Safety

Phishing: Text Message Scams

|

4

Text scams are a real problem, but you don't have to be a victim. This article explains how text scams work, what to avoid, and how to stay safe online.
Person holding phone

Source: Lindsey LaMont, unsplash

A common scam that is affecting everyone who owns a device, targeting victims who fall for a simple message that contains a link.

These types of scams are designed to obtain user information and are commonly known as phishing. They work by convincing the user to open the link, fooling them into either entering critical information or visiting malicious sites.

Identifying a Text Scam

Understanding how to deal with these types of scams is the first step in ensuring that you don't fall victim to them.

Identify who is sending this message. Look at the supplied number. These numbers often use the wrong area codes in New Zealand; scams will typically use +61, which is Australia, though this could be any country code. If it doesn't look familiar, then it's likely a scam.

New Zealand uses +64.

For numbers that are quite short, such as 3720, 3136, or 5678, these types of text messages are used to send notifications or authentication codes. The purpose of these numbers is to provide a quick text with a code or an important announcement directly to your phone.

These are used when signing into some services; they'll ask you to enter these numbers to verify the identity of the account. These are called 2-Factor Authentication codes or 2FA Codes. Generally, these are considered safe, but be aware when being asked to enter them.

If you've received a code for a service you haven't used or signed into, ignore it, as the code will expire.

Never share the authentication codes with anyone over the phone when requested. The risk with these codes is that if someone requests a password reset on one of your accounts, they can take over the accounts if this code is shared.

Be mindful of the message; it will say what the authentication code is used for. For messages with links to services such as the delivery of an item or providing a link to log in, do not click on the link unless you are expecting it.

Here is an example of a 2-Factor Authentication code you'd typically see:

Uber Authentication Code Example
  • This code is from 3362.
  • It states the code is from Uber.
  • I'm expecting this code as I've just signed into Uber.
  • Note: This code is no longer valid and has expired.

Here is an example of a text scam:

Phishing Text example international
  • The message comes from +61 (Australian-based).
  • I didn't know this number and wasn't expecting it.
  • The message mentions something to do with Euro.
  • Contains a strange-looking url/link.

Here’s another example:

Phishing Text example local

  • This message comes from +64 (New Zealand-based).
  • Mentions getting NZD, specifically for me.
  • Contains a strange-looking link.

As you can see, the point of these text scams is for you to click on this link.

A more recent example:

NZ Transport agency phishing example

  • Claims to be from NZ Transport Agency and is asking you to pay an outstanding fee.
  • This message is unexpected.
  • Notice the URL mentioned; it doesn't match NZTA's website.

These examples provide guidance for understanding what a scam text message looks like. As for the links provided in these examples, they don't match any known website, and accessing them may lead to information being stolen.

In the above example, NZTA suggests that you may have an outstanding fee. Do not click on the link. Instead, go directly to your web browser and enter the official NZTA website.

Lets compare the links used:

Comparing phishing link vs legitimate

Offical government based links will always have the .govt.nz domain. Always navigate to the offical website before entering sensitive information.

Reporting and Getting Help

If you have come across a scam, please forward the message to the Department of Internal Affairs for further investigation. Simply forward the text message to the following number: 7726.

See here how to forward a message in iOS. For Andriod devices this should be a similar process of holding down the message and selecting forward.

Report directly to the organization. I have listed the email addresses for popular services operating within New Zealand. Please screenshot the suspicious text message or email and attach it to the email sent to one of the following:

ASB - phishing@asb.co.nz

Kiwibank - suspicious.email@kiwibank.co.nz

Westpac NZ - phishing@westpac.co.nz

BNZ - phishing@bnz.co.nz

ANZ - hoax@cybersecurity.anz.com

Spark NZ - scamhelp@spark.co.nz