An iphone with a scammy message that reads 'Woops your bills are due now. Pay at notascam.co.nz now' sits on top of a colourful, digitally chaotic background.

Partners | May 20, 2024

Scams are surging – this team blocked 1.3 million in a month


After falling victim to a scam over the phone, Russell Brown spent the day with One NZ’s cyber defence and fraud prevention teams to see the work they do to stop millions of scam attempts every year.

The only windows in the Cyber Defence Centre at One NZ’s Auckland headquarters are windows on the internet. An array of large screens bearing the names of various security vendors and their products – Check Point, Darktrace, Mandiant – show some of the bad things happening on the internet right now.

More specifically, they’re highlighting bad things that could be a threat to One NZ and its customers. There are a lot of those. One screen tracks suspicious email traffic and shows a 49% increase in emails containing phishing links in the past month – and this isn’t even the worst month.

“In December, we blocked 1.31 million scam attempts,” says Cyber Defence Centre Team Leader Ash Das, explaining the risk.

“Let’s say you receive a phishing SMS that contains a suspicious link and says, ‘Hey, you have a payment overdue, log into your bank and make the payment’. Somebody clicks on the link, enters their credentials or their credit card information and it’s all stolen. So we have a dedicated team who can look at the email pattern, and who can pick up the suspicious text messages.”

What happens next is relatively new. Last July, One NZ was the first internet service provider (ISP) to partner with the National Cyber Security Centre’s Malware-Free Networks service, a “threat intelligence” feed that reports suspicious URLs in scam emails and texts so that partners can block them – meaning that if you do click on a malicious link in a text, it won’t load. This cooperative approach, where government agencies, banks, security companies and ISPs like One NZ share information in real time, is rapidly becoming the face of computer security in New Zealand.

“There are lots of threat feeds out there globally and most of the large security vendors will have their own,” says David Garrett, head of managed services at One NZ’s 60%-owned security partner DEFEND. “This one is new and New Zealand-specific. We’re seeing a lot more of the consumer-grade type phishing – the NZ Post and banking scams – and when we do see it, Ash and his team are able to feed that back up to the NCSC, where they manually curate the feed to make sure that what they’re putting in is definitely malicious. So it’s New Zealand-specific intelligence and there is a threshold.”

“We’ve never had this much visibility before,” confirms Laura Ross, One NZ’s Chief Security Architecture Risk Officer. “We’re seeing the number of possible attacks or malicious activities out there. Now we know the enormity of the issue that we’re facing.”

It’s far from the only monitoring and blocking One NZ does every day. The scam texts, emails and calls that get through to you are a tiny fraction of the overall number of attempts made. But they do get through and it’s worth making a habit of thinking about security. Even if, like me, you think you’re a fairly sophisticated user.

They got me when I was vulnerable. I’d come back in bits from a particularly difficult visit to the hospital where my mother was dying. A text message arrived warning of an attempted login to my banking app, with an 0800 number to call immediately. On a better day, I’d have immediately noticed the first red flag. The text, I realised later, came from an ordinary 021 mobile number and not a shortcode – the three, four or five digit numbers assigned to banks, telcos and other large users.

“Shortcodes can’t be spoofed, or impersonated,” says Jack Tye, One NZ’s Risk and Compliance Manager. “So if you get a message from a shortcode, you can be really confident that that is from a dedicated provider. We won’t send messages from 021 numbers out to our customers with regards to marketing or general contact.”

When I dialled the number, stressed and alarmed, I got through to a man with a very smooth, soothing manner. (That was another red flag, by the way: I got straight through without the usual hoopla of identifying myself, answering challenge questions or entering a PIN.) I gave out information I shouldn’t have and even briefly allowed remote access to my computer for a “malware scan”. Yes, these are things I would normally regard as very dumb, but it wasn’t a normal day and these attacks are as much about psychology as technology. Crucially, it all happened very quickly.

“Scammers are usually really quick and good,” says Tye. “These are professionals and they do this for their job. They really want you to hurry. So just taking a second, it’s not rude. If the salesperson or whoever is calling you is genuine, they won’t mind you taking a little bit of time to think about it. Don’t feel bad about taking your time.”

In general, he says, be vigilant about giving out information, especially if it’s someone calling you.

“If you’re not expecting a call, if you’re not expecting any contact at all, don’t give out any personal information. Only do so if you know you’ve requested a callback from us, or if you’re expecting a call from us. I know it’s really difficult, but trying to be vigilant is key.”

It doesn’t help that some large organisations which should know better – including my bank two days after I was scammed – still do call and ask for identifying information when you answer.

“Personally,” says Tye, “despite it taking up my own time when my insurer or my bank calls me to verify or validate something, I politely explain that I’m going to call them back on their main number. I am hypervigilant, so I will do that even when I’m expecting the call. I’ll call them back and we’ll go through their process, get through to the right person and I know that I’m talking to the right people and give them my information that way.”

Similarly, if I had looked up my bank’s real helpdesk number and called that rather than dialling the one in the scam text, I wouldn’t have had the worst day of my life.

There are other things you can do, including using multi-factor authentication to log in wherever it’s available. And get into the habit of scrutinising where your messages actually come from.

“The display name on an email might say One NZ but when you actually look at the return address, the email address that it’s come from, and it’s a Gmail address or something, that’s generally the giveaway,” says Garrett. “Same with any URL that’s made available for you to click on, look at the end of it. Is it One.NZ – or one-hyphen-nz.io or .com, or something else? I try and drill it into my parents that those are the key things to be looking for when you get those sorts of messages. And, again, as Jack said, if you’re not expecting it, then certainly give it a second look, go direct to your bank’s website, log in that way.”
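The two checks Garrett describes, written out as an added example that is not part of the original article or One NZ's own tooling: compare the display name with the real sender address, and judge a link by the end of its hostname. It assumes `one.nz` is the only genuine domain (the only one the article names); every sample message is constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the only genuine domain named in the article is one.nz.
TRUSTED_DOMAINS = {"one.nz"}
BRAND_NAMES = ("one nz",)  # assumption: how the brand appears in a display name


def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_mismatch(from_header):
    """Display name claims the brand but the address is somewhere else."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    claims_brand = any(name in display.lower() for name in BRAND_NAMES)
    return claims_brand and not host_is_trusted(domain)


def link_host(url):
    """Host a browser would connect to; anything before '@' is ignored."""
    return urlsplit(url).hostname or ""


def review_message(from_header, body):
    """Return a list of human-readable warnings for one message."""
    warnings = []
    if sender_mismatch(from_header):
        warnings.append("sender: display name does not match address domain")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if not host_is_trusted(link_host(url)):
            warnings.append(f"link: {link_host(url)} is not a trusted domain")
    return warnings


# Constructed sample messages, not real traffic; names are illustrative.
SAMPLES = [
    ("One NZ <constructed-sample@gmail.com>", "Pay now: https://one-nz.io/pay"),
    ("One NZ <billing@one.nz>", "Your bill: https://help.one.nz/bill"),
    ("One NZ <billing@one.nz>", "Log in at https://one.nz@example.net/login"),
    ("One NZ <billing@one.nz>", "https://one.nz.example.com/ https://constructedone.nz/"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", review_message(sender, body) or "no warnings")
```

The suffix test requires a leading dot, so a hostname that merely ends in the letters `one.nz` is not treated as genuine, and a trusted name placed before an `@` or at the start of a longer hostname does not count either.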

One NZ and other organisations have had enough success in the past year fending off scattershot scam attempts that the criminal organisations behind them have begun to ramp up the number of more targeted attacks.

“This is what happens with the ‘hi mum’ scam,” says Tye. “Hi mum I’ve got a new mobile number overseas, I need to get access to my bank and I need $500, can you send it to me? It’s really easy to send out those messages and very hard not to respond when you think your son or daughter is in peril. Even when it’s family members, make sure you speak to them on the phone if you’re going to give them any information, especially any money.”

Another thing you can do is be part of the solution yourself. If you get a suspicious email or text, there’s a form for reporting it on the One NZ website.

“If you’ve received a message, say from a scam sender that’s on our network, we can take a look at that. And if it’s found to be a scam, we’ll block that sender. Reporting does really help.”

These consumer-level scams are far from the only threat the One NZ team has to detect and manage. Distributed Denial of Service (DDoS) attacks are still with us and are often more sustained than in the past. Depending on where they’re targeted, they can interrupt network function for thousands of small users, or – as was the case for the NZ Stock Exchange in 2020 – particularly large ones. There has been a rise in so-called supply chain attacks, where an apparent email from a vendor might ask a customer to pay into a different bank account.

“So the customer goes and pays money into the different bank account and the vendor says hey where’s the $100,000, you just paid us, it’s gone somewhere else,” says Tye.

Messages and emails may also contain attachments or links that place malware on user devices. That malware might in turn be controlled by DNS tunnelling, a technique that co-opts the domain name system, the internet’s internal address book, to send commands. The unusual pattern of DNS use this involves is yet another thing the Cyber Defence Centre at One NZ monitors for.

That’s a pretty sophisticated kind of attack – but a key factor in the growth of this kind of crime is that the necessary technical elements are increasingly available as a service to criminal actors who previously wouldn’t have possessed the expertise themselves.

In case you’re wondering, the worst didn’t happen for me – I realised quite quickly what had happened, after trying to call the malicious 0800 number again. But the wait for the callback from the bank’s fraud desk, thinking I’d potentially lost not just our money but my dying mother’s savings? I wouldn’t recommend that to anyone. Nor the hours afterwards of changing and re-changing passwords, running repeated malware scans on my devices, looking in every corner where a keylogger might have been left and reinstalling operating systems just in case. Or the fear and shame that lingered for months.

So take a breath, and be vigilant. Be most vigilant when you’re at your worst, because that’s when you’re most vulnerable. Maybe it’ll never happen. But you really don’t want it to happen, ever.

Each time a team like the One NZ cyber defence team stops a scam from getting through the network, a person is potentially saved from an incident like the one I went through – and those numbers add up. For those scams that slip through the cracks? Remember to be vigilant, check for warning signs and take a moment to think before you give out your personal information.
