How to protect yourself and your money online

20 October, 2021

The topic of this episode is cyber security, and we've got some fantastic guests here to help us better protect ourselves and our money online.

All-round award-winning superhero Bronwyn Groot from Bronwyn Groot Consulting, cyber security researcher Chris Hails and Andrew Lee from CERT NZ joined us to chat about how to avoid falling victim to cyber scams.

Welcome, guys, and thanks so much for joining the discussion today. I might just hand over to you to briefly introduce yourselves and just explain a little bit about what you do.

I might start with you Bronwyn – the superhero of the group!

Bronwyn: I’ve lost my cape, I'm gonna have to go pick it up!

Thanks, Clarissa. So I am the director of Bronwyn Groot Consulting Limited, and I work particularly closely with victims and families of frauds and scams. I'm really passionate about helping vulnerable New Zealanders and trying to stop the bleed. Once they're caught out in the fraud and scam, it's emotionally and financially draining, and I'm here to help and hold their hand and not judge. That's what I do.

That sounds great. And Chris, how about you?

Chris: Well, I have a day job running information security for a financial services organisation. But in my spare time, I like to dig into the reasons why people fall victim to cybercrime. I did a few years with Netsafe and the National Cybersecurity Centre, and then I've done some research into people profiling and trying to sort of prevent harm.

Fantastic, alright, and Andrew.

Andrew: I'm a senior advisor with the partnership engagement team at CERT NZ. For those who haven't heard of us, CERT New Zealand is a government agency, started up probably about just over four years ago now to help raise the awareness of cyber security as well as respond to incidents where people can report to us and it's basically opened up to any New Zealanders, small businesses, government agencies, and big organisations.

Alright, let's kick things off. So our research has shown that a lot of Kiwis are quite concerned about the privacy and security of personal information when they're using digital technology. So about 80% of the people that we surveyed earlier this year said that that was a big concern for them. And we've also seen a lot of banks and financial service providers fall victim to scams in recent times. I'm just wondering is this concern about scams and fraud warranted? How safe is our money actually online? I'm a bit scared to ask this!

Bronwyn: It's always difficult, and I think the biggest problem is, at the moment, particularly with COVID and the banks and branches being closed down, people are getting forced onto online devices or internet banking and things like that, that they're actually not used to. And I think that's probably the biggest concern. And yes, we should be concerned, we should all go into this stuff with our eyes wide open.

Chris: Working at a bank, I can authoritatively say that from the bank's perspective, it's very safe. Yeah, it very much comes down to the customer I suppose in terms of the steps that they've taken to protect themselves. So I know we, in the cybersecurity community, we spend a lot of time messaging about things and we try and persuade people, you know that there are simple steps to take.

Often there is complexity in that messaging and there's things that people don't necessarily understand. Certainly an older generation that might be being moved towards digital channels, you know, self service apps and that kind of thing. And so some of that often gets lost in translation.

It's an expectation that everyone is an expert, with a computer and a smartphone. And so to some extent, I think there's an education gap, a digital literacy gap around what we need to do, what we can do. It’s ability and knowledge and that's a real area to focus on, I think we need to take.

And in terms of that responsibility, where does that lie? Do you think that it's up to Kiwis? Is it up to us to educate ourselves and try to improve our own cybersecurity? Or, you know, is there also a responsibility of financial service providers and banks to help us with that?

Chris: Yeah, I definitely think there is a responsibility on the part of the providers. I think you’ll have seen this year, particularly with some of the bigger banks, they've really resourced up in terms of their education efforts.

I can think of Westpac with their Stash the Cash game, ASB and ANZ have definitely been putting money into communicating to customers, you know, we'd like you to move to these digital channels, and here are ways that you can protect yourself. There's been some really good efforts around this.

There is though, that shared responsibility, there's definitely a need for customers to engage. Those surveys are always quite interesting, because everyone comes out and says, 'we're really concerned, we're worried about our security and our privacy', and then often there's a gap between that level of concern and then taking action. There’s a sort of a privacy paradox where people carry on doing the same thing.

I think we're in a position where we're sort of back in the 1960s, 1970s, around drink driving, when it was socially acceptable to you know, have a few pints and then head home in the car. You know, there were no airbags, no seatbelts. And so what we're seeing now is this kind of social model where people are being educated to take care of themselves, and we're having to provide those controls. You know, we teach them how to use the seatbelt, and how to buy a better car with better safety measures.

