Overseas scammers using a fake website nearly identical to
the Inland Revenue Department's are preying on Kiwis in one
of the most sophisticated attacks NZ officials have seen.
IRD is working with the National Cyber Security Centre and
the New Zealand Police e-crimes division to remove the site
and others like it.
The latest scam appeared last week, sending out emails with a
link to the bogus website for customers to lodge online tax
refunds, with the promise of quick payment for refunds of
$600 or less.
The branding and layout of the site mimic the real IRD one,
and it instructs potential victims to give their IRD numbers,
bank and credit card details and personal contact and address
information - including their driver's licence number.
An IRD spokeswoman said the scam came after a similar attack
last month, but was the most complex the government agency
had dealt with.
"It's the first one we have had as sophisticated as this,"
she said. "Although the pages look very similar to those on
the Inland Revenue website, they are most definitely fake.
"It is important that people are aware that this is a
deliberate attempt to use the Inland Revenue logo and brand
to steal confidential and personal information."
She said the websites were based overseas and the latest
batch had emerged with slightly different designs and URLs
after last month's sites were shut down.
The agency had more than 400 emails from people alerting it
to the scam since Thursday, and got more than 1190 about last
The head of consumer information at the Ministry of Business,
Innovation and Employment, Jarrod Rendle, said he had known
of scams with fake IRD emails for some time.
"However, this latest one appears to be more sophisticated,
as the website appears genuine," he said.
Meanwhile, today is global Safer Internet Day and an emphasis
is being placed on staying safe with social media.
Symantec Security Response is encouraging people to revise
their security settings as social media become a more common
target for scams, spam, and phishing attempts.
Basic tips include getting familiar with the privacy settings
and security services of each social network and
application and using strong passwords and different
passwords for each site.
More high-tech advice promotes using two-factor
authentication, where an added security feature - usually a
randomly generated number - is required with your password to
access a service.
Never enter your personal details into a website unless you
are sure it is genuine.
If you get a suspicious IRD email, send it to firstname.lastname@example.org and
report the scam at www.scamwatch.govt.nz
Never visit your bank's website by clicking on a link. Type
in the website address yourself.
Don't reply to any spam emails or click on any links or open
any files they contain. Don't call any numbers in spam
Check your account statements and credit card bill to make
sure no one is accessing your accounts. Order a credit report
every year to make sure no one is using your name to borrow
money or run up debts.
If you have given money or personal details to a scam,
contact your bank or credit card provider immediately.