The following media release has been received from the FMA.
The Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko – is urging New Zealanders to remain vigilant and protect themselves from investment scams this holiday season. This comes during a period of escalating scam reports to the FMA.
Recently, the FMA has published five warnings about scammers pretending to be from financial institutions here and abroad that send false product disclosure statements (PDS) for term deposits and bonds. The quality of these documents is becoming increasingly sophisticated and offer interest rates that look realistic but are marginally higher than legitimate offers and have induced people to hand over money.
The FMA has issued 12 warnings about PDS scams in 2023, and they are now impersonating legitimate New Zealand companies, including local banks. By comparison, the FMA posted five warnings about this type of false PDS scam in 2022, most of these involved impersonating international or overseas companies.
The FMA believes people are being led to this scam by fraudulent investment comparison websites, an activity featured in previous FMA warnings. People searching online for information on available interest rates provide their personal information, such as their name, phone number and email address. Criminals use that information to contact the person by phone, claiming to work for a New Zealand bank or overseas financial institution, and then emails the person with links to impostor websites that feature the false PDSs.
The proliferation of recovery scams was another trend the FMA saw in 2023, with 36 reported in total. This type of scam involves criminals contacting scam victims claiming they could recover their lost funds. However, these scams were a ploy to access people’s bank accounts to steal more of their money.
2023 scam trends
The FMA has posted 82 warnings about suspected investment scams and imposter websites in 2023 and 22 warnings about unregistered businesses. That compares to 64 scam warnings and 14 unregistered business warnings in 2022. The financial harm caused by PDS warnings alone, both actual and near misses, totalled $3.35m in 2023 for those that provided this detail when reporting to the FMA.
The FMA also received 77 complaints relating to the falsifying of documents – 71 of those were scammers pretending to have a FMA licence. Most of the complaints originated throughout Europe.
In October the FMA updated and improved its “Report a Scam” function on its website which resulted in a marked increase in complaints from the public. Of the 331 scams reported to the FMA in 2023, 184 have come since this update. This compares to 211 scams reported to the FMA in the whole of 2022.
FMA Senior Responsible Officer for Scam Prevention and Co-ordination, Peter Taylor said: “While many New Zealanders will be enjoying a well-deserved break this holiday season, scammers won’t be. Whether it's an investment scam, phishing, impersonation or dating scam, we encourage all New Zealanders to remain extra vigilant this summer holiday.
“We also remind New Zealanders that there are plenty of well-regulated investment products available from legitimate financial providers, where their money is subject to the protections of the Financial Markets Conduct Act and the FMA’s supervision of these products and providers,” said Mr Taylor.
How to spot a fake investment offer from a legitimate one
Red flags to watch for and ways to avoid being scammed include:
- Check the site you’re using is genuine. Make sure the company is based here, has a New Zealand phone number and the website URL matches the company.
- Check the bank’s website and/or phone app. Banks post warnings about scams claiming to be them on these platforms to warn customers. If you suspect you are being scammed, report it to the bank.
- Check very carefully before sending any money or personal information to an investment opportunity, even if you think you’re investing with a legitimate or well-known financial institution.
- Do not put personal information into so-called ‘investment comparison’ websites. These are fronts for criminals, who use the information to contact new targets looking for genuine investments. Legitimate comparison sites provide the information on the web page without requiring any personal information.
- Do not respond to links, emails or contact details supplied by callers. Check for yourself with the bank or contact the institution through obtaining a creditable source for the contact information.
- Banks and fund managers are licensed and regulated and will not call you out of the blue, offering a new opportunity that demands you immediately send them money.
- Pay attention, listen to your bank when it raises questions or concerns about your payment requests or money transfers – they will have seen other customers lose money responding to a similar opportunity.
- Talk with a trusted adviser, friend, or family member – often all it takes is a fresh set of eyes to raise red flags you may not have considered.
ENDS
1 Comments
Step one should always be: TRUST NO ONE
"Make sure the company is based here, has a New Zealand phone number and the website URL matches the company" is no guarantee. In fact these sites are often preferable as many people will have an implicit trust in NZ sites and companies, many of which have no actual business here. It is easy to setup a NZ company with an address and contact details even though you don't reside in NZ or do any business here. Many fraudulent companies have just picked random addresses or used accountants addresses and details (offered as a service) to give people a false sense of security.
Firstly check the business registry with any details provided if they appear they have gone to the trouble of registering but that is still no security. Second check the details listed with the registry and if they are used elsewhere and for other businesses. Third check and view the premises, and cold call the contact numbers with the registry, do they seem legit.
However all those steps are still no guarantee. Scammers and fraudulent companies are far more sophisticated than the article suggested. The idea they will not go to the trouble of buying a .co.nz domain (handed out like candy) and picked a NZ address is sadly a misconception. Many people can also buy anonymizing services for the WHOIS data and they have gone so far as to do similar for business registration.
Sadly the stories and reports of other victims sometimes obtainable by trawling the internet can be the only defensive check and even then it can be hard to find the root with more people drawn into the scam business that can change it's name and contact details as easily as you change clothes.