Okay, we'll get to some of those things that we can all do shortly. Andrew, I might just turn to you with this question. Obviously, we, you know, we all like to think that we wouldn't fall victim to a scam. But obviously people do. And I'm just wondering what you've seen at CERT NZ?

How many Kiwis are actually affected by cyber scams and fraud? And are the number of us that are falling victim increasing? Are we doing better? I’m curious to know what you guys have seen.

Andrew: It's really hard to say, whether New Zealanders whether it be general people, individuals, businesses, government agencies, likewise, whether they're better at spotting the scams. We like to think so. I mean, it's getting better, well people are getting more responsive, and being aware of that. But the other on the flip side of that, so are the scammers. They’re getting much more authentic, they're getting much more sophisticated, and we're seeing it played out and in a way that's very believable. And it's all from the same group, playing it out incidents.

"[Scammers are] getting much more authentic, they're getting much more sophisticated, and we're seeing it played out and in a way that's very believable."

Andrew Lee, CERT NZ


Certainly the incidents reported to CERT has made up at least consistently about a third of incidents reported. So that's the scams and fraud category. But if we look a bit deeper, there's another form of scam called phishing. And that's a way where individuals are contacted through an email.

The email looks quite authentic from somewhere authoritative, where it be a big government agency from the banks. And they've been encouraged to click on a link to verify some details. So that's another form of a scam, and that's probably a little bit more sinister in some ways.

Traditionally, the scams have been just quite dumb. Definitive in terms of the end result, there's always a payment aspect. But now they're actually getting much more sophisticated where they're actually asked to do something. And that's where it becomes a bit more sort of deep. It certainly breaks into individuals' privacy, we talked about it before.

But being CERT with just one agency among many, unfortunately, agencies that help manage the incidents, we work closely with other departments like police and Department of Internal Affairs, and also with Netsafe. So Netsafe's an organisation where we direct individuals where they need some advice on how to manage scams. And in a recent conversation with Netsafe, they've reported since lockdown, the first lockdown, their website relating to scam advice has been regularly visited. So clearly people are interested to find out more. So that's a good thing that you're getting the visitors there.

Andrew, you talked about phishing, and I'm quite keen to find out a bit more about that and also some of the other types of scams that people should be looking out for.

I'm wondering if you might be able to give an example of what phishing could look like. So, you know, what should I be looking for if I see something in my email inbox? Are there things that I can look for that will tell me 'yep, this is definitely a scam'?

Andrew: Well start with phishing, it's another form of scam. As I mentioned before, it's something that comes to your mailbox, generally. So it's an email that comes through, it will look quite legitimate.

The most recent one what we're seeing, and we're working with the agency is from Waka Kotahi, NZ Transport Agency. Where we get an email suggesting or mentioning that their vehicle is up for renewal. And it's actually true that somehow the perpetrators have somehow connected to the registration system, the car registration system, and actually sending out emails to say, yep, your vehicle with the right registration number, and the right date of expiry is up for renewal. And in there, somewhere along the lines is the link to ask you for payment.

Now, people looking at the email with the right logo and so forth, would assume that's right. So they would then go and click on the link, and proceed to enter their details, credit card details. Now it all seems quite legitimate until later on, the real agency comes along and say, look, your payment has now expired, you haven't paid. And that's when it seems a bit dubious when you then go back and say, look, I paid this. Why isn't it coming through?

So it's quite hard to actually identify the elements, and where we are trying to encourage users to look at, where the email has come from. A telltale sign is the sender, the email of the sender, even though it looks like it's got the wording, the agency, but if you look closely, the email address is not from a government agency email address.

"A telltale sign is the sender... if you look closely, the email address is not from a government agency email address."

Andrew Lee, CERT NZ

So little things like that, it's quite hard to pick up. So it relies on the individual to actually look at the email closely. Which in this current digital age, it's quite hard to encourage people to do so. It's a cultural change. It’s a bit like what Chris mentioned before, it's a behavioural change, and that takes a lot of effort, especially in this day and age where we get a lot of emails, whether it be work, particularly social related stuff outside work. And people just go through in the process, it's like a muscle memory where they just click on things without actually reading things, if you know what I mean. And that's I think that's where the scammers and where phishing is doing really well, and by really well people fall into that trap. So yeah, that's generally the easiest, simplest way of phishing.

