How to combat online scam artists
Online scams are becoming more sophisticated than ever, costing Kiwis an estimated $400 million each year. What do businesses and individuals risk by maintaining lax digital security - and how can they protect themselves against a rising tide of cyber crime? Andrea O'Neil reports.
A hostage drama unfolded at a small restaurant not long ago - the owners held to ransom, with their livelihoods at stake.
The hostage-takers did not carry guns or wear masks. Instead, they were shadowy cyber-criminals who crippled the restaurant's computer system from an undisclosed country abroad - demanding cash to get the computer up and running again.
A restaurant staff member had unwittingly downloaded malicious software. This allowed an overseas scammer using the virus to seize control of the business's computer.
Every bit of information on the computer was locked away from use by staff members, including the Eftpos system and all stored files.
The malicious program, known as "ransomware", is one example of a new breed of sophisticated online scams costing Kiwis millions of dollars each year.
The restaurant had no backup data so, after hours of panic, the owners were forced to pay $750 to unlock their files and continue trading.
Other businesses and individuals do not get off so lightly, NetSafe's digital project manager Chris Hails says.
"I've talked to people who have parted with their whole life savings," Hails says.
"While most of us would laugh off emails from a Nigerian general promising $50 million, we hear from a really wide range of people who have fallen victim. It affects anyone and everyone."
NetSafe receives 20 to 30 reports of scams a day, with the amount stolen ranging from 39 cents to $1m. Losses totalling $8m are reported to NetSafe each year - but only a fraction of victims report their misfortune and some have estimated the real number is more like $400m, Hails says.
"Most people are embarrassed or ashamed of what's happened to them."
There are typically two reasons people fall for scams - need or greed, Hails says. Those in need might fall for a fake employment offer, while greed cost Kiwis $3.1m in investment scams last year.
Once money has gone offshore, it is usually gone forever, he says.
One businesswoman who had been using a Chinese supplier for 15 years found herself $75,000 out of pocket when she paid an invoice falsified by spammers who had hacked the Chinese company's emails. The woman had not thought to question why their bank account details had changed - she knew and trusted her contacts.
She discovered it was a scam only when the real company asked why she had not paid the same invoice.
"When you're a small business person, that's a killer blow," Hails says.
Amazingly, the business owner got half her money back a year later, when Ukrainian police managed to recover it from Nigeria.
"Ninety-five per cent of the time, the money is gone," Hails says.
Not so long ago, terrible spelling and obviously fake logos meant it was reasonably straightforward to spot a hoax email when it landed in your inbox.
But now a dodgy email might be indistinguishable from a legitimate one, and is often sent from a trusted email address, Internal Affairs investigator Kate Newrick says.
In fact, poor grammar might be used deliberately - to weed out sceptical people who notice such details, Newrick says.
"People who are thinking it's dodgy in the first place, they're less likely to pay or give information."
Early April typically sees a rash of emails claiming to be from the Inland Revenue Department, offering tax refunds. Scammers have little respect for moral boundaries - they might pose as charities collecting for natural disasters or offer inheritances purportedly left by someone who died in tragedies like the MH370 plane crash, Newrick says.
"There definitely is a scam for everybody, and the scammers are getting far more advanced with how they approach scams. It's a lot more psychological."
Newrick makes up one-sixth of Internal Affairs' electronic messaging compliance unit, a team with legal powers to prosecute spammers and scammers under 2007's Unsolicited Electronic Messages Act. Individuals can be fined $200,000 or businesses $500,000 for breaching the act, but the team has limited powers when it comes to overseas scammers, even if they can be identified, team manager Toni Demetriou says.
"Those people are very competent and capable, and can anonymise their activity."
However, the number of hits the team's website gets from countries such as India, Nigeria, Malaysia and the Philippines suggests scammers are taking notice of their work.
A scammer can sell even the smallest bit of personal data, earning perhaps 50 cents to confirm an email address is active. But gaining access to an email account is the jackpot - potentially giving scammers credit card and bank details, plane tickets, passport details and more, Demetriou says.
"It's a whole dark economy that drives this kind of activity. Any piece of information about an individual has a value on the dark internet."
Since people often use the same password for all their online activity, one breach can bring down a person's whole digital identity.
While many people understand the need for strong passwords for email, they often fail to take the same precautions for Facebook or other social media accounts, NetSafe's Hails says.
"People say, it's only my Facebook, do I really need to use a strong password? We say yes, because you're connected to platforms that are linked to your credit card. People can daisy-chain round your online life."
He recounts how a Kiwi clothes shop owner had her Facebook account hacked, the scammers racking up a $97,000 bill placing Facebook ads for other companies. They also drained $1500 from her business account.
"She was facing financial ruin. The guys that are doing this are professionals. This is their business, this is their life."
Friends and family can also be targeted once scammers gain access to a Facebook account, as seen in New Zealand recently with a Ray-Ban sunglasses sale scam.
Cybercriminals frequently change the look and approach of their scams to outwit victims and enforcers, Hails says.
"It's hard to keep up."
In March, Facebook announced users could transfer money to each other using the Messenger feature. Hails does not want to discourage anyone from embracing technology, but immediately sees the potential for scammers.
Victims of scamming say their feelings of violation, as if they have been burgled, are worse than money lost.
Better passwords and improved online "hygiene" could prevent both, Hails says.
"Most people ignore it. It's about as exciting as life insurance.
"It's like changing the oil in your car. You pay to have a service every year hopefully, and your computer is the same."
Protecting your mobile phone is just as important - without a PIN, anyone can access your internet banking, work and private email, and apps with credit cards attached such as Trade Me, Hails says.
Demetriou agrees: "If people care about their digital citizenship, then spend a little bit of time on it."
Hands up if one of your passwords is "12345" or simply "password". You are not alone - both made 2014's top 10 passwords list, but rate bottom for security.
The best passwords feature 15 characters or more, with a sprinkling of symbols and a mixture of upper and lower case, NetSafe's Chris Hails says.
"That sounds absolutely horrendous to most people," he admits.
To make it easier, try modifying a line from a song or poem.
Do not allow your web browser to auto-save your passwords, Internal Affairs senior investigator Peter Merrigan says. Free software is available that can generate and store passwords securely.
Use two-step authentication wherever possible, secure your wi-fi network, and always update software when your computer or phone prompts you to.
Even if an email is sent from a legitimate address, Merrigan advises people to hover their mouse cursor over the link it directs users to. If the link address is long and made up of gobbledygook, "that's when a bell should be ringing", he says.
In any case, "nobody should be navigating to a login page from an email".
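Merrigan's hover-over-the-link check can be automated for an HTML email body. The script below is an added example, not code from the article or from Internal Affairs; it assumes a constructed sample email and flags links whose visible text names one domain while the address points elsewhere, links to a bare IP address, over-long addresses and plain-HTTP links.

```python
"""Mirror the 'hover over the link' check on an HTML email body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article): one ordinary link,
# one look-alike address with a long random query, one bare IP address.
SAMPLE_HTML = """
<p>Your refund is ready: <a href="https://www.ird.govt.nz/refund">Claim now</a></p>
<p>Or visit <a href="http://ird.govt.nz.secure-login.example/x9k2/?u=aGVsbG8gd29ybGQ=&amp;s=7f3a2b">www.ird.govt.nz</a></p>
<p>Update details at <a href="http://203.0.113.5/login">your bank</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, text):
    """Return the reasons this link deserves a second look (empty = none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    # Visible text names a domain, but the real destination is elsewhere.
    m = re.match(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and host != m.group(1) and not host.endswith("." + m.group(1)):
        reasons.append("text says %s but link goes to %s" % (m.group(1), host))
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("destination is a raw IP address")
    if len(href) > 60:  # "long and made up of gobbledygook"
        reasons.append("long address (%d characters)" % len(href))
    if urlparse(href).scheme != "https":
        reasons.append("not HTTPS")
    return reasons

def scan_email(html):
    """Map each link's href to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: link_warnings(href, text) for href, text in collector.links}
```

Run `scan_email(SAMPLE_HTML)` to see the legitimate-looking link pass while the look-alike and IP-address links each collect several warnings.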
Businesses especially should back up their information separately from their computer network, so another copy is obtainable if ransomware seizes their system.
Anybody who suspects they have received a spam text message can forward it for free to 7726, which alerts Internal Affairs. Other scams can be reported on the unit's website, manager Toni Demetriou says.
The more people who report scams, the better chance Demetriou's team has of spotting trends and patterns, and allocating resources accordingly, he says.
- The Dominion Post