22 April 2020
Rotorua Lakes Council is urging the public to be extra vigilant when checking emails following reports of convincing ‘phishing’ emails being sent to Council customers and suppliers.
Council has become the victim of a phishing attack targeting staff and compromising a number of email accounts, giving a third party access to information that was then used to further target Council staff, customers and suppliers.
A ‘phishing’ scam is an email from a third party which pretends to be a legitimate organisation in order to gain personal information from a large audience. The scam operators use this information to impersonate or defraud people.
Council won’t know the extent of the external spread of the phishing emails but is working to determine the internal exposure and block all instances of phishing within the organisation. Council is aware that some external contacts have received phishing emails that claim to be from the organisation’s accounts department. From reports, these emails target Council’s customers and suppliers, are very convincing and ask the recipient to click on an unspecified link.
Council Chief Executive Geoff Williams says that Council is dealing with the attack internally and taking every measure available to ensure it doesn’t happen again.
“We extend our apologies to anyone this may have affected. This is certainly the last thing we want or need at a time like this.
“Our Information Solutions team is dealing with the outcome of these phishing emails internally, increasing security awareness training and improving external protection mechanisms and our staff are actively contacting their networks to warn against these scam emails.
“This type of attack is an increasing issue for organisations, especially given the virtual environment we find ourselves working in at the moment. We want to assure the community and our suppliers that the council has robust security measures in place and this was a case of human error rather than a reflection of the level of security within our systems.
“These emails are especially sophisticated which led to a staff member inadvertently clicking on a suspicious link. It is important to the organisation that our community is aware of what’s going on so they can guard against any emails that may end up in their inbox and potentially stop the spread to others in our community.”
With dog registrations and rates information being sent out to the community in the coming weeks, Council wants to remind everyone to be extra vigilant when checking their inboxes. People should treat all links as suspicious unless they are able to verify them, particularly if receiving emails from Council email addresses.
A key way to be sure about an email you receive is to check the sender’s email address and the subject line. In the reported cases, the sender’s email addresses have not looked like normal Council addresses.
Some other things to look out for are poor grammar and punctuation, a sender who says the action they need is urgent, requests for a financial transaction, and links that do not say where they lead. You can hover your mouse over a link, or copy and paste it into a text editor, to inspect the actual link destination, but do not click on it.
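As an added illustration of the checks described above (this is example code written for this page, not a tool from Council or from this notice), the script below parses a constructed sample email and flags the same warning signs: a sender domain that does not match the organisation's own, urgency and payment language, and links whose visible text hides or misrepresents their real destination. The expected domain `council.example`, the sample sender and the link targets are placeholders chosen for the example, not real addresses.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the organisation's real sending domain (an assumption for this example).
EXPECTED_DOMAIN = "council.example"

# Phrases that typically signal pressure to act quickly or to make a payment.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "overdue", "final notice")
MONEY_WORDS = ("invoice", "payment", "bank account", "transfer", "remittance")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def sender_domain(msg):
    """Return the lower-cased domain from the address part of the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_expected_sender(domain, expected=EXPECTED_DOMAIN):
    """True when the domain is the expected one or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_in_text(text):
    """If the link's visible text looks like a URL or hostname, return that host, else None."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def triage(raw_message, expected=EXPECTED_DOMAIN):
    """Apply the advisory's checks to one raw RFC 5322 message; return a list of findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    domain = sender_domain(msg)
    if not is_expected_sender(domain, expected):
        findings.append(f"sender domain '{domain}' is not {expected}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    lowered = (msg.get("Subject", "") + "\n" + body).lower()

    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    hits = [w for w in MONEY_WORDS if w in lowered]
    if hits:
        findings.append("financial request language: " + ", ".join(hits))

    # Compare what the link text shows with where the href actually points.
    for text, href in extract_links(body):
        target = urlparse(href).hostname or href
        shown = host_in_text(text)
        if shown is None:
            findings.append(f"link text '{text}' does not show its destination; actual target is {target}")
        elif shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


# Constructed sample message for demonstration only; the sender domain and link targets
# are documentation placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
From: "Council Accounts" <accounts@council-billing.example>
To: supplier@supplier.example
Subject: URGENT: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice payment is overdue. Please review it immediately
<a href="http://invoice-portal.example/login">here</a> or your account will be suspended.</p>
<p>Portal: <a href="http://198.51.100.7/login">https://council.example/portal</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

The script only reads headers and body text; it never fetches a link, which matches the advice to inspect a destination without clicking it. Matching on the From: domain is a first-pass check only, since that header can be forged; a mailbox that also records the envelope sender and authentication results (SPF, DKIM, DMARC) gives stronger evidence.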
If you are unsure about an email that you have received, please forward the email to email@example.com. This will enable Council staff to verify the email and also gather intel about the type of emails the scam operators are using and create better awareness within the organisation.
What is a phishing scam?
Phishing is when someone tries to get personal information (like bank account numbers and passwords), from a large audience, so they can use it to impersonate or defraud people. These emails can look very real, and some will even use the branding and logos of a legitimate organisation to make the email seem genuine.
How does phishing work?
Phishing attempts often look or sound genuine because the scammer is impersonating a trusted organisation or person. They could be pretending to be from your phone or internet company, a law firm, your bank or even the government. The scammer asks you to update your details, provide details, complete a survey, make a payment or another request that gives them access to your personal information.
Are phishing emails obvious?
The short answer is no. Some phishing attempts look obvious, while others don’t. Phishing scams are becoming more difficult to spot as scammers become more sophisticated.
How can I protect myself?
- Be cautious about emails asking you to update or verify your details online
- Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
- Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
- Ignore any emails asking you to provide personal information like passwords, or banking information
- Remember legitimate organisations like banks will never ask you to send them your password
- Only open email attachments when you’re expecting them, even if you know who the sender is
- If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email
For more information about phishing scams and what to do if you have received a phishing email visit www.netsafe.org.nz