It gets worse. Sometimes when you click on the link that actually installs something a small script or otherwise on your device. Some devices actually warn you before it's installed. Others it just pops up in because of this whole muscle memory thing as I mentioned with the clicking when you click on it, and it gets installed, unbeknown to us doing something and harvesting information and then pumping it back to the perpetrator. So yeah, it's a bit hard to pick up unfortunately. Yeah.

And Chris and Bronwyn just sort of expanding on that, are there other types of scams that you've noticed recently, in addition to phishing that are affecting a lot of Kiwis? Are there any common ones that we should be looking out for?

Bronwyn: I think the big one that has hit New Zealanders recently is the text scam that's come through for the parcel deliveries because most people are expecting some sort of parcel online, right. And I think DIA reported something like 4,000 reports in a day or something like that from New Zealanders. And I've spoken to a lot of people who've actually fallen for that, because they're like, oh, yeah, I was expecting a parcel so I just clicked on it. And I think as Andrew mentioned, there's a malware behind that one called FluBot. Chris, you can probably talk better to that than I can.

Chris: Yeah, the FluBot thing’s been interesting because obviously, the campaign’s been really quite successful. I think the numbers that I've heard of late have been really substantial in terms of the number of people that have fallen for it and then maybe, you know, infected their Android phone. Like Bronwyn says it's coincidental around timings.

So those performance shaping factors about I'm expecting a parcel, the coincidental arrival of a text and click, click, click, like Andrew said, you know, we're habituated into doing these things and the bad guys have a good outcome.

I think not long ago there was another campaign around COVID testing as well, obviously, lots of us are in a heightened state of concern, you know, we're worried about health and we're worried about levels up and down. And then there was a campaign that was sent out saying, you know, for your test result or to take your test or to go for your vaccination and I know CERT has been charged with sort of securing the whole kind of COVID environment as well around that misinformation. So the bad guys are just looking for an opportunity to strike really and they'll take it with whatever they've got to hand.

"... the bad guys are just looking for an opportunity to strike really and they'll take it with whatever they've got to hand."

Chris Hails

Bronwyn: Just on that note, as well. I've recently had a few people who've fallen for the Inland Revenue phishing scam. So they thought, yes, I've got taxes due, they've clicked on a phishing email, it's asked them who they bank with, they've given us a selection of banks to choose from, they've clicked on who they bank through, too. And it's then taken them to a fake bank website, which they've then logged in, had their information and then their bank accounts have also been compromised and funds accessed. From the victim's point of view, the responsibility then comes back on them, the banks are not going to reimburse you, because you were the one that actually clicked on the link. So it's a really painful process to actually go through, you know, not only emotionally but financially as well.

What's the worst thing that can happen if you do click on a link? Is it just a case of, you might lose a bit of money, or, you know, you get some software installed on your phone, or your computer? What's the actual impact that this can have on a person?

Andrew: If I might just chip in on that. So the immediate impact would probably be a bit of inconvenience. So what happens is with these that are installed worst case is the message then replicates itself on your phone, and it gets sent to all your contacts on your phone. So there's a bit of inconvenience.

But then very quickly that leads on to potentially, if it's something installed on your phone, it potentially might be harvesting information inside your phone, things like your passwords to various accounts, potentially access to your bank account, if you've got a banking app installed on it.

In terms of money lost, this could be one of the issues there, but perpetrators are now becoming more... money is one thing. And that's certainly a definite outcome. But what they're looking for is something that continues to give. So information is key. So we talked about credential harvesting is a term that we use in the cybersecurity industry and others as well. But that's where individuals details, physical details, and potentially information to your work details. Because ultimately, when we're working from home now, and people are a bit more open about bringing your own personal device into a work environment, information that you use to login from your home PC to a work environment, in a secure environment, potentially could be harvested all those details. So it's, you know, it's the information that's gold, and that's something that could provide a good, certainly, you know, it's something that could be sold for a good amount of money on the dark web. And that's just from one individual. If you can imagine the multitude of individuals all published on the web, that itself presents a huge risk to the individual and to organisations where the individual works.


"Money is one thing... But what [scammers] are looking for is something that continues to give... It's the information that's gold."

Andrew Lee, CERT NZ


Chris: I can talk to a few cases certainly that Bronwyn is very familiar with these as well as that account takeover piece. One of the most significant things I think, I experienced at Netsafe was when someone's email account was taken over. And as Andrew says, you know, the attacker maintains persistence. In effect, you have a bad guy who's got your credentials or tricked you into logging in or somehow got access to your email account. And then they just sit there and they read your emails. And then they have this ability to kind of rifle through your digital filing cabinet and go after information.

