Off the hook: how to detect and avoid phishing attacks

Online scammers are using increasingly sophisticated techniques to lure their targets into providing money, access, and information. It may only take a few seconds for you to open a malicious email attachment, but the results can be personally and financially devastating. Knowing the common tricks and traps used by scammers will help to prevent you from becoming another victim.

Phishing is one of the most common attack methods used by scammers. In a phishing attack, a fake or deceptive message is sent to a victim in the hope that they will reveal sensitive information or provide payment. Phishing can also be used to trick a victim into installing malware on their computer or device. Phishing attacks are usually delivered by email and may include malicious attachments or links.

In a standard phishing attack, the scammer casts their net as widely as possible with the aim of ensnaring a few victims: this means sending out spam emails to a large number of people. In a spear-phishing attack, an individual or an organisation may be directly targeted with an attack that is customised specifically to them and may appear to come from a trusted source – spear-phishing attacks can even use hijacked email addresses to appear legitimate. Spear-phishing can be very effective because the victim is likely to have a higher level of trust in the source.

Businesses and individuals can take these basic measures to help to reduce the likelihood of becoming phishing victims:

  • Be suspicious! If you are contacted unexpectedly by a stranger through email or social media, think about what their motivation could be for getting in touch with you. How did they find you? Why should you trust them? If they send you an email attachment, don’t open it until you are satisfied the person is genuinely who they claim to be.
  • If you receive an unusual email, hover your mouse cursor over links before clicking on them, and compare the address that appears with the text of the link: the two can differ, and it is the address that matters. Is there anything out of the ordinary about the web address or file location the link is pointing to? Legitimate sites that ask for sensitive information, such as banks, use https:// (the S stands for secure), so its absence is a warning sign. The reverse is not true: many phishing sites also use https://, so a padlock or an https:// prefix only tells you the connection is encrypted, not that the site is genuine. Check the domain name itself.
  • If you have any doubts about the legitimacy of an email, examine it very closely. If the email is from a corporate source, does it contain any unprofessional spelling or grammatical mistakes? Is the email domain (the part of the address that comes after the @ symbol) exactly as it should be? For example, a scammer might use an address in a domain that looks like Google’s, but with the letter L in google swapped for the numeral 1. Read the domain character by character.
  • If you are contacted online through a social media site such as LinkedIn or Facebook, carefully examine that person’s profile. Do they share any connections with you? Few or zero connections in common can raise a red flag. Do they provide any information about themselves that can be verified, such as their education or work history? If they are contacting you with a work offer, does it seem too good to be true? If it does, it probably is. Don’t open any links in instant messages from people you don’t know.
  • Do a little digging. With some basic research, you may be able to establish whether an online person is really who they claim to be. If they have a photo of themselves, a reverse image search can show you if there are multiple photos of that person online under different identities – a hallmark of a scammer. To do this, either save a copy of their photo on your computer, or save a link to it, then do a Google image search and see what results you get.
  • Don’t provide credit card or banking information over the phone or in an email. Your funds can easily be stolen when a scammer has your full card details. Legitimate businesses usually have secure online methods for you to provide this information.
  • Never give someone remote access to your computer unless you have a well-established and trusted relationship with that person. Scammers can use remote access to steal your information or your credentials.
  • Scammers often pose as company officers and make urgent demands for money supposedly owing. Sometimes they will send legitimate-looking invoices. Always verify the expense is genuine before going any further. Check company records such as the New Zealand Companies Register to help confirm whether the charge is from a genuine business. Get a second opinion from your colleagues, friends or family about any unusual expenses. Be wary of demands that have high urgency: scammers use pressure and threats of penalties to convince you to pay before you’ve had a chance to think about it.
  • Be highly suspicious of any demands for payment in non-traditional forms like Prezzy Cards or vouchers, non-bank money transfer services, or cryptocurrencies such as Bitcoin. Scammers like these payment forms because they are very difficult to trace, and you are unlikely to be refunded if you are scammed.
  • Keep all your software up to date. Use a well-regarded antivirus programme, and regularly scan your systems. Use multi-factor authentication for all your important accounts, such as email and banking. This can make it much more difficult for scammers to access your information.
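The link and domain checks in the list above can also be done programmatically. The script below is an added example, not code from the original page or from the organisation that published it: it pulls every link out of a constructed HTML email, flags link text that shows one address while the link goes to another, flags domains that imitate a trusted one by swapping confusable characters (1 for l, 0 for o, rn for m, vv for w), and treats a plain http:// link as a weak signal only. The sample email, the `TRUSTED_DOMAINS` allowlist and the confusable table are all constructed for the example.

```python
"""Programmatic versions of the manual link and sender checks (added example).

The sample message, TRUSTED_DOMAINS and CONFUSABLES are constructed for this
example; replace the allowlist with the domains you actually deal with.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of organisations the reader genuinely does business with.
TRUSTED_DOMAINS = {"google.com", "mybank.co.nz"}

# Look-alike substitutions scammers use in domains. Multi-character swaps first,
# so "rn" is turned back into "m" before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Suffixes such as .co.nz, where the registrable domain is three labels long.
SECOND_LEVEL = {"co", "org", "net", "ac", "govt", "school"}


def registrable_domain(host):
    """Reduce a hostname to the part somebody registered: the last two labels,
    or the last three for .co.nz-style suffixes. Subdomains are free to invent,
    so 'secure.' or 'login.' prefixes carry no trust on their own."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(domain):
    """Return the trusted domain this one imitates via confusable characters,
    or None if it is trusted itself or imitates nothing on the allowlist."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain
    for fake, real in CONFUSABLES:
        normalised = normalised.replace(fake, real)
    return normalised if normalised in TRUSTED_DOMAINS else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Warnings the manual hover-and-inspect check would raise for one link."""
    warnings = []
    target = urlparse(href)
    if not target.hostname:          # mailto:, relative paths: nothing to compare
        return warnings
    target_domain = registrable_domain(target.hostname)

    # 1. Link text that looks like a web address but points somewhere else.
    shown = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", text, re.I)
    if shown and registrable_domain(shown.group(1)) != target_domain:
        warnings.append(f"text shows {shown.group(1)} but link goes to {target.hostname}")

    # 2. A domain that imitates a trusted one with swapped characters.
    imitated = lookalike_of(target_domain)
    if imitated:
        warnings.append(f"{target_domain} imitates {imitated}")

    # 3. Plain http is a warning sign; https alone proves nothing, so it is never a pass.
    if target.scheme != "https":
        warnings.append(f"{href} is not https")
    return warnings


def check_sender(from_header):
    """Apply the same look-alike test to the domain after the @ in the From header."""
    found = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not found:
        return ["no sender address found"]
    domain = registrable_domain(found.group(1))
    imitated = lookalike_of(domain)
    return [f"sender domain {domain} imitates {imitated}"] if imitated else []


def check_email(from_header, html_body):
    """Run every check and return {'sender': [...], 'links': {href: [...]}}."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {
        "sender": check_sender(from_header),
        "links": {href: check_link(href, text) for href, text in collector.links},
    }


# Constructed sample: a "security alert" from a domain with 1 in place of l.
SAMPLE_FROM = "Google Security <alerts@goog1e.com>"
SAMPLE_HTML = """<p>Unusual sign-in detected. Verify now at
<a href="http://secure.goog1e.com/verify">https://accounts.google.com/</a>
or read more at the <a href="https://support.google.com/">Help centre</a>.</p>"""

if __name__ == "__main__":
    result = check_email(SAMPLE_FROM, SAMPLE_HTML)
    for warning in result["sender"]:
        print("SENDER:", warning)
    for href, warnings in result["links"].items():
        for warning in warnings:
            print("LINK:", warning)
```

Run against the constructed message, the script flags the sender domain, the mismatch between the displayed `accounts.google.com` and the real `secure.goog1e.com` target, the imitation of google.com, and the plain http link, while the genuine support link raises nothing. The allowlist approach is deliberate: a confusable-character check only makes sense relative to the domains you actually trust, since any domain can be "normalised" into something.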

Useful links and resources:

Consumer Protection’s Scamwatch
New Zealand Police scam information
The Financial Market Authority’s warnings and alerts
IOSCO Investor Alerts Portal
How to report a scam