Stay alert to email and online shopping scams this holiday season

Christmas and the summer holidays are just around the corner, but unfortunately not everyone sees it as the season of goodwill. For scammers, it’s an opportunity to try to hoodwink us into buying items that don’t actually exist, or into clicking on links that then give them access to our personal or financial information or download malicious software.

6 November 2020

One of the ways scammers try to trick us is by taking advantage of our trust in the technology we rely on every day, and one of the techniques they use to do this is called phishing. There are two types of phishing that we need to be especially alert to in the run-up to Christmas — email phishing and website phishing.

Both phishing techniques take advantage of the fact that, at this time of year, many of us are searching online for that perfect Christmas gift or are placing and paying for orders to be delivered to our homes and workplaces. Scammers are becoming increasingly sophisticated in their attempts to trick us, as they often very convincingly replicate the look and feel of the brands we know and trust.

Phishing consistently ranks as one of CERT NZ’s top reporting categories, with over 5,300 phishing incidents reported to CERT NZ. While phishing can be difficult to spot, knowing a bit more about the various techniques means we’re better able to recognise it and, importantly, avoid falling for it.

Phishing emails

A phishing email is where a scammer sends an email pretending to be from the likes of a bank, government agency or other legitimate organisation or business, usually asking the recipient to click on a link or open an attachment.

A common phishing email doing the rounds at this time of year is the ‘parcel delivery’ email. These emails appear to come from well-recognised freight, courier or postal companies, and claim the recipient has a pending parcel delivery. The message asks the recipient to click a link or open an attachment to accept delivery, except it’s all false. It’s a trick to get our personal information, which the attacker can then use for other attacks, or to trick us into making a payment to have the non-existent parcel delivered.

How to check

It’s always exciting to hear a parcel’s being delivered, but it pays to do a couple of checks:

  • If you’re not expecting a delivery, don’t click the link or open the attachment.
  • Call the courier company to check that the delivery notice is legitimate.

Phishing websites

Phishing websites capitalise on the huge increase in online shopping the festive season brings, with scammers creating websites offering free gifts or amazing deals on popular consumer items at bargain basement prices. The websites can be hard to tell apart from the genuine websites they copy, and scammers often manage to exploit search engine optimisation techniques so their websites appear high on a search results page.

As with phishing emails, the aim of website phishing is to get us to click on the link and provide personal and/or financial information. These websites can also lead to a scam where you’re tricked into buying an item or service that doesn’t actually exist.

How to check

A good deal is hard to pass up, but before you click to make a purchase or enter your details, check:

  • Does the website URL match the brand? For example, if you are looking at buying running shoes from an online store but the website URL is unrelated, it might mean that the site is a scam.
  • Ask someone. If you are unsure whether a website is legitimate, verify by calling the business.

Protecting yourself from phishing

“We know that phishing can be hard to detect, but easy to fall for. At CERT NZ we recommend putting simple cyber security steps in place so that if you do experience a phishing incident, you can recover more easily and lessen the impact,” advises CERT NZ Director Rob Pope.

  • Use unique passwords for all your online accounts. This means that if you’ve shared your account login information, only that one account is exposed, and you only have to change the one password.

    Tip: If you have trouble remembering all your passwords, use a password manager. It’s like an online safe that securely stores your passwords, and you only have to remember one master password.

Keep your logins safe with a password manager

  • Add two-factor authentication to your online accounts, like your bank and email. It adds an extra layer of security. That way, if a scammer does get your login details, they still can’t access your account.

Add an extra layer of security with 2FA

  • If you are unsure or think you might have responded to a phishing attempt, report it to CERT NZ. We can help identify the issue and advise on next steps.

Report to CERT NZ

If you think you might have given personal and financial details:

  • let your bank and/or email provider know and ask what they can do to help
  • change the passwords for any online accounts you think might be at risk, and
  • get a free credit check done.

Find out CERT NZ's other top security tips