I can remember one case, probably six or seven years ago of a nurse, who had a Gmail account that didn't have multi factor authentication on it - didn't have the second layer of protection. And somebody sat in her Gmail account reading all of her emails and found copies of her passport and her nursing qualification. And then managed to use those identity documents to actually secure a job in Australia and pretend to be her.

So there's identity fraud and theft, damage to credit records. In some cases, when you’ve got access to a company email account as well, you're sitting there, you can set up filters and forwards and then you can take invoices, and then send those through to other people. And sort of defraud those third parties and actually do invoice fraud, what's called business email compromise, and that's really quite significant, that’s into hundreds of thousands of dollars that can get stolen or misdirected.

Oh my gosh, okay.

Bronwyn: We’re just the bearers of doom and gloom but hopefully raising awareness. And I think, as Andrew mentioned, and Chris, you know, so many people have said to me when I'm out presenting, what are the scammers or the offenders, what do they want with my information, I'm just one little person, you know, doing my own thing. Maybe I'm an older New Zealander, they're not gonna want my information.

Now, just one little part of your information they may not want, but once they have access to that big picture, as Andrew said, it’s absolute gold on the black market. And they'll use it over and over again.

"Now, just one little part of your information they may not want, but once they have access to that big picture... it's absolute gold on the black market. And they'll use it over and over again."

Bronwyn Groot, BG Consulting


Bronwyn, I'm just wondering if you could talk a bit about some of the other impacts that this might have on a person. If you are a victim of one of these scams, there might be a bit of shame or embarrassment about the fact that it happened to you. Potential mental health impacts as well. I'm just wondering how it could impact someone beyond just losing money or identity theft. Not that those are small things, but I imagine it can have more of a long term impact as well?

Bronwyn: Yeah, you're absolutely right, that it isn't. It doesn't stop the moment you tell someone that they've been scammed or defrauded, it goes on. And depending on what the incident might be like for.

Recently, I spoke to a lady who lost all her photos on Facebook, they were her son's photos. And for her it was absolutely devastating. And then you've got the other extreme we talked about before, an Inland Revenue phish, and they took over the bank account and actually siphoned off all of the funds, including her children's funds that they were saving for university, because they were all linked to that one access number on her internet banking. Now, she has to deal with the fact that she's a really smart woman, but she clicked on this link, then she has to deal with the fact that the police aren't gonna do anything. The banks are saying it's your fault. And she has lost all of this money that they've been saving for so long.

And sadly, I hear it a lot of the victims saying Bronny, I just don't want to wake up in the morning, because they have to relive it over and over. And even when they have to go and report it. They have to go to so many different places. So you go to the banks, you tell your story, you may talk to someone who's not that sympathetic. You then go to the police. Again, you may get someone who's not that sympathetic, you have to tell your story again, then you have to report it to the agency. It may be CERT, it may be DIA, it may be the Financial Markets Authority, you have to tell your story over and over again. And during that process, you are going to have someone, hopefully it's not a friend or a close family member who's gonna say, jeez, how can you be so blimmin’ stupid and you're already beating yourself up. So it's absolutely devastating and in particular with romance scams, and there is no solid research, this is just me having worked this stuff for around 11 years now. If you fall victim for a romance scam and you lose your money, what I'm seeing is that it's taking on average the victim at least two years to recover mentally from that. That's a long time two years, and that's just an average that they're beating themselves up every single day.

Yeah, I can imagine with the romance scams as well, you sort of formed a relationship with someone you believe is a real person, right? And there are all those emotions attached to that. I imagine that would be incredibly difficult to not only find out you've been scammed, but you've sort of lost that connection with a person?

Bronwyn: Yeah, that person that you've been talking to for maybe a few years is actually not even real. And yeah, the romance scams are, for me, absolutely the worst. But we're seeing a lot more of it during lockdown as well. People are going online looking for love. And, you know, looking for companionship. And it may just start as simple as using an app like Words With Friends, which is an online Scrabble type app. And the scammers are accessing those platforms. And also too when you sign up, you jump on a dating website, straight away you're on the back foot because a lot of the websites you may sign up for are, maybe it's a Christian widows dating website. So already the scammers know your vulnerabilities right from the start, and they play on those as well. So absolutely devastating.

