Scamming is everywhere. It isn’t just a problem for targeted individuals: it’s an urgent issue of public trust.
“Two hundred million dollars goes out the door each year, and that’s a gross underestimate,” says Jon Duffy, CEO of Consumer New Zealand. “There are people in New Zealand losing money right now.”
He’s right: hardly a week goes by in New Zealand without a headline about some digital swindle, outrageous and elaborate or simple and mundane. Scammers are pretending to be Waka Kotahi. They’re pretending to be a child with a lost phone. They’re investment advisers with the deal of a lifetime. They’re banks, prompting you to ignore alerts about unauthorised spending.
CERT NZ, the unit of MBIE dedicated to cybersecurity, collects reports of scams, and has definitely seen an uptick. Senior threat analyst Sam Leggett says more people are falling victim to scams, and there are more scams in general. Getting accurate data is difficult, though, as many people don’t report scams, because they’re ashamed of being swindled or because they weren’t aware there was a way to report them at all.
What is being done about scams? The focus is often individual, teaching people to be more sceptical of being contacted at all. If CERT receives enough reports of a particular scam, they’ll issue an alert, as they did recently for the text messages purporting to be from someone who’s lost their phone and needs money for a new one. They try to spread the knowledge, working with community groups to educate people about scams. This makes known scams less effective, but it doesn’t stop new ones coming. In response to this education, the scams keep evolving: the wording changes, the institutions being imitated alter.
Throughout our interview, Leggett repeats his advice for not being scammed, and there are good tips. Reputable texts will come from shortcode numbers (four digits) as they will be using a sending service. Ask a suspicious caller questions that they would only know the answer to if they were from the service they say they’re from. Don’t trust easily.
There are institutional responses to scamming too. On The Detail, host Sharon Brett-Kelly got a glimpse of the fraud unit at BNZ, but her report didn’t include much detail about the action they’re taking, as professional scammers could use the information to get around blocks on their activity. As for banks themselves, they are meeting every fortnight at the moment to discuss their collective response to scams. If a particular institution is being impersonated, as with the Citibank or Waka Kotahi scams, then that organisation can reach out to its clients, asking them not to trust unsolicited messages from people claiming to be employees.
Scammers are usually based overseas, beyond the jurisdiction of the New Zealand police. There’s an entire YouTube subgenre devoted to revealing the mundane office blocks on the outskirts of big cities where scammers work. For many people, scamming is just a job. Taken in sum, the amounts of money stolen by scamming are staggering, but on an individual level, in the realm of international heists, the losses are small. Fifty dollars here, $300 here, $200,000 there. Devastating for individuals, but if you don’t know who took your money, and neither do the police or your bank, then there’s very little you can do.
But New Zealand is hardly unique in being targeted by scams, and responses could certainly go further. The banks in the UK have just signed up to a model of compensation where they will pay back customers who are defrauded from 2024. (There are certain conditions; if the bank warns you that you’re being scammed and you transfer money anyway, they’re off the hook). This adds an urgent financial incentive for banks to respond effectively to scams.
New Zealand currently has provisions for compensations if someone else has accessed your account or credit card without your permission, but if you give your details to someone who is tricking you into thinking you can trust them, the banks may not compensate you if they decided you didn’t act with “reasonable care”. New Zealand Banks Association chief executive Roger Beaumont has said that following the UK’s example would mean customers would have no incentive to protect their money. Is that fair?
“It’s a question of the ambulance at the bottom of the cliff or the fence at the top,” says Jon Duffy of Consumer. His organisation is regularly in contact with people who have lost huge amounts of money, and Duffy is an advocate for open banking – making it easier for consumers to control their financial information and switch providers if needed. “The New Zealand banking sector should have a look at their cuzzies in England.”
