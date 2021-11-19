A single mother who fell victim to a widespread text message scam is urging others to be vigilant as Christmas approaches.

The woman, who asked to remain anonymous, recently received a text saying a parcel had been delivered to a drop-off point and instructing her to click a link for more information about collection.

“I’m usually someone that is pretty on to it about scams, but I totally fell for this one as I have family overseas that I know are sending us parcels,” she said.

“So I got excited and didn’t see all the little details in hindsight might have made me suspicious.”

After following the link, she was told the parcel had been stopped at the airport, and she would need to pay $4 stamp duty before it was released.

Stuff FluBot scams attempt to trick phone users into downloading malware which then steals information including internet banking and other passwords. (File photo)

The woman gave her credit card details but the parcel never materialised.

“After a week I rang NZ Post to find out where my parcel was and they informed me I had been scammed,” she said.

“My bank said they are getting so many people scammed and cancelling credit cards right now because of the same scam. In my circle of friends and colleagues I have since heard of one other friend who fell for it and at least 10 other people that have received this text in the last week.”

In September, Government cyber-security agency Cert NZ said there had been a surge in the number of people contacting the Department of Internal Affairs about scam text messages, with 30,000 reported in a single week.

Cert NZ said that if phone users clicked on links contained in the text messages they would be directed to a website that would attempt to trick them into downloading a malware app called a FluBot.

The malware could then seek to steal information including internet banking and other passwords and would replicate by sending out another wave of scam texts to contacts in the phone’s address book.

“Once a device has been infected with this malicious app it can result in significant financial loss,” it said in an advisory.

In the latest case, the woman had $80 stolen from her account in the time between providing her details and cancelling her card, which she estimated was about five days.

“The bank tells me I’m lucky it wasn't more. I’m a single mum, busy as, got excited and got scammed,” she said.

“If I hadn’t rung up NZ Post to follow it up to see where parcel was, I would still be having money stolen from my account.”

With many people waiting for pre-Christmas parcel deliveries, some would be too busy to see the finer details and could potentially get scammed, she said.

“I just feel so sad that these thieves are getting more and more cunning in deceiving vulnerable and trusting people. I was really concerned about how easy it was to fall for it.”

123rf Cert NZ says people affected by FluBot malware should “factory reset” their devices as soon as possible.

BNZ head of financial crime, Ashley Kai Fong​, said the bank wasn't seeing any more package delivery scams than usual, but it was a scam that “is always doing the rounds”.

“With Auckland still in lockdown and online shopping going strong, it’s easier to fall victim to these sorts of scams,” he said.

“You can spot them by the unusual URL [website address] they provide to check your status, and they are always trying to hurry you into acting for fear of something bad happening.”

The best thing to do was delete them, but those who tapped on a link and gave personal or financial information should contact their bank as soon as possible, Kai Fong​ said.

“The sooner we know about it, the more chance we have of helping you out. It also pays to check on vulnerable family members in case they too have got a text message like this.”

A Westpac spokesman said it was working with customers who had been caught up in the parcel delivery text scam and had replaced a small number of cards.

Cert NZ advised people affected by the malware to “factory reset” their devices as soon as possible.

This would delete any data on the phone, including personal data. Backups created after the malware had been installed should not be used to restore the phone.

Victims would also need to change the passwords to all of their online accounts.