Are there certain groups of people that tend to be targeted by these scammers? And I guess you sort of partly answered that already. But it seems like these scammers are looking for people that are vulnerable or in a certain position that they can then take advantage of them. I'm just wondering if you'd go into that a bit more. Are there people that are more likely to be a target than other people?

Bronwyn: I think we are all vulnerable. Absolutely all of us are vulnerable to any type of scam. It just depends on our mood and the actions on the day. And I think I've heard it time and time again is a victim will say to me, normally, I would never ever click on that, or answer that phone call or respond to the phone call, but that day I had a head cold, as simple as that. Or maybe they've had a loss of a family member or a pet, or their medications have changed. Any number of things will make us vulnerable and fall for the scam.

"Absolutely all of us are vulnerable to any type of scam."

Bronwyn Groot, BG Consulting

Myself, for instance, a few years ago, my daughter wanted to buy some t-shirts online, and I was busy and I was stressed and you know, just trying to get dinner on and stuff like that. She's like, mum, mum, mum I need these, this t-shirt. So I entered my credit card details and the transaction didn't go through. Now I should have stopped at that point. But because I was being hounded by a teenager, I entered another credit card detail and a different credit card in and it went through. Next thing I'm getting a call from the bank saying hey, there's nine transactions of $460 trying to come out of your credit card. It was that quick, it was just a dodgy website that my daughter was wanting this t-shirt off. And that's how quick and how fast it was.

So essentially, what you're saying is that even someone like yourself who works day after day, you can also fall victim to it. Right? So it really is everyone, all of us, no matter how smart we are, these scammers can get us somehow. That's scary. That's scary to me.

Okay, so we've looked at, you know what the impact is and some of these common scams that are out there. Now I'd like to turn to, I guess more of the positives. So you know, in terms of what can we actually do about this and what can we do to protect ourselves?

For Cyber Smart Week CERT NZ is running this campaign all about cybering up and trying to build your cyber resilience and defenses and protect yourself. I'm just wondering if you could talk a little bit about Cyber Smart Week and what you're trying to achieve through that campaign.

Andrew: So with Cyber Smart Week, it aligns with the International Cyber Awareness Month. October is essentially the month of cyber awareness. For us in New Zealand we decided to focus on a particular week or just one week of pushing out the awareness messages just so that it’s easier to maintain and also to manage for us as well.

So we've picked four interrelated messages. So encouraging people, if they did one, or any of the four - all four of them will be better - then they're much more protected from any incidents that occur. So the four are essentially making your password harder to crack or to guess; checking your privacy settings on your app, on your phone, on your devices are managed properly, including information that you share with people you know, or not know. So that's something that we call ‘uphold your privacy’.

The other thing we also encourage is to keep an eye on the current age of digital devices, and so forth there's always updates and information to upgrade on your devices. Don't ignore those. Make sure you actually update and upgrade your devices every time this message comes through.

Things keep improving, and obviously scammers are getting better as well. So it's a bit of a catch up process. So every time your devices or you get notified, update them, don't ignore it and just update it. And just even if you can't do at the time, remember to set yourself maybe once a week to go through and do that.

And last but not least, is what we call ‘upgrade to two factor authentication’. Now that's a term that not many people understand, but believe it or not, that's something that's been around since banking has been around. Remember the days where you've got a card, and you rock on up to the ATM on the wall? And then once you put the card in you put in a four digit PIN. So that essentially it's an early form of two factor authentication with something that you have, which in this case, is your card. And you can't just put your card in and expect money to come out, you actually have to put something in that you know. So something that you have and something you know, in this case, what you know is your PIN. And once you put the two together and they marry up and the bank verifies that’s you because of what you put in, you then get what you could do on the ATM machine. So two factor authentication is something that is a technical term and you can also get the extension of that which is called multi factor authentication, where we enter more than two ways of identifying yourself. So there are some apps where you actually have to identify yourself before you can do anything.

Fortunately, from what I've seen, and what I've heard, online banking are good at that. The apps that they put out actually follow that process. So that's a good thing to do. But there's other things that they probably need to be aware of as well across the other apps like social media or Gmail. So those are the four different messages.

I firmly believe that putting aside the four messages there, the best thing people need to be aware of is to slow down and actually look at what you've got in front of you. I strongly believe no matter what you do, just slow down and have a read of the text, have a read of your email that's been sent through to you.

