scammers would be targeting New Zealanders with seemingly good shopping offers.

“There will definitely be stuff that looks extremely appealing, or they’ll push a massive discount.”

High-pressure sales tactics were common in these scams and so were tactics such as telling people the desired product had limited availability.

One of the groups Operation Serengeti targeted was a Kenyan online credit card fraud outlet.

Fortinet said funds were stolen using fraudulent scripts and redirected to companies in the UAE, Nigeria and China.

In another crackdown, authorities tackled a Cameroon multi-level marketing scam where victims were trafficked from seven countries, held captive and forced to recruit others to gain freedom.