Go from exposed to secure online
We live our lives online. We run our businesses and connect with friends. We purchase items and find jobs. And every day we’re at risk of a cyber attack.
CERT NZ’s latest campaign is called EXPOSED and aims to raise the importance of being secure online by showing what’s at stake when we don’t get cyber security right.
Below are stories of New Zealanders who have been targeted by attackers while going about their lives. They want to share their stories to encourage New Zealanders to go from exposed to secure online.
First-hand advice on how to own your online
Read and watch the stories below to find out how everyday New Zealanders were targeted online. They’re sharing their stories to help keep others secure online.
Not a winner
Subject name: Tiana
Incident Type: Phishing through social media
Tiana was the target of a phishing scam through social media. She was so excited when she was tagged in a post that said she had won $1,000 through an online competition. This would help her and her whānau out in a big way. To redeem her prize, she was asked to register with the company and provide her bank details. Without thinking, she did what was asked. A few days later, Tiana noticed $340 gone from her account. Tiana was panicked and anxious - $340 went a long way for her whānau. She was unable to get her money back and felt embarrassed. She didn’t report the incident as she felt she was at fault for not recognising all the signs.
The job seeker
Subject name: Nish
Incident Type: Job scam
Nish was the target of an online job scam. He was job searching when he came across a position that looked ideal. He applied and got an email confirmation including identity documentation forms he was required to fill out. Soon after filling in and submitting the forms, he was told they wanted to interview him and shortly after received a call on WhatsApp. The call flashed up from an international number and Nish started to wonder why they hadn’t just called him normally on his mobile. He became suspicious. He called the police and his bank, deleted his profile on WhatsApp, and saved himself from potential identity theft. The experience has had an emotional toll on Nish at an already very vulnerable time. He’s taken a lot of precautions to stay secure online since then.
Watch: Nish was exposed to an online job scam
[Visual]: The scene opens with a man sitting on a couch shot from the waist up. He's in a living room setting and sitting slightly to the left of shot. His name [Nish] pops up in the bottom right-hand side of the screen with the text [Job scam victim] underneath. Throughout the video, he remains seated with minimal movement.
Audio starts immediately – with Nish talking direct to camera.
[Audio] 'I was looking for a job and I found one which was ideal.'
[Visual]: The camera shot changes. Mid-shoulder close-up with more of a 45-degree angle. Name and description removed from screen.
[Audio] 'Good perks. And it was a total win.'
[Visual]: Camera shot changes back to the first setup, but with a wider shot. There is more of Nish - shot from the knees up and more is included in the lounge scene. His head is slightly blurry with pixilated detailing. You can still make out his features.
[Audio] [voice has been distorted to a low level] 'So I applied for the job, and then they came back asking…'
[Visual] Camera shot changes back to side on mid-shoulder shot. Same pixelation around the head. Looks more prominent as it's a closer shot.
[Audio] [voice remains distorted to a low level] '…for details like IRD and bank accounts.'
[Visual] Camera shot changes back to wide knee-level shot. Head is further pixelated. Features are less obvious with detail being more of a mixture of colour.
[Audio] [voice distortion intensified – sounds low and gravelly] 'That's when I realised it was a scam.'
[Visual]: The shot changes back to the side close-up. Pixelation remains as is.
[Audio]: [voice distortion further intensifies] 'I got really really scared.'
[Visual]: The shot changes again back to wide angle. Head is further pixelated. On the screen built in subtitles appear across the bottom of the screen: 'I went on Instagram, private my account. Facebook, all of those things.'
[Audio]: [voice distortion continues to get deeper - failly unrecognisable] 'I went on Instagram, private my account. Facebook, all of those things.'
[Visual]: The shot changes back to the side close-up. Pixelation remains as is. Built in subtitles appear across the bottom of the screen: So I would advise everyone to be just extra careful.
[Audio]: [Voice continues to get deeper] 'So I would advise everyone to be just extra careful.'
[Visual]: The shot goes back to the wide angle. Pixelation is at highest level with no obvious features or likeness. Subtitles 'and make sure it's legit.'
[Audio]: [Voice continues to get deeper] 'and make sure it's legit.'
[Visual]: The shot goes back to side angle but is a shot of just the face. Full pixelation over the head – completely unrecognisable. Subtitles: 'Now I've gone from exposed to secure.'
[Audio]: [Voice continues in deepest distortion] 'Now I've gone from exposed to secure.'
[Visual]: Own Your Online green and purple branded circles close in over the frame. Nish's head is kept in a circle with the rest of the screen containing block colouring. The writing appears to the left of the screen 'Go from exposed to secure online.'
[Audio] Small jingle plays.
[Visual]: End frame pulls up block colour teal with darker [forest] text: Own Your Online logo with 'Learn how to protect yourself online at ownyouronline.govt.nz.' The CERT NZ logo is in the top right corner.