And as Bronwyn highlighted, it happens to everyone, it's not just her, you know, it's a common thing. We're in the business of things, especially in lockdown, especially with distraction from family, people get distracted very quickly. In this current age of information overload, that's what perpetrators prey on. It's human – it's being human essentially. So one of the things I do encourage people is to slow down and read what's in front of you. Don't react to it so quickly.

And as you know as the adage goes, if it seems too good to be true, it probably is. So that's, that's generally the message I would encourage people to look at. And then you've got all the other four simple steps that we're doing with Cyber Smart Week.

Awesome, thanks for that. Andrew, really, really good tips there. And I think that slow down message is so important. I myself have a habit of just you know, you skim through things and you don't have time to look at things properly, but just taking the extra time could really pay off.

Chris, I'm wondering if you have any tips to add to that, in terms of what people can do to protect themselves?

Chris: I definitely second that point that Andrew shared about updating. I think one of the biggest things we see at the moment is the volume of software updates that are coming through. There's a lot of vulnerabilities in our technology. And the FluBot thing is quite interesting. You know, if you had a more modern Android phone you're probably safe and secure. For the bank that I work at, we looked at our customer base, and we can identify those customers on the older devices, and then take steps to kind of, you know, notify them. So definitely playing that part and patching things, you know, not ignoring updates. And, you know, putting those onto auto update is really, really good.

On the personality side, I did a piece of research with Internet NZ a few years ago around the types of people that might be more vulnerable. I think Bronwyn’s right, you know, it's performance shaping factors about business and emotional kind of stuff that's going on at the moment with lockdown.

But the research that I did found that certain types of people are also more likely to fall victim. So if you were unemployed, for obvious reasons, you're, you know, in a financial sort of danger point. And so people that were looking for jobs were actively preyed on. So understand your environment and understand your vulnerabilities.

And I found that people that smoked were two and a half times more likely to fall victim to cybercrime. I think if you're a high risk individual by smoking, and I was a smoker for 15 years, you need to acknowledge, you know, is there something about me as an individual that might put me at a more likelihood of falling victim? So definitely that slow down piece, think through your decisions. There's an American chap who uses the phrase slow down and frown, which I think is a really lovely term. He's actually come up with a piece of research that says, if I read my emails, whilst frowning, I'm more likely to be cynical. And there's a whole piece of, you know, sort of psychological research that says, if you're frowning, your physical face is actually saying to your mind, oh, this could be dangerous. And I think that's, it's just that thinking things through you know, engaging a sort of slow mindset and really assessing those risks.

That's a really interesting one. I'm going to try that.

Bronwyn anything to add in terms of your own tips for how people can avoid falling victim?

Bronwyn: I think that's absolutely right. It's all around the amygdala hijacking that goes on in your brain. It's like when you see something, whether it be a handbag, or a new top, and you think, oh, my gosh, I need that so badly and I need it now and I'm going to enter my credit card details. But actually, the next day, you know that rush has gone in and you don't actually need it then. So it's just giving yourself time to stop and think it through. The scammers are going to use that sense of urgency, you have to act now you have to click on this link, you have to send the details or do what they're instructing you to do. So it's giving yourself time. Stop and think and breathe and frown. I think that's a great point. I'm not sure about the wrinkles that'll cause though Chris!

And say, you know, you do what you can to be proactive, you know, you upgrade and you update things and you're vigilant, you slow down, you frown, you know, you're doing all the right things. But somehow, you know, something happens, it slips through the cracks, you accidentally click on something, or, you know, you fall victim to a scam. And, you know, you realise that that's what's happened. What can you do at that point? Where should you go? Who do you tell? Can you talk me through that process?

Bronwyn: The first thing you should do - the very, very first thing if you've fallen victim to some form of scam, clicked on a link, contact your bank. That protects your finances, because the scammers, yes, they want your information, but first up they're gonna want your money. So contact your bank, let them know what's happened. Tell them exactly what you've done. Don't feel stupid, don't feel dumb. Tell them and then they can put some processes in place and secure your finances. That is where I would go first.

Chris: For me and what I always say to people is you know, think through what you have of value and what that is. So Bronwyn talked about photos, somebody losing photos before. That's a different form of loss, but there are prevention steps that you can take, so take backups of those.

The big piece is the money though obviously and at the moment there's, you know, that shared responsibility for you as an individual to protect it. So if you think that you've given out a card number, if you think that you've given out access to something, if you've granted someone remote access onto your computer and they're logged in, then, you know, you really need to start thinking about, just talk to the fraud team at the bank.

