This is our seventh information security bulletin, all about the recent phishing attempts and what to do if you suspect you’ve fallen victim to phishing.

New phishing campaigns impacting New Zealanders

Recently there has been a surge in compromised accounts being used to send phishing emails from trusted or known contacts. These emails are being sent using Microsoft OneDrive/SharePoint sharing invitations and redirecting users to malicious websites.

If you click the link in a file sharing invitation email and are directed to a login page, make sure to check if the domain in the address bar matches the expected account login page (e.g. login.microsoftonline.com or login.live.com) before entering your information. Check this every time!

Just getting the email doesn’t put you at risk, but if you click the link or enter any information, your risk increases. You could be affected if you have you have provided login details and/or two-factor authentication codes to unfamiliar domain. Check for any unfamiliar logins, which may be from an odd location or an unknown device; and make sure to check for any unfamiliar email rules, which could delete, move, mark as read or forward messages.

What is phishing?

Phishing is a type of email scam where the sender attempts to get you to provide them with personal information, especially financial details. Often the sender will pretend to be a trustworthy organisation, like a bank or a government agency. Phishing emails will ask you to either click a link and enter personal information, open an attachment in the email, or buy a gift card or voucher.

These emails often look legitimate, using the same design and logos as the company or organisation they’re pretending to be. While it used to be relatively easy to spot a phishing email due to spelling errors or poor grammar, these scams are a lot more sophisticated now and will often use the same tone of language as the organisation they are purporting to be.

How do I spot a phishing email?

• Reputable companies and organisations will never ask you to provide personal information by email – any email you get that does this is a huge red flag.

• Double check the sender’s email address to see if it looks legitimate. Companies like banks won’t have email addresses that end in gmail.com or hotmail.com.

• Be wary of any unexpected emails.

• Any anomalies in the email’s tone, language or signature that differ from the sender’s usual style could point to a phishing email.

• Check where links lead by hovering your mouse over the link to see what the domain is – often a suspicious link will point to an address which isn’t related to the content of the email or the wording on the link.

What happens if I open the attachment?

Opening an attachment from a phishing email allows the sender to infect your computer with malware – malicious software. Malware can allow the senders to access your personal information without you knowing. Malware can spread through your programs and files, corrupting them and slowing down your computer or causing your computer to stop working. If you have malware on your computer, you are more vulnerable to other attacks, like ransomware.

What do I do if I receive a suspected phishing email?

If you suspect you have received a phishing email, do not click any links or open any attachments, these are typically in the form of payment requests or remittances. Contact the supposed sender through a different communication channel (e.g. call through to their contact centre – making sure to get their phone number from their website, not from details in the email) to verify whether the email is authentic or not. Report the email to your IT department and/or relevant authority (e.g. CERT NZ).

Want to know more?

CERT NZ is regularly updated with the latest scams targeting New Zealanders, you can view their alerts here https://www.cert.govt.nz/individuals/alerts/

We also highly recommend signing up to Cert NZ’s regular email updates by clicking on the ‘Subscribe to updates’ button at the top of every page on their website.

We are here to help! You can email us to ask for copies of past security bulletins. You can also review our outsource provider statement at the bottom right-hand corner of every page on the site at www.quotemonster.co.nz. More information about relevant certifications, policies, and procedures will be shared in future information security bulletins. We recommend you keep these with other compliance documents.

Please contact us on 09 480 6071 or at info@quotemonster.co.nz if you have any concerns or questions.

Stay vigilant and safe.

ISB 07-202406

This is our sixth information security bulletin, all about avoiding phishing scams. As a valued user of quotemonster.co.nz, we want to ensure that your personal information remains secure, and your privacy is safeguarded. With phishing scams becoming increasingly sophisticated, its crucial to stay vigilant. Most commonly an account is compromised through re-used credentials, or, by unwittingly granting access to the account, often when clicking on a link in a phishing email.

This ISB is to alert you to a concerning trend in email-based phishing scams that have recently come to our attention. These sophisticated scams pose significant risks to personal and organisational data security.

1. Nature of the Scam: Recent incidents have involved emails that appear as replies from someone you know, to an email that may at a glance look like it was written by you, or someone in your business. These emails are entirely fabricated, yet may convincingly mimic legitimate correspondence. Alarmingly, these emails are occasionally sent from actual email addresses previously used by clients or associates, which are no longer active but have been compromised. In our case, we received one from an adviser who was once active in the industry, but is now deceased, which helped to raise the alarm.

2. Spotting the Scam:

• Unexpected Replies: Be cautious of email threads that you do not recall initiating.

• Email Address Verification: Double-check the sender's email address, especially if the content seems unusual or unexpected.

• Content Inconsistencies: Look for anomalies in the email's tone, language, or signature that may differ from the supposed sender's usual style.

• Suspicious attachments: There will often be a PDF or Zip file attached with a generic or meaningless name. Never open an attachment if you are unsure about what is in it.

• Suspicious links: Be very cautious of clicking on links. We have included one for Cert NZ in the next section. If you hover your mouse over the link you should be able to see that it links to a web address with a domain that ends in ‘.govt.nz’. This is the NZ government’s domain, which is where you might expect that link to lead, and you can be pretty sure that it is safe to click on.  Often a suspicious link will point to an address which is not related in any way to the content of the email or the wording on the link. Don’t go there!

3. Preventative Measures:

• Close Unused Accounts: Ensure that all inactive email accounts are properly shut down to prevent unauthorised access.

• Secure Login Credentials: Regularly update passwords and keep them confidential. Use strong, unique passwords for each account.

• Storage of Login Credentials: Ensure your login credentials are stored in a secure password manager, such as LastPass, these applications will also help generate strong passwords.

• Activate Two Factor Authentication (2FA): Add an extra layer of security by activating 2FA.  

• Activate Spam Filtering: Microsoft allows you to enable spam filtering and will automatically pick up spam or phishing emails when detected. These will not catch everything, but they definitely help.

• Educate and Inform: Continuously educate your team about these scams and encourage vigilance. CERT NZ provides some valuable information on the subject and has a scam check that you can use to check if a text, email, social media page, phone or website looks suspicious.

4. Immediate Actions: If you suspect that you have received a phishing email:

• Do not click on any links or download attachments.

• Contact the supposed sender through a different communication channel to verify the email's authenticity.

• Report the incident to your IT department or relevant authority (e.g. CERT NZ).

We urge you to take these warnings seriously and implement the suggested measures to safeguard your information. As always, we are committed to keeping you informed about potential threats and providing solutions to enhance your security.

Want to know more?

We are here to help! You can email us to ask for copies of past security bulletins. You can also review our outsource provider statement at the bottom right-hand corner of every page on the site at www.quotemonster.co.nz. More information about relevant certifications, policies, and procedures will be shared in future information security bulletins. We recommend you keep these with other compliance documents.

Please contact us on 09 480 6071 or at info@quotemonster.co.nz if you have any concerns or questions.

Stay vigilant and safe.

ISB 06-202402