Online scams and fraud

Your online security is important to us. Work online scams and malicious cyber activity via email, text or through social media have been increasing globally. Obtaining your personal information and financial details is a common practice of online scams and we encourage you to stay vigilant. We are proactively monitoring the risk of customers being taken in by scams or other unauthorised or fraudulent schemes. Please see below some helpful information and tips to help protect yourself and your family.

WHAT IS IDENTITY THEFT AND HOW CAN YOU AVOID IT?

Identity theft is the illegal access and deliberate misuse of someone’s identity, most commonly to gain unauthorised access to that person’s financial accounts.

To reduce the risk of identity theft you should:

• Update your details through your online account or call your provider.
• Secure your home’s letterbox, as criminals can use the personal details in your mail to gain access to your financial accounts.
• De-identify or shred documents that contain personal information before discarding them.
• Be wary of cold callers that are seeking information about your personal, banking or other financial information, especially your online access details.
• Protect your passwords, do not share them with others and avoid using the same password for multiple websites.
• Take care with the personal information you share on social media.
• Notify Mercer immediately of any change to your name, address or other contact details.

If you think you may be a victim of identity fraud, please call us immediately on 0508 637 237 from 9am-7pm Mon-Fri.

PHISHING

Phishing is the most common method used for stealing a person’s identity. Phishing scammers may approach you by telephone, email or text message, pretending to be from well-known and reputable organisations such as banks, government departments, or companies you commonly deal with.

These scams are designed to trick you into handing over usernames/passwords, financial account information or credit card details.

A phishing email may contain a link to a hoax website that looks similar to the real organisation’s website.  It may also contain attachments or links infected with viruses or malware which once opened, allow the scammers to monitor your computer’s activities and capture your login information.

Phone scammers may ask you to reveal your login details due to an urgent issue that has occurred on your financial account.

Mercer will never ask you to disclose your access details.

HOW TO SPOT A PHISHING SCAM

• Spelling, terminology, punctuation and grammar
  Letters and e-mails featuring spelling mistakes, unusual terminology or poorly constructed sentences can be an indicator of a phishing scam.
• Sender’s email address
  The email address may be subtly different to that of the company the sender is claiming to represent, for example ‘mercerfianancialservice.co.nz’ instead of ‘mercerfinancialservices.co.nz’.
• Generic greetings and sign offs
  Phishing emails are sent to large lists of recipients, often containing thousands of email addresses, and will feature generic greetings, like “Dear Mercer customer”, instead of addressing you personally.
• Dubious links and fake websites
  Hovering over a link with your mouse will reveal the web address it is directed to.  This will enable you to decide if the email or website is legitimate.
• Creating urgency
  Phishing emails will often express urgency to encourage you to click on a link or download an attachment in order to avoid a problem (such as impending account closure, or a stalled transaction requiring confirmation). Always evaluate an email carefully before taking any action.
• Malicious attachment
  Attachments are given names that appear legitimate such as 'PDF’, ‘Office document’, or other types of everyday files. But once clicked, the attachment will run a program or script which will infect your computer with scammer software.
• Phishing by SMS
  Scammers are increasingly turning to SMS as a method of phishing for customer information, which is known as ‘smishing’. Always stop and carefully review an unsolicited text message before clicking any links in an SMS.
• Social media
  Criminals use social media to gather personal information. Be careful when sharing your personal details with someone you’ve met online. Never provide your financial details to anyone via social media.

SMISHING

Smishing is a cyber-attack that targets individuals through SMS (Short Message Service) or text messages. It is a combination of the words "SMS" and "phishing." In a smishing attack, cybercriminals send deceptive text messages to lure victims into sharing personal or financial information, clicking on malicious links or downloading malware.

The goal is to trick recipients into providing sensitive information or taking actions that can compromise their security. Smishing attacks can be carried out over mobile text messaging platforms and can be assisted by malware or fraud websites. It is important to be cautious and vigilant when receiving text messages from unknown sources to avoid falling victim to smishing attacks.

HOW TO SPOT A SMISHING SCAM

• Suspicious sender
  Be cautious of text messages from unknown or unexpected senders. Scammers often impersonate well-known companies or organisations to gain your trust.
• Urgency or threats
  Smishing messages often create a sense of urgency or use threats to manipulate you into taking immediate action. They may claim that your account is compromised or that you will face consequences if you don't respond.
• Requests for personal information
  Be wary of any text message that asks you to provide personal or sensitive information, such as passwords, social security numbers, or banking details. Legitimate organisations typically do not request such information via text message.
• Poor grammar or spelling
  Many smishing messages contain grammatical errors, misspellings, or awkward phrasing. This can be a red flag indicating that the message is not from a legitimate source.
• Suspicious links
  Avoid clicking on links in text messages, especially if they are unexpected or seem suspicious. These links may lead to phishing websites or download malware onto your device
• Unusual requests
  Watch out for unusual requests in text messages, such as asking you to confirm a purchase you didn't make or requesting payment for a service you didn't request. These are common tactics used by smishing scammers.
• Verify with the sender
  If you receive a text message that seems suspicious, contact the supposed sender directly using a verified phone number or email address to confirm the legitimacy of the message.

VISHING

Vishing, short for "voice phishing," is a type of scam that involves fraudulent phone calls. In a vishing attack, scammers impersonate legitimate organisations, such as banks, government agencies, or tech support, and attempt to deceive individuals into revealing sensitive information or performing certain actions.

During a vishing call, the scammer may use various tactics to gain the victim's trust and manipulate them into providing personal information, such as credit card numbers, social security numbers, or login credentials. They may claim there is a problem with the victim's account or offer a too-good-to-be-true opportunity to entice them into sharing sensitive data.

Vishing attacks often employ techniques like caller ID spoofing, where the scammer manipulates the caller ID to display a legitimate organisation's phone number. This makes it appear as if the call is coming from a trusted source, increasing the likelihood of the victim falling for the scam.

To protect yourself from vishing scams, it's important to be cautious when receiving unsolicited phone calls, especially if they request personal information or financial details. Remember that legitimate organisations typically do not ask for sensitive information over the phone. If you receive a suspicious call, it's best to hang up and independently verify the caller's identity by contacting the organisation directly using their official contact information.

HOW TO SPOT A VISHING SCAM

• Be sceptical of unsolicited calls
  If you receive a call from someone you don't know or weren't expecting, especially if they claim to be from a financial institution or government agency, be cautious. Legitimate organisations typically don't initiate contact in this manner.
• Caller ID spoofing
  Scammers may manipulate the caller ID to make it appear as if the call is coming from a trusted source. However, don't solely rely on caller ID as an indicator of legitimacy.
  
• Urgency and threats
  Vishing scammers often create a sense of urgency or use threats to pressure you into taking immediate action. They may claim your account is compromised or that you'll face legal consequences if you don't provide information or make a payment. Legitimate organisations usually don't use such tactics.
• Requests for personal information
  Be wary of callers who ask for personal information like social security numbers, credit card details or passwords. Legitimate organisations typically don't ask for sensitive information over the phone.
• Verify the caller's identity
  If you receive a suspicious call, hang up and independently verify the caller's identity. Use official contact information from the organisation's website or other trusted sources to reach out and confirm the legitimacy of the call.
  
• Trust your instincts
  If something feels off or too good to be true, trust your gut. It's better to be cautious and sceptical than to fall victim to a scam.
  

Received a fishy email, letter or text?
If you’ve received an email, letter or text message from Mercer and are concerned about its authenticity, please call 0508 637 237.

More information

You can find more information about identity fraud and phishing scams at the following websites:

The Department of Internal Affairs website 

New Zealand Police website