I have an app for my bank where I can turn off my cards, you know I can actually control that myself. So if I'm worried about a payment, I can disable things and stuff like that. So definitely on the financial side, definitely talk to your bank. And then obviously, you know, there are other agencies that you can report to as well.

Andrew: Following on from what Bronwyn and Chris mentioned, that's exactly what we encourage people to do. In fact, when the individual does eventually find who CERT is and report to us, first thing we would ask is, have you contacted your bank? Because it leads on to things that potentially could have access to their banking account, especially if they have apps that are installed on their devices, banking apps.

People? Yeah, strangely enough, they don't actually or haven't actually contacted the bank. We found this anecdotally, just talking to individuals, and there seems to be a few of them, a consistent trend, is they would initially talk well, because of the nature of the incident, and also the shame factor, they would only talk to their friends, close friends, they don't even talk to their family. Because they feel a bit embarrassed and seem to be certain cultures are more susceptible to that than others. But we consistently see that they talked to their close friends about it, and to find out what it is that they can do.

Now for those that don't have that luxury, and just struggle with finding someone to talk to, they then sit on it for quite some time.

So that's something that we’re trying to get the message out there: there's no shame in being compromised. It's just unfortunate. It's just the way things have worked out. And we encourage people to let us know, or the bank know as soon as possible. The bank is not going to - well, we don't think the bank will wave a stick at them saying, look, you've done this, you're on your own there, buddy! I think that they actually would respond in their best interest - for the bank and for the individual. Time and time again, we find that people don't report things that quickly and we need to get the message out there. There's no shame in that. But certainly at the bank will be the first thing.

And then eventually, well, that's the tricky part. Going back to a comment that was made earlier. There's no central reporting site or number that people can call in New Zealand. And other countries, they have that, but certainly in New Zealand, there seems to be, in some ways, it's unfortunate, we haven't quite got a centralised way of reporting.

So what we generally do is we work in with other agencies to have no wrong door policy, and the same with them. So if they get something reported to them, and it's not within their jurisdiction, they will then share that information with the person’s consent with another agency to try and work through that. Because it's quite a traumatic time, as you've heard before from others, it's not something that you want them to revisit and relive the whole experience, again to another agency. But it is a difficult one to try and manage. But yes, certainly the first thing we suggest is to contact the bank. Talk to their family members, and people that are close to them, there's no shame in that, and they might be able to better advise on how to better manage them.

And I'm guessing too that by talking about it and sharing what's happened. You know, you're not just getting on to it for yourself, but you're also potentially helping other people, right? Because then, you know, other people that you talk to can go okay, I'll keep an eye out for that email and I won't click on that link. And by sharing information I imagine, you know, you're helping everyone really?

Andrew: Definitely, yeah, most definitely. And, you know, it's just making people aware what's going on there. And it actually might just uncover what others are experiencing too. Someone else could be going through the whole thing and perhaps feel a bit embarrassed and silly about telling it to others. So it's just something and it actually does improve and it aligns with the message of mental health awareness recently we had to talk to people, share your concerns you have with someone close, and it could be anything, including cyber incidents. Yeah.

Yeah, really good message. All right, we'll wrap things up there. Thank you so much, all of you, for sharing your knowledge and your tips. And hopefully, we can help everyone to be a bit more cyber smart, and just take some small steps to better protect themselves.

Report a scam


CERT NZ call 0800 CERT NZ (0800 2378 69) 

Department of Internal Affairs - text SCAM (7726) or email 

ID Care - call 0800 121 068 or email 

Inland Revenue - email 

NetSafe - call 0508 638 723 


ANZ - call 0800 269 348 or email 

ASB - call 0800 ASB FRAUD (0800 272 372) or email 

BNZ - call 0800 735 901 or email 

Westpac - call 0800 400 600 or email 



This information is general information only. The views and opinions expressed in this video are those of the speakers and do not necessarily reflect those of the FSC. It is not intended to constitute financial advice and does not take your individual circumstances and financial situation into account. We encourage you to seek assistance from a trusted financial adviser or other professional advice.

The links that are provided or names of third parties are additional resources that you access at your own risk and the FSC takes no responsibility for any third party content.

The FSC and its employees make no express or implied representations or give any warranties regarding this information and we accept no responsibility for any loss, damage, cost, or expense (whether direct or indirect) incurred by you as a result of any error, omission, or misrepresentation in this information.

22 October 2021.   
