Stay-at-home mum Tiana was juggling housework and looking after her two young kids last April when a Facebook alert caught her attention.
The 27-year-old Auckland-based performance artist had been tagged in the comment section beneath a post from a reputable New Zealand-based media outlet, which she’d shared via her own Facebook page.
The comment outlined some exciting news: Tiana had been selected for a cash prize of $1000 and all she needed to do was message the person who had tagged her to claim the prize.
“Usually, I’d do my research and look through their page and see how many friends they have,” says Tiana.
“But at the time, I was in a financially unstable situation. I thought, ‘Wow, I can catch up on my bills and give some of that pūtea to my whānau.’”
Tiana got in touch with the commenter via Facebook Messenger, thinking the prize was related to a competition the media company was running. She was sent a link to a website where she was asked to register with the company and enter her bank account details so she could claim the prize. The $1000 never turned up in her bank account, but a month later, she was shocked to see $340 had been withdrawn from her account.
Phished
Tiana is a bit hazy about the exact personal details she entered into that website. But it’s likely she fell victim to a phishing scam, which is designed to trick you into divulging sensitive information, such as account log-in details, or into downloading malware, which can be used to access data on your phone or computer.
Thousands of legitimate competitions are run on Facebook every day by reputable companies. But prizes and special offers have also become the honeypot scammers present online to lure people in.
“At the time, I was really upset because I needed that money,” says Tiana, who was told by her bank that the transaction had been initiated overseas. The bank gave no refund and Tiana didn’t report the scam to Facebook.
“I felt responsible, I felt dumb,” she says. “It was pretty stressful, I just kind of had to deal with it,” she told the Listener.
We’ve heard a lot in the past year about elaborate online financial or romance scams that have fleeced New Zealand victims out of thousands, or even tens of thousands of dollars at a time. But more common are the mass-market scams that aim to harvest small amounts of cash from unsuspecting social-media users, or text and email recipients.
During Cyber Smart Week, which kicked off yesterday, CERT NZ, the Computer Emergency Response Team, is putting human faces to the scam statistics. A total of $4.2 million in direct financial losses was reported to the government agency in the three months to June 30, with a 26% jump in reports of phishing and credential harvesting. Kiwis are reporting around $20 million a year in cybercrime losses, which is just the tip of the iceberg: the majority of scams, like Tiana’s, go unreported.
Kidnapped!
The Exposed: Through the Lens of a Hacker exhibition, launched at the Tuesday Club in central Auckland last night, features portraits of New Zealanders who have fallen victim to online scams. The photos are taken as though a hacker has hijacked the victim’s web camera, surreptitiously snapping an image without them knowing.
One of them is of William, who was on holiday in Malaysia when he received an urgent text from a travel agent friend, who told William he had been beaten up, his passport taken and that he was being held hostage at his hotel in Manila.
His kidnappers wanted NZ$800 before they’d release him, and his friend’s flight out of Manila was in a few hours. The texts kept coming, sounding more and more desperate each time. William transferred the money, but realised soon after he had been scammed – his friend was safe at home in Auckland.
The fake friend-in-jeopardy scam is a common one, exploiting our concern for the welfare of our mates, and driving us to make hasty decisions with the window for action supposedly closing quickly.
Megan fell victim to a Facebook Marketplace scam. While she was trying to sell a jacket online, the buyer asked if she could reduce the price and include shipping. They also asked if she’d be open to paying through the site itself, which she’d never heard of before. Megan clicked on the link they sent and provided her bank account username and password. She immediately received a payment alert saying that money had been taken out of her account.
Fortunately, her bank messaged her to say the payment had been blocked and she didn’t lose any cash.
These are the tricks scammers are pulling every day to try to part us from our hard-earned money. But the emotional toll can be considerable too.
CERT NZ this week launched Own Your Online, a new website with tips on how to stay safe online, and more accessible information than the technical content it also offers for businesses. There’s a scam check which will help you ascertain whether the email, phone call, text, social media post, or website link you’ve been sent is likely to be a malicious attempt to steal your personal details – and your money.
“I think now how silly I actually was,” Tiana reflects on last April’s events. She’d like to see Facebook owner Meta do more to stop scammers prowling its social networks, which collectively now have more than three billion active monthly users, according to tracking company StreetAccount.
“I just accepted it. It is what it is. You just have to push through it for your family,” says Tiana.
“I still use Facebook but I just know not to click on any links for any prizes.”
CERT’s five tips for staying safe online
1. Create strong passwords
Creating long, strong and unique passwords is one of the simplest but most effective security changes you can make. Many of us use the same password for all of our accounts, or stick to two or three different ones that we use over and over. The problem with this is if an attacker gets access to one of your account passwords, it often gives them access to many of your other accounts as well.
2. Use two-factor authentication (2FA)
2FA is a unique code sent to your phone (or another device) to verify that it’s really you trying to access your account. For example, if you are logging into your bank account, the site sends you a code for you to enter. You can then get into your account by entering this code along with your password. It’s a helpful second line of defence and keeps attackers out of your accounts should they obtain your login details.
3. Turn on auto updates on your apps and devices
Updates protect you from any weaknesses or vulnerabilities that could let attackers in. When vulnerabilities are identified, the developers quickly change the code to resolve the issue and send it to your device as a software update. Timing is important here — the sooner your system is updated, the more secure you are.
4. Set your social media settings to private
Make sure your social media privacy settings are switched over to ‘Private’ or ‘Friends only’ – this way, you can control who sees what information you share and who you’re sharing it with. This protects not only you, but also your friends, family and followers from scams.
5. Think before you click
Be wary of opening links and attachments in text messages, emails or on social media. These can be used by attackers to get hold of your personal details, or to install harmful software on your device. Even if you think it might be legitimate, it’s better to be cautious. If something sounds too good to be true, it probably is!
Source: CERT NZ Own Your Online