After trusting no one the second step is to trust no one with your core contact details. Get at least 2 phones (one for family & friends, one for companies etc), have multiple email addresses (one for each service/ website etc) because there should be one master number/ email that is never given out to businesses. Even banks, insurance, legal companies cannot be trusted and if they have your contact details then anyone who can hack their system does as well (legal companies leak like a sieve, banks and insurance have promotional partners that leak like a sieve etc). Family can sometimes not be trusted either with email addresses as customers of Spark had multiple hacks on their accounts which fed user data and contact lists so not only the customer but also the family of the customer were made more at risk.
Third never trust any organization that calls you first. Even if you get a call from the IRD never trust it and get the name of the person you are speaking to, let them know you are going to call back via the main line then hang up call the main line and ask for them by name. ... but then a call from the IRD is enough to make anyone suspicious, especially if they offer help. I was most surprised to find out it was a valid call from the IRD for business accounts and they do cold calls. It really threw me as Even Orgs That Say They Never Contact You May Contact You On Occasion for No Major Reason. Banks do this often as their partners and other services they offer can use your number. Banks have long been spreading into the insurance, investment, kiwisaver branches. Increasing sales is a major part of those businesses.
There are limits of course. DHBs have long prevented caller id and it is hard to give your name and contact details to medical orgs when they are prone to losing them, leaking them and you have to get cold calls from them and related businesses in regards to referrals and test results. While you may setup a call filter to block all incoming cold calls from unknown numbers it can also filter out your medical related calls so it is tricky to setup adequate filters and target them appropriately.
A good start is blocking all unknown cell phone numbers, and blocking all calls from overseas not in your contacts list (this done at a minimum and there are many call blocking apps that can set this up). You may need to go further like blocking any NZ business and residential numbers not in your contacts list as scammers can easily get these and even easier they can spoof them. For years after selling property and having the real estate agency leak my secondary contact details to a third party I received calls from NZ business and residential numbers from scam companies. I would have some fun with them but now I just block them all. But then the issue becomes attempting to reach out to organizations you have to get cold calls from proactively instead of waiting for them to call you. If you are waiting for something from a business, org etc setup followup call dates to remind yourself to check in with them,
Anyone in security will tell you it is easy to setup a scam site or business with valid contact details. Never trust anyone and the less advanced the technology generally the easier it is to secure. As the more connected nature with less barriers to sharing contact details, private data and money actually makes us less secure. A good example of this was paywave. People sacrificed security for a minor convenience, likewise airdrops, hotspots, mobile payment systems etc. Security is a cat and a hawk who will sell you out to the cat game.
"Check the bank’s website and/or phone app" FFS I just demoed to a support worker how easy it was to clone a bank website and setup with a valid looking url with UTF8 characters. She had no idea that the url characters and the styles can be copied or mocked up. The sense that scammers will not use digital characters that look exactly similar to the original ones is a super false sense of security I can drive a 747 through. Any child or teenager can do that part; to make a valid looking url link and site. Wake the F up. Manually type your bank url and never follow links or even trust pre provided ones. Nowadays mobiles have started cutting off all url information past the domain name so people are even more vulnerable and less aware of the exact site or page they are looking at (this setting you can and should deactivate with any means as it is a security and usability failure to not know or have the full url information). Sadly the same can be done for apps and has been done with apps that can scrape the data from other apps. There is very little that can be trusted the more convenient the technology. Don't use the banking apps as they are less secure than the websites and many have even dropped 2 factor security, some only use a pin number on the app and the screen information can be read by other apps or even people who can look at your phone and the finger marks.
"Talk with a trusted adviser, friend, or family member – often all it takes is a fresh set of eyes to raise red flags you may not have considered" Even in a tech family this is of no use to anyone. Find a security tech and ask them how easy it would be to scam using a similar system or if there could be risks and bugs with a trusted system. Join the New Zealand Information Security Forum NZISF as they have excellent meetups to discuss existing security concerns across a range of NZ industries (and pre covid they had excellent breakfast sessions... really good info, nice big kiwi breakfasts). Any industry that handles NZ private information and financial data should already have a team member going to these and reporting back to your company as a whole with advisories. Not doing so would be a really lax attitude to take. Wilful ignorance is almost indistinguishable from corporate malice in the eyes of customers.
I did accessibility and security reviews of NZ exchanges (like Dasset) and banks trading investment sites and found serious flaws. Even ANZ had severe issues with its trading and investment sites. One issue they had was withholding the government contribution on people's kiwisaver accounts, even though they should have been getting the full amount when they switched to ANZ, but the display of account information obfuscated transactions to hide these details. After informing ANZ of it they only fixed months later but still were obfuscating the transaction information to customers so many customers are confused, especially as the information is presented in inaccessible forms. This is a common issue across many investment websites. Some of the issues may be unintentional bugs, they may only lose what may be considered an insignificant amount to some people but add all those people up and there is a big issue. Some things however are active and present scams and easily can make themselves look valid. In fact the scam sites often have better accessibility and better UI than valid ones as the scammers are driven about improving the ease of transactions and user access & trust in their websites. It is really that bad in the industry that the less functional a system the more likely it is valid (also the more likely it can have bugs in the backend).
.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.