NZ Skeptics Articles

The Six weeks of Scamming

Katrina Borthwick - 21 January 2025

_After 6 weeks of searching, the scammers gave to me…

One fake bank a calling

One scam centre kidnapping

One recovery scammer

A deep fake doctor

One spear phished deposit

One fake investment

One scary house sitter

A fake holiday home

Several Facebook swindlers

80,000 counterfeit websites

200 million lost dollars

And $2 billion paid to fake online sites_

I have been taking the opportunity during my time off work to binge on Audible books. As part of that I have taken a deep dive into social engineering, by listening to Social Engineering: The Art of Human Hacking by Christopher Hadnagy. This is currently free on Amazon Audible and gives a very detailed overview of many of the techniques, albeit published in 2010. There is a newer version, published in 2018, which covers a few other topics and which I didn’t spot until I was finished. That’s probably the reason the other one is free. Whoops.

I also enjoyed Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, in which Kevin Mitnick gives an account of his time as one of the most elusive computer break-in artists. A lot of the tech is older (phone lines) but the social engineering elements which he relied on heavily are still very relevant today. I also found some of the phone/computer hacking stories, and the ensuing cat and mouse games, hilarious. Using some wily social engineering techniques, he managed to get access to the Motor Vehicle Register, Social Security system, and the phone companies’ ‘switchboards’. Some examples which made me laugh were when he had the unwitting phone company tech running around trying to work out which phone lines had been tapped and by whom, and when, without being caught, he was making all-day phone calls from solitary in prison free of charge on a ‘restricted’ line. To top it all off, if what he says is true, he also never stole anything. He did however finally get caught and sent to prison more than once, and is now running a security consulting business.

For a lighter read (or listen), with more actionable content, I really enjoyed Nobody’s Fool: Why We Get Taken In and What We Can Do About It by Daniel Simons and Christopher Chabris.

Anyway, with this in mind, I was flicking through the news the last few months and noticed a heap of coverage of various scams in the NZ media. Part of this is just due to the silly season, and there being not much to write about, but according to recent research there really has been an uptick in scams.

Impersonating the bank

On 12 January two scams were reported. The first was a social engineering trick to get a person to divulge the two-factor authentication code sent by text message to her phone. The scammer pretended to be from the bank, and said they had noticed suspicious activity on the victim’s account and were helping her lock her account down. They needed her to send the code coming through on her phone, in order to confirm her identity. They even spoofed the bank’s phone number, so it looked like they were calling from the bank. In fact, the person had somehow got hold of or guessed her password and was triggering the two-factor authentication code by trying to log in. Once she sent the code, they completed the login and were able to transfer money out of her bank accounts. She contacted the bank right away, but she lost $30,000. The bank refused to reimburse it because she had divulged the code to someone she thought was working for the bank. Fortunately for her, the banking ombudsman found in her favour and the bank had to pay her back the $30,000, plus $1,000 for being slow to respond.

Scam centre kidnappings

The second case reported the same day was less local, but about people being trafficked to scam centres. Mark has talked about this in an earlier podcast. There are quite sophisticated operations with offices and staff, and escalation procedures for different levels of scams. For example, first contact, face to face conversations, and so on. In this case the victims are suspected of being lured into the scam centres through fake film jobs in Thailand. Once they arrive at the airport, someone greets them and takes their passport, and they are taken to a scam compound in Myanmar and forced by armed criminal organisations to participate in online scams including romance schemes, illegal gambling and fake investments. The majority of victims are from China, Taiwan, Malaysia and Singapore. I was pleased to read in the news on Saturday that the person mentioned in the article has now been rescued by Chinese and Thai authorities, along with several other victims.

Recovery scammer

Going back a few days, on 9 Jan we have a revictimisation scam. This is where a person who has already been scammed is contacted by someone offering to help them recover their losses. This is a second scammer, and it may be someone involved with the previous scam or someone who has seen a social media post about the scam. If you post on social media that you have been scammed, there is a pretty good chance you will get recovery scammers contacting you too. In this case, the woman lost a small amount through a fake investment. The recovery scammer however got a whopping $100,000, which the scammer said needed to be paid as tax before the ‘discovered’ significant investment profit funds could be released. The scammer even told her what to say to the cryptocurrency representative when they called to query the suspicious transactions.

Deep fake endorsement

On 6 January, a NZ doctor specialising in diabetes was deepfaked. A convincing AI-manipulated video was posted on Facebook in November claiming to be a lecture delivered by Sir Jim Mann. Much to the real Sir Jim Mann’s distress, that video urged patients to stop taking the diabetes medication metformin, and instead buy a scam gummy product. In the same article Mastercard’s deepfake scam educator, Stacey Edmonds, said that deepfake scams were becoming more common and advanced, and about 29 percent of Kiwis have reported being targeted in the last 12 months. Unfortunately deepfakes tend to circulate online longer than they should, and not everyone reports them.

Spear phishing

Across the ditch on 29 December a couple in the Gold Coast were the victims of a ‘spear phishing’ attack that cost them their entire $250,000 house deposit. In Australia it is normal to have a conveyancer as well as a lawyer. Unfortunately, someone pretending to be their conveyancer started emailing them with pretty normal looking emails. They were corresponding with them for two weeks, and the conveyancer eventually confirmed they had received the funds the couple had transferred. All the details looked legit, including the amounts and stamp duty. Unfortunately, it wasn’t their conveyancer they were emailing, and they had in fact transferred their deposit to a scammer. The scammer knew something about the house purchase or mortgage settlement, and they used techniques that were targeted specifically at this couple. This could have originated with someone involved with the transactions, or compromised security by one of the parties – perhaps their email may have been hacked, or password guessed.

Fake investment

On Christmas Eve there was a report of a 67 year old who lost $80K in a fake investment. A person she knew recommended the investment in person, and she ended up making regular contributions. The online website looked legitimate, and she could track the progress of her investments, which appeared to be doing well. When she stopped contributions because she was unwell, they demanded $25K that was ‘owed’ - citing the contract that she had signed. They refused to take it out of her “investment” and pay it out. Ultimately her lawyer told her it was a scam. Her friend found out it was a scam earlier, but hadn’t told her because he was too embarrassed. Scammers can often count on this sort of psychology to keep people quiet.

House sitting and head tenant scammer

On 22 December a couple were going overseas and had someone from a house-sitting website stay in their house and look after their dog. The dog had been to the vet just prior to the trip, and was healthy. The house-sitter took the dog for a run, despite having been instructed not to do so. After the run the owners saw the dog’s distress and breathing difficulties on CCTV, but despite asking the pet sitter to intervene the dog died in her care. The pet sitter became very abusive, and would not leave the house unless the owners made a payment for alternative accommodation, which the owners refused to make. Eventually she did leave, with the help of a neighbour, but she left all the doors and windows open and the aircon on. It turns out this woman was well-known for being badly behaved, and was in the process of being banned from the housesitting site due to other complaints. She had also used multiple identities, and had a history of abusive behaviour. As a lead tenant in the past she had asked sub-tenants to pay rent and bond in advance, then harassed and bullied them until they left shortly after, forfeiting their payments.

Fake holiday home listing

This leads nicely into a fake holiday home, reported on 18 December. The owner had listed the house online, but not on booking.com where it was booked from. A scammer had lifted the photos from elsewhere, and posted it to the booking.com website, taking deposits for it. It took weeks for booking.com to take it down after she reported it, and my guess is the scammers knew about this slow response pattern from the website admins.

Finally, the festive season would not be complete without a bunch of online scam sales. Usually these happen on Trade Me or Facebook Marketplace. On 9 December the police warned of scammers posing as buyers on online sales platforms. These scammers are usually after personal details like a victim’s bank account and logins. They do this by sending a fake courier link. When someone clicks the link they are prompted to enter payment details for the courier. These details go right to the scammer. They may then ask for a 4-5 digit code that has been sent, and may say that it is for the courier or some such. As you may have guessed, that is actually the bank’s two-factor authentication code. Once that is done, the scammer can log in to the victim’s bank account and take what they want. There’s more information on this in this 5 min Radio NZ clip.
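Both the fake-bank call and the fake-courier link end the same way: the scammer already has the password, gets the text-message code out of the victim, logs in from a device the customer has never used, and moves the money out within minutes. As an added illustration (this is not from the article, nor any bank’s real system), here is the kind of defender-side check a bank could run over its own event log to hold such a transfer for out-of-band confirmation; the event fields, thresholds and timestamps are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed event log modelled on the 12 January case: new-device login,
# a payee added moments later, then a large transfer to that payee.
EVENTS = [
    {"t": "2025-01-12T10:00:05", "type": "login_ok", "device": "dev-unknown-77", "new_device": True},
    {"t": "2025-01-12T10:01:40", "type": "new_payee", "payee": "acct-9999"},
    {"t": "2025-01-12T10:02:10", "type": "transfer", "payee": "acct-9999", "amount": 30000},
]

WINDOW = timedelta(minutes=15)  # assumed: how long a new-device login stays "fresh"
LIMIT = 5000                    # assumed: transfer size that is a signal on its own


def ts(event):
    return datetime.fromisoformat(event["t"])


def assess(events, window=WINDOW, limit=LIMIT):
    """Return (event_time, reason) for each transfer that should be held
    for confirmation over a separate channel rather than executed at once."""
    holds = []
    last_new_device_login = None
    recently_added_payees = set()
    for e in sorted(events, key=ts):
        if e["type"] == "login_ok" and e.get("new_device"):
            last_new_device_login = ts(e)
            recently_added_payees = set()  # payees added before this login are trusted
        elif e["type"] == "new_payee":
            recently_added_payees.add(e["payee"])
        elif e["type"] == "transfer":
            reasons = []
            if last_new_device_login and ts(e) - last_new_device_login <= window:
                reasons.append("transfer within %d min of new-device login" % (window.seconds // 60))
            if e["payee"] in recently_added_payees:
                reasons.append("payee added since that login")
            if e["amount"] >= limit:
                reasons.append("amount >= %d" % limit)
            # Any one signal is common for honest customers (new phone, new
            # tradesperson); two or more together is the pattern in these scams.
            if len(reasons) >= 2:
                holds.append((e["t"], "; ".join(reasons)))
    return holds


if __name__ == "__main__":
    for when, why in assess(EVENTS):
        print("HOLD transfer at %s: %s" % (when, why))
```

A relayed SMS code authenticates the attacker’s own session perfectly, so the check deliberately ignores the code and looks at what happens right after the login instead.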

What a haul in just 6 weeks!

If you need more information on how to keep yourself safe from scammers, then NetSafe is a great resource. This Radio NZ feature on cybersecurity also gives some good security tips. If you want a deeper dive, then I suggest Nobody’s Fool, mentioned at the start of the article. It’s a 2023 book, so reasonably up to date.