The Flubot outbreak began with a fake courier message, then mutated into a “Someone has uploaded your pictures” variant and many others. (See how to tell a genuine service message from a scam with our seven tips below.)
A common denominator is that there’s always a link to download a piece of software that purports to secure a parcel delivery or secure your phone, but actually installs malware that can steal personal data like your online banking logon.
The Flubot’s final trick is to text itself to everyone in your address book - which is why you have to be ultra suspicious of any purported service message that comes from a regular cellphone number rather than the four-digit numbers used by the likes of banks and Government agencies.
Mobile phone companies have managed to reduce the frequency of Flubot recently but, like the real-world Covid virus, it’s proved hard to wipe out as its variants wriggle around the world.
The Telecommunications Forum (TCF) recommends the following seven steps for spotting a scam text and staying safe:
Spotting scam texts, and staying safe
1. Never click on links contained in text messages. Even if you think a text is legitimate, go to the organisation’s website using an address you have bookmarked and log on from there.
2. Legitimate providers won’t ask you to install something to check your account or receive a delivery.
3. Check the sender’s number. If it’s from a legitimate company (like a bank or a courier), it will be sent via computer and will likely come from a four-digit number rather than an individual’s phone. Your bank isn’t going to have someone sitting there with a phone sending out these messages manually, so if you get one from an individual number (e.g. 021 123 456) it’s probably fake.
4. If you haven’t clicked on the link you don’t have to worry. A text message can’t infect your phone just by you opening it.
5. If the text includes a phone number to contact the provider, don’t use it. Go to the provider’s website and look up their number and call them that way. Scammers will try to get you to talk to them so they can convince you to share information. Just don’t trust those numbers.
6. Report the scam text to the DIA by forwarding it to 7726. The more reports they get the better they’re able to assess the potential harm and act accordingly.
7. Delete the text - better not to have it around in case you accidentally click on it.
Telecommunications Forum chief executive Paul Brislen says Flubot is finally in decline, but remains a threat.
“Flubot hasn’t been as much of an issue of late. We have been working to drop the messages when we see them so they don’t get to customers,” he tells the Herald.
“However, Flubot is using a range of messages designed to slip past defences and trigger the user into clicking on the link.”
Then there’s the broader issue that while the Telecommunications Forum - whose members include Spark, Vodafone and 2degrees - the Department of Internal Affairs and others recommend good practices, like not including links in text messages, some legitimate service providers continue to do so - muddying the message about how to spot a scam.
“We have been working closely with DIA and with various financial institutions on the wider issue of text scams in particular. This is made doubly tricky by the use of text messages by various service providers that in effect train customers to do exactly the wrong thing, namely click on a link in a text message,” Brislen says.
FOR HELP:
Cert NZ: Individuals and small businesses can report a cyber attack or get advice: www.cert.govt.nz
Financial Markets Authority (FMA): Financial scams. fma.govt.nz/scams/
Privacy Commissioner: Complaints about privacy breaches. 0800 803 909 or privacy.org.nz/your-rights/making-a-complaint/
ID fraud: Department of Internal Affairs advice: dia.govt.nz/Identity - Are-you-a-victim-of-identity-theft
IDCare: Backed by the Ministry of Justice and its counterpart in Australia. Assistance freezing your credit record, regaining control of your online identity after an ID theft: idcare.org
Netsafe: Report online bullying, hate speech, dangerous content or get advice: netsafe.org.nz
NZ Police: Report cybercrime, online scams, online child safety issues: police.govt.nz/advice-services/cybercrime-and-internet
Dept of Internal Affairs (DIA): Report spam, scams, banned content, child exploitation: dia.govt.nz/About-the-Digital-Safety-Group