The Department of Internal Affairs


DIA identifies phoney phishers


18 November 2015

Internal Affairs is warning people during International Fraud Awareness Week about the continued threat and dangers of “phishing” spam – a common technique used by fraudsters to obtain valuable information.

The Department’s Electronic Messaging Compliance Manager, Toni Demetriou, says a typical “phish” seeks to solicit information such as usernames and passwords for an online account or service, for example a bank, email, social media, cloud service, or work account.

“Traditionally, an email may look like it has come from your bank or email service provider,” Mr Demetriou says. “It asks you to click the link in the email to access your account (for some particular reason). You are then navigated to a fraudulent webpage that appears legitimate – it provides a log-on function.

“Once you have entered and submitted your log-on credentials, the fraudsters behind the campaign will have the relevant details needed to log into your account and steal personal information, identity records, valuable files, and, in the case of a bank account, money. You may even lose complete control of the account once it becomes compromised.”

Phishing is also a common method of trying to gain access to a company’s network. Often known as “spear phishing”, these messages target a particular company or employee. A fraudulent email looks like it has come from a client or an IT service / helpdesk team. It may ask you to log on to the company’s network, or to click an “important” link or attachment in the message. If this type of attack is successful, the fraudster or fraudsters may be able to obtain the company’s valuable files, information and intellectual property.

While email phishing has been around for many years, Internal Affairs has seen an increase in SMS text message phishing.

“This is quite relative to the general increase in uptake and use of mobile devices and mobile banking,” Mr Demetriou explains.

There have been 80 SMS text message phishing reports submitted to Internal Affairs’ 7726 SMS spam reporting service this year. Similar to email “phishing”, an SMS phishing message purports to be from a New Zealand bank and asks the recipient to “log in”. The message contains a hyperlink that uses a shortened URL service such as Is.gd or Bit.ly. Using a shortened URL service helps hide the actual URL of the phishing web page.

Internal Affairs has been working with the New Zealand Police Cyber Crime Unit to identify and take down phishing web pages on .nz websites; the Department has identified 1300 such .nz websites this year, and asked the relevant hosting provider or domain name operators to have the phishing page(s) removed.

Reminders

· Phishing continues to be a threat to anyone with an email address or mobile phone number.

· Do not open suspicious or unsolicited email or SMS text messages.

· Forward SMS text phishing messages from your mobile phone to 7726.

· Forward email phishing messages to scam@reportspam.co.nz.

· Do not click on any links or attachments in email or SMS text messages that you were not expecting to receive.

· Know who the message has come from. It is no longer enough to check and trust the email address the message was sent from, as these can be easily spoofed. Contact the company via their usual phone number (not the number in the message) to verify the message received.

· Contact your bank or financial service provider immediately if you have provided banking log-on credentials to a fraudulent party.

· Report any fraud to your local Police.

Ends

Media contact:
Trevor Henry, senior communications adviser, Department of Internal Affairs
Ph 04 495 7211; cell 021 245 8642


Spokesperson:
Toni Demetriou, Manager Electronic Messaging Compliance, Department of Internal Affairs
Ph 021 937 630