Avoiding scams and fraud

Both scammers and hackers want to con you and your business out of money or private information — but they work in different ways. To protect your business, be aware of common risks and make prevention a priority.

Hackers and cyber attacks

Hackers are behind cyber attacks. They often work anonymously by breaking into your computer or network. The best way to fend them off is to protect your computers, networks and other devices.

Scammers contact you to try and manipulate you into giving them something.

You can avoid their cons by knowing the common characteristics of a scam. This means being suspicious of any unexpected contact from someone asking for money or information.

To reduce your chances of being hit by either, everyone in your business needs to be aware of the risks and commit to safe practices. Make sure you set aside time to educate yourself and staff on new threats. Regularly check in about any questions or concerns.

Defence against cyber attacks

Safeguarding yourself from cyber security threats can be easier than it seems. There are other quick and important practices you should follow when you:

  • encrypt, store and back up data
  • protect business data
  • protect personal information.

Some simple measures to significantly reduce risks include:

  • Backing up systems and data regularly.
  • Encrypting important systems and data.
  • Keeping all software up-to-date.
  • Installing security software to protect from viruses and other malicious programs.
  • Using strong passwords or passphrases that are hard to guess.

What to do if you've been hacked

If one of your devices alerts you to an update, don't ignore it.

The latest updates or versions often patch — or repair — any new vulnerability to cyber attacks.

Guard against cyber attacks

Spotting a scammer

Scammers are often inventing new ways to con people and businesses — but scams have common characteristics you can look out for.

Scams usually start when someone makes unexpected contact with you. This could be in person or by phone, letter or email.

In exchange for money or private information, they may:

  • make you an attractive offer, eg connections to angel investors if you pay an upfront finder’s fee
  • say you urgently need important products/services, eg critical software updates 
  • pretend to be someone they’re not, eg your bank.

If you think you’ve been scammed

  1. Stop all contact with the scammer.
  2. If you’ve given over any financial details, call your bank.
  3. Report the scam.

Always report scams and warn everyone you do business with about them.

You can report scams and fraud to Netsafe or cyber security incidents to CERT NZ.

Report online incidents (external link) — Netsafe

Report an issue (external link) — CERT NZ

Train your staff

You can’t blame staff for getting things wrong if they don’t know the rules. Make sure all your employees — and anyone else who may have access to your IT systems — are aware of the common characteristics of a scam, any cyber security risks and how to avoid them.

It’s a good idea to:

  • Get staff to read the content on this page so they are familiar with common risks and how to avoid them.
  • Make sure staff know when it’s appropriate to share private information and financial details, and with who.
  • Set policies around payment for products and services.
  • Set out the dos and don’ts for new staff as part of getting them on board.
  • Keep regular updates about new security risks and scams.
  • Have an IT and social media policy.

Use the Workplace Policy Builder to create an IT and social media policy.

Workplace policies, made easy (external link) — Workplace Policy Builder

Set times for tasks like depositing money and making payments — it’s easier to spot suspect transactions.

Banks never ask for passwords in person or by email — be wary if asked.

Common scams and how to deal with them

Here are some common ways scammers and hackers may target your business — but remember, different scams are always being invented. A good rule of thumb is if a deal sounds suspicious or too good to be true, it probably is.

Malicious spam emails

What is it?
Any unexpected email from someone asking you for money or personal information.

What to do:

  • Don’t reply — if you do, it confirms your email address is active and ready for further 'offers'.
  • Don’t open attachments from senders you don’t know — the same goes for clicking on links, which can infect your computer with malicious programs.
  • Don’t forward hoax emails — if you get an email that looks like a hoax, it probably is.

Steer clear of hoax emails

Hear tips from Paul Macpherson, head of security at Xero, on how you can stay safe when you use email — the vital tool many businesses rely on.

Never reply to a spam email or letter — even if it made you see red. It’s safer to report or delete it.

Email hacking or identity theft

What is it?

Cyber criminals may intercept business emails and send false invoices to clients asking for payment to be made to their own bank account. Or they might pretend to be from your business for other reasons.

How to stop it

  • Make sure your antivirus software is up-to-date.
  • Don’t ignore pop-up reminders of updates from your software provider(s).
  • Educate staff on how to spot risky links and websites — and why they shouldn’t click them.

Blocked access to computers

What is it?

Ransomware — a type of malware, meaning software designed to damage or disrupt systems — stops systems and computers working until a password is entered. You’ll get a ransom demand asking for payment, usually to an overseas account, in return for the password. Ransomware also infects smartphones, often through apps downloaded via social media.

What to do:

  • If in doubt about an email or text, delete it. Don’t click on the links.
  • Make sure software systems are up-to-date, particularly antivirus and malware protection software.
  • Don’t open attachments you weren’t expecting or that come from sources you don’t know. 
  • Don’t download apps from sources you don’t know.

Phishing — or asking for passwords

What is it?

Scammers use emails and texts to get you to reveal PINs and passwords for things like banking, Inland Revenue and social media — and to send false invoices.

How to avoid it:

  • Be sceptical — don't reveal your passwords, PINs or sensitive information in a text or email. Instead, go to the website the person says they represent to check if it’s genuine.
  • Check the authenticity of emails you weren’t expecting or that promise something too good to be true. Scam email addresses may be different — though often similar — to genuine addresses. The email address may also be genuine but compromised if a scammer has hacked into someone’s system and is sending emails on their behalf. If in doubt, mark the email as junk mail or spam without opening it. Then delete it from your spam folder.
  • If an email seemingly from your bank asks you to click a link to log in to your account, don’t click it — open a browser window and type your bank’s web address in. If the URL is different in the email but the website looks like your bank’s, it’s a clone designed to catch people out. 
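The checks described above — does the link go where its text says, does the address use https, and is the sender’s domain a lookalike of one you trust — can be run mechanically before anyone clicks. The script below is an added example, not code from this page or from CERT NZ; the trusted domain list, the confusable-character table and the sample email are constructed for illustration, and a real deployment would use the business’s own list of bank and supplier domains.

```python
"""Triage links and sender addresses in a suspicious email (added example).

Flags: links that are not https, link text that shows one site while the href
points to another, punycode hosts, and sender/link domains that imitate a
trusted domain. The trusted list and sample email below are constructed.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of domains this business actually deals with (assumption).
TRUSTED_DOMAINS = ("examplebank.co.nz", "ird.govt.nz")

# Digits that scammers commonly substitute for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_RE = re.compile(r"https?://\S+")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalise(host: str) -> str:
    """Fold accents, digit/letter confusables and punctuation so that
    'examp1e-bank.co.nz' compares equal to 'examplebank.co.nz'."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES).replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None.
    Three tells: same name after folding confusables, a one- or two-character
    typo, or the trusted name embedded in a longer host (bank.co.nz.evil.example)."""
    if is_trusted(host):
        return None
    folded = normalise(host)
    for d in TRUSTED_DOMAINS:
        if folded == normalise(d) or edit_distance(host, d) <= 2 or d in host:
            return d
    return None


def check_link(href: str, text: str) -> list:
    """Warnings for one link: scheme, punycode, text/href mismatch, lookalike host."""
    warnings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        warnings.append(f"link is not https: {href}")
    if "xn--" in host:  # punycode label: non-ASCII characters that may mimic Latin ones
        warnings.append(f"link host uses punycode (possible homoglyph domain): {host}")
    shown = URL_RE.search(text)
    if shown:
        shown_host = (urlparse(shown.group()).hostname or "").lower()
        if shown_host and shown_host != host:
            warnings.append(f"link text shows {shown_host} but points to {host}")
    mimicked = lookalike_of(host)
    if mimicked:
        warnings.append(f"link host {host} looks like trusted {mimicked} but is not")
    elif not is_trusted(host):
        warnings.append(f"link host {host} is not on the trusted list")
    return warnings


def check_sender(address: str) -> list:
    """Warnings for the From: address, e.g. 'Name <user@domain>'."""
    domain = address.rsplit("@", 1)[-1].strip(">").lower()
    mimicked = lookalike_of(domain)
    if mimicked:
        return [f"sender domain {domain} looks like trusted {mimicked} but is not"]
    if not is_trusted(domain):
        return [f"sender domain {domain} is not on the trusted list"]
    return []


def triage_email(sender: str, html: str) -> list:
    """Collect all findings for a sender and the anchors in an HTML body."""
    findings = check_sender(sender)
    for href, text in ANCHOR_RE.findall(html):
        findings.extend(check_link(href, re.sub(r"<[^>]+>", "", text)))
    return findings


# Constructed sample: a lookalike sender, a disguised link and one genuine link.
SAMPLE_SENDER = "Example Bank Security <alerts@examp1ebank.co.nz>"
SAMPLE_HTML = (
    "<p>Your account is locked. Log in within 24 hours:</p>"
    '<a href="http://examplebank.co.nz.login-verify.example/account">'
    "https://www.examplebank.co.nz/login</a>"
    '<p>Questions? See <a href="https://www.ird.govt.nz/">ird.govt.nz</a></p>'
)

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_SENDER, SAMPLE_HTML):
        print("WARNING:", finding)
```

Run against the constructed sample, the script reports four findings (the lookalike sender, and three for the disguised link: not https, text/href mismatch, trusted name embedded in an untrusted host) and nothing for the genuine `www.ird.govt.nz` link. The checks are deliberately noisy: an unfamiliar but legitimate domain is reported as “not on the trusted list” so a person can look it up, which matches the advice to verify rather than to trust what the email shows.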

Fake IT support

What is it?

Someone calls you out of the blue, saying your computer has a virus or you need to upgrade software. They tell you to download software that will help or ask for your login details to fix it. But there’s no virus or service. The software hacks your computer or the hacker logs in to your systems to steal information.

How to avoid it:

  • Do not click on links or type in any web address you’re asked to enter. 
  • Do not give login details to anyone who contacts you out of the blue.

If it happens to you:

  • Hang up the phone.
  • Immediately unplug your computer from the internet if you've downloaded the software.
  • Run your antivirus software.
  • Use another computer to change all your passwords.
  • Alert your bank — they might be able to get your money back.

Don't use the same password or passphrase for any of your systems or staff.

Cyber criminals will get access to ALL your information in one hit. And don’t use P-A-S-S-W-O-R-D or other easily guessed passwords.

Ongoing payments for fake products or services

What is it?

This involves sending fake invoices to trick businesses into joining something, eg online directories or renewing intellectual property registrations. If you pay the first invoice, you’ll be invoiced for the fake listing until you spot the error.

If it happens to you:

  • Tell the company invoicing you — by email or in writing — you didn’t authorise what you’re being invoiced for and won’t pay. 
  • Talk to a lawyer if they threaten legal action. 

Call your bank straight away if you’ve sent credit card details or paid money to a suspicious trader.

Asking for payment in advance

What is it?

Scammers may contact you with an attractive opportunity in exchange for an upfront fee — but the scammer never delivers their promise. A common example is promising grant information that either doesn’t exist or can be easily found on government websites.

How to avoid it:

  • Before you pay money to a business or person who has contacted you out of the blue, do some research on the product/service they are offering.

Fake surveys

What is it?

Scammers may call to ask you for information about your business for a survey or directory. The information they ask for may seem harmless, but they could be collecting details to appear legitimate when they make contact with you later on.

How to stop it:

  • Make sure staff who answer telephone calls are familiar with what information they can give out — and how to recognise this type of phone call as a potential scam.

Internal fraud

What is it?

Staff fraud is rare, but there are warning signs to watch for, including situations when an employee:

  • controls a financial process from start to finish — without being checked by people qualified to do so
  • has large debts and/or appears to be living beyond their means
  • has financial responsibilities and is reluctant to take annual leave.

If you're suspicious, check it out

If you aren’t sure if the person who has contacted you is genuine, a little investigation can put your mind at rest.

Depending on how they made contact, there are a number of ways you can check their legitimacy:

  • Never assume a company is based in New Zealand because its website address ends “.nz”.
  • Check payment pages are secure. Look for the padlock symbol used on websites, and make sure the URL begins with “https” — the “s” stands for secure. Only make payments if it’s a transaction you initiated. Remember, a padlock symbol doesn’t necessarily mean the website is legitimate.
  • Do an online search for the company’s name and the word “scam”. You may find stories from people caught out by a similar scam.
  • Always check contact details, especially if it’s only a mobile number or an email. Do an online search on the company name to check if the contact details given match those on its website. This is because scammers sometimes pretend to be from legitimate companies or organisations. 
  • If you call and can’t get through, or it goes to an overseas call centre, it may be a scam.

Search for a company (external link) — Companies Office