Responding to fraud and scams
We take fraud seriously at One New Zealand and we're committed to protecting our customers from the risk of fraud wherever possible.
Most online fraud happens when someone gathers enough information to pretend they are you. They might steal your mobile device and get information off it. They could contact you with an offer that sounds too good to be true, or ask you to urgently provide details to avoid a major problem, such as your account being locked. Some other fraudsters may send you an email that includes a link to a website or login page that looks exactly like the real thing, but lets them collect the information you enter for criminal purposes.
Here is more information if you think you have received a scam phone call or text message (SMS).
If you believe you have been the victim of a scam or fraud which could compromise or give someone else unauthorised use of your personal information, we recommend you take the following immediate steps:
- Contact your bank and alert them that your credentials may have been compromised – they will likely suspend your credit card, disable internet banking for a period of time, add or change authentication protocols for access to your account
- Change the passwords and PIN numbers on key services you use that contain sensitive personal information – such as your email account, IRD account, superannuation fund
- Contact the police and make a formal complaint about the matter
- Contact One NZ to tell us what happened and change your PIN
Tips for keeping your identity safe
These tips will help you avoid being a target for fraudsters. If you have a mobile device where you use or store your credit card or personal details online:
DON’T ✘ | DO ✔ |
Share passwords or PINs Give out any information about yourself – even if the person calling says they are from your bank or other business that you use. (One NZ will never ask you for your personal passwords, banking pin numbers or any personal information. We would only ask security ID questions that’s in our records to identify you) Publish your date of birth and address on your Facebook page or online directory, if you can do without it Post images of your identity documents (e.g. drivers licence) online Click on links or unexpected attachments you don’t recognise Allow anyone to have remote access into your computer or handset Respond to unsolicited communications, even if the person communicating with you knows a little bit about you | Be vigilant for scammers who might trick you or create a sense of urgency to make you act without thinking Set complex passwords that are hard to guess Change passwords regularly Use secure Wi-Fi connections Report lost or stolen phones straight away Set up a PIN for your voicemail Be cautious with sharing personal information online and on social networking sites, like Facebook. Ensure that you have adequate privacy settings for your Facebook profile or chat rooms |
Received a TXT asking you to confirm that you want to move your mobile number to another provider? This is often called ‘porting fraud’. If you have not requested your mobile be moved to another provider, then contact your bank immediately and alert them that your credentials have been compromised. After securing your bank account, contact your mobile service provider to get the move to another provider cancelled.
Buying online? Make sure the site address starts with HTTPS. This means the website is secure and your personal details and credit card details will be kept secure.
Lost or stolen device? Change all your passwords of the apps that have auto logins, for example email, social media and banking. This will prevent the person who picks up your device from accessing these apps and potentially hacking into your personal details.
Selling your phone? Do a factory reset to remove all your personal data first - find out how in our interactive user guides.
More information about some common fraud scenarios:
Avoiding scams and hoaxes:
Please remember to never give out personal information if you’re unsure who the caller is - this means do not share your bank account, credit card details, or passwords if you think you may have received a scam call.
When you report a phone or email scam to One NZ, we’ll investigate this and try to block the number or sender if possible.
Phone scams are an industry-wide issue, which all Telcos are trying to combat with the help of our industry association, the Telecommunications Carriers Forum (TCF). For more information, they have a lot of useful information on their website.
What to do if you think you’ve received a scam call
If you get an unexpected phone call that seems strange or suspicious, the best action to take is to:
- Hang up. Put down the phone - and do not share any personal information with the caller.
- Call the company. If a caller tells you they are from a particular company, ring the company (find their number online, don’t call back the number they called you from) and alert that company to the call you have just received. They will let you know if it was a legitimate call.
- Report it to us. Please report a scam or suspected scam to One NZ (if we are your telecommunications provider) so we can investigate the matter and block the number if necessary. The more information you can provide the better, which ideally includes the time, date and phone number that called you.