[Audio] Jingle continues to play and fades out.
None of their business
Subject name: Bren
Incident Type: Unauthorised access attack
Bren was the target of an unauthorised access attack. One Sunday evening, Bren noticed she’d been removed as an admin on her online retail company’s social media business account. Something didn’t seem right, so she put a hold on her company credit card - just in case. She contacted her marketing agency in the morning to see if they had made this change – turns out their account had been compromised but not before fake ads and the respective charges for them appeared on their account.
Because Bren was no longer an admin, she could no longer advertise her business on the two social media platforms which were her best source of customers and income. After almost a year of endless auto response emails and going round in circles with different advisors and referrals she decided to cancel her social media business account and start afresh.
She lost a lot of her followers as a result and critical marketing data in this restart - not to mention over a year’s worth of potential full income.
These stories help to raise the importance of being secure online, by showing what’s at stake when we don’t get our cyber security right.
Sam Leggett, CERT NZ
Things you need to know
Why online security is important
Five quick steps to online security
Hostage in Manila
Subject name: William
Incident Type: Impersonation scam
William was the target of an impersonation scam. He was on holiday in Malaysia when he received a text from a friend who travels regularly, saying he was being held hostage at his hotel in Manila. The hostage takers wanted $800 before they would release him and his passport. The texts kept coming, sounding more and more desperate each time so William transferred the money. As soon as the money was gone, he realised he had been scammed. His friend was safe at home, and he was out of pocket. He regrets not picking up the phone and calling his mate first.
Not a brand ambassador
Subject name: Dolly
Incident Type: Social media scam
Dolly was the target of a social media scam. She was asked to become an ambassador for an online brand, that turned out to be fake. Giving up her personal details to accept goods from their website, she unwittingly allowed these scammers to take her funds without her ever receiving the products she ‘purchased’. She was charged over $3,000. Thankfully, with the help of her bank she got her money back. Although she got her money back, the experience had an emotional toll on her.
Real-ity romance scam
Subject name: Thea
Incident Type: Romance scam
Thea was the target of an online romance scam. She started chatting online with a man, he was Italian. So sweet and caring. They had everything in common and made plans for their future together – from exploring Aotearoa to retiring. Suddenly, the next message came, he was stuck in Singapore with his accounts locked. Thea didn’t think twice when he then asked her for money.
This scammer had played the long game with Thea which only made it more devastating. She was left heartbroken and embarrassed.
Taken for a ride
Subject name: Jaelyn
Incident Type: Phishing scam
Jaelyn was the target of a phishing scam. She was sent a text saying she needed to log into her ride sharing app to authenticate the account. It seemed simple enough. So, she clicked on the link and provided the required details. Within a week she was charged over $1,000 worth of food and ride transactions through the app, which she never ordered. Instead of authenticating her account, which she thought she was doing, she had actually provided full details allowing someone else access to her account. After much back and forth, Jaelyn got some of her money back – but lost her online confidence.
We live our lives online. We run our businesses and connect with friends. And every day we’re at risk of a cyber attack.
Jane O'Loughlin, CERT NZ
The sophisticated scam
Subject name: Anonymous
Incident Type: Investment scam
Anonymous was the target of a sophisticated investment scam. They thought they were purchasing bonds through a legitimate, reputable bank. Unfortunately, it was actually a scammer who had gone to great lengths to impersonate the bank – even creating their own online banking portal. Anonymous asked their brother who works in finance, and he said the bank was reputable. So Anonymous started ‘investing’ with this bank, initially transferring $100,000. The money showed up on their online dashboard: it all seemed legit. So they transferred another $100,000, and then another $100,000. Over multiple payments, they ‘invested’ and lost $300,000. Once they realised it was a scam, their heart dropped. They will never get their money back.
In real time scam
Subject name: Glenis
Incident Type: Phone scam
Glenis was the target of a scam phone call. She was contacted by a woman who claimed to be from the bank. They told Glenis they were investigating her account due to a few interesting transactions, all the while discussing specific and accurate account information. Glenis panicked and gave up way too much information too quickly. She had been a target of a scam before and wanted to cooperate. She then watched in distress as her money was transferred from one account to another and then go out of her account completely, all in real time. For Glenis, the emotional toll has been far worse than the financial one.
Selling your soul
Subject name: Megan
Incident Type: Marketplace scam
Megan was the target of a marketplace scam. She was trying to sell a jacket online and the buyer asked if she could reduce the price and include shipping. They also asked if she’d be open to pay through the site itself, which she’d never heard of before. She clicked on the link they sent and she provided her bank account username and password. She immediately received a payment alert saying that money had been taken out of her account. Fortunately, her bank messaged her to say the payment had been blocked and she didn’t lose any money. She could have lost so much more.