Another helpful model used overseas is the “total impact of fraud”, which assesses the way that having fraud everywhere doesn’t simply hurt individuals, but damages the trust that businesses and the public sector need to function effectively. Consumer’s surveying, incidentally, has found that trust in banks is plummeting in Aotearoa. Why, then, is the response to scams usually focused on educating us as individuals?
“You need to be mindful of digital security, as if it was a house,” says Leggett. “You don’t want to leave your windows open and unlocked, you lock the door when you leave, you might install an alarm system. Using good passwords, being mindful of the data you make accessible on social media, installing two factor authentication on important accounts is sort of similar – our lives are so entangled with the digital world.”
While this kind of defence is obviously one kind of deterrent, is there any point in focusing on getting really good at installing deadbolts if the thieves roaming the neighbourhood have moved on from doors and are now trying to pry open your skylight? There are more and more resources like this to learn about scamming – awareness of scamming in general, if not of specific tactics, is high, not least because nine in 10 New Zealanders have been targeted by a scam in the last year. CERT NZ’s work is preventing people from being taken in by scams: it’s just that new threats are constantly emerging.
The “total impact” model points out that preventing fraud from taking place is a much more efficient use of resources than trying to reimburse people and regain trust after the fact. Individuals have a responsibility to be sceptical, but so do the services around them that scammers use to steal money and trust.
Trust is something valuable, and scamming erodes it. Trust makes it possible to wander onto trains in New Zealand without having to go through an x-ray scanner, as often happens overseas. Trust makes it possible for me to send my sister money via a banking app and trust that it will arrive; to answer a security question about my first pet on my RealMe and trust that the government service I’m accessing is keeping that information secure. It’s this trust that scammers exploit. If you trust the messages that come from your phone and computer, even if they are simply strings of ones and zeros floating through radio waves towards you, then it’s much easier to trust more of the digital communications you receive, legitimate or not.
And when scamming is everywhere, everyone is affected. “Scams are really, really bad for business,” Duffy points out. “Scams take millions of dollars out of our economy while we’re wanting to increase our exports.”
The sole focus on the individual is problematic, he says. “You can get educated about a scam and then it changes the next day – there’s an element of victim blaming that irks me.” If it’s an individual’s responsibility to be sceptical of people contacting them, then if that individual gets scammed it’s their own fault. Duffy suggests that the burden of scams could afford to fall a little more on banks, whose record profits are currently subject to a Commerce Commission inquiry.
“Banks have benefitted massively from the shift to digital services,” Duffy says. “They’ve closed branch offices. They’ve done away with cheques. Everyone has the app on their phone, and their costs of administering have gone down.” Plus, outsourcing work like help centres adds to the security vulnerability: once customers get used to solving banking problems with the help of people on the other side of the world, a scammer has an in.
Asking questions about how to trust in a moment when scamming has never been easier and more prevalent is urgent – especially because technology coming down the line could make scamming even more widespread. Generative AI technology is an obvious example, with its ability to create more convincing personas and storylines. Other digital security concerns can contribute: with access to information from data breaches – text, videos, voices and pictures that seem like people you know – scammers can be that much more convincing, and make it that much harder to trust legitimate communication.
In a world where scams are everywhere, we’re all vulnerable, no matter how many reports we file to CERT NZ. I feel like I’m digitally savvy now, able to avoid obvious fraudulence. A few months ago, I got a message from a friend who I hadn’t heard from for years, asking me, “What’s your email address.” Blank words, unexpected communication; I was leery of a scam. “What do you need it for?” I asked, cautious. “I want to send some photos of my new baby to friends off of social media,” she replied, giving me an update on other aspects of her life, how her house build was going. I felt bad for not trusting her initially, but isn’t that what digital communication – and scams, scams everywhere – has taught me to expect?
Scams get more sophisticated all the time: that’s why it’s easy to get taken in, no matter how educated we are, how many tactics we learn. If we want a future where it’s possible to keep trusting – and I really do – I know I need to be suspicious of texts and calls and messages now. I also want responses to scamming that go far beyond my responsibility as an individual.