- Report it to Netsafe. All scams should also be reported to Netsafe, regardless if it was an internet, phone or other type of scam. Even if you were not tricked by the scam, reporting it can protect others. You can report a scam to Netsafe here.
My number has been fraudulently transferred from One NZ to another provider, or to another SIM:
Unauthorised Porting - If your phone has unexpectedly stopped working and is showing “NO SERVICE”, it’s possible that your number has been fraudulently ported to another carrier without your authorisation.
Unauthorised SIM Swap – SIM swapping occurs when a fraudster contacts your telco provider and is able to convince the employee that they are you, using your personal information. The fraudster is then able to port your number from your SIM card to their SIM card. They then receive all calls and TXT messages intended for you.
When you think about all of the information we have linked to our phone numbers (like our bank accounts, email and social media accounts) you can see how easy it would be for a fraudster to take over your identity.
Please immediately report either of these scenarios to:
- Customer Care on 0800 800 021 from any phone or by using our online chat at one.nz/chat
- Your Bank – to prevent unauthorised access to your accounts
- New Zealand Police, once the fraud is confirmed
I’ve received a bill for an account that I didn’t sign up for or I have default on my credit file for unpaid bills I know nothing about:
This kind of fraud happens when someone has used your ID or personal information without your permission to sign up a service with One NZ.
Some ways your identity can be stolen:
- You lose your wallet or it is stolen
- Your car or house gets broken into
- Your mail is stolen and that mail contains personal information
- Your computer has been compromised by malware or you have provided personal information to a website you’ve visited in a phishing attack
- Someone you know and who has access to your ID has used it for fraudulent purposes
If you suspect you’ve been a victim of a scam or fraud involving your One NZ account, please complete an online report by following the below link.
Identity Theft Report
There are transactions from One NZ on my bank/credit card statement that I don’t recognise
If you see transactions from One NZ appear on your bank or credit card statement and you don’t recognise these transactions, contact your bank immediately. Ask them to raise a dispute with One NZ and refund the charges back to you. The bank will then contact One NZ on your behalf.
Example of frauds and scams
Text Scams (TXT or SMS)
We’ll never do a ‘pass it on’ TXT campaign. If we want to let you know about a great offer, we’ll send you a TXT or PXT direct.
How to spot a hoax TXT
It's usually easy to spot a hoax as they fail the ‘Yeah, right’ test. They're usually about a deal that's too good to be true, or an early warning that every mobile in the world is about to blow up or be shut down by a virus, or that you've been randomly selected to win millions of dollars. Yeah, right.
They often try to sound important by using impressive-looking statistics and technical terms, or claiming the story has appeared on a reputable website.
Smishing
Sometimes referred to as smishing (phishing via SMS or TXT), this is a hoax where the fraudster sends TXT messages pretending to be from reputable companies or Government agencies to get you to share personal information. The messages often contain a link to a website. Indicators of a smishing scam:
- Usually begins with a TXT message that looks like it's from a genuine business - like a bank or phone company
- Poor spelling and grammar
- Usually an urgent call to action
- A link to click on, which takes you to a fake website
- Web address may not be in the proper format for the business website
- You’ll be asked for personal details that no credible business or organisation would ever ask for (remember, the company already has your details, they don’t need to ask for it again)
DON’T ✘ | DO ✔ |
Phone that number - you could be charged a lot of money | Take a screen shot |
Click on the web link – it could infect your device with a virus | Delete the message |
Enter and submit your details into a webform from a link like this. It will lead to your identity being ‘stolen’, which could result in money being taken from your bank accounts | Report this scam |
If you receive a phishing TXT, do not reply, do not click on the link and definitely do not provide any of your personal details. A reputable business will never ask you for your PIN or password by TXT.
Where to find out more
View some examples of hoax TXTs that other customers have seen.
Report a scam SMS/TXT to us
Please report any suspected scam or phishing SMS’s to us by using the form below so we can investigate the matter and block the number if necessary.
Report a scam SMS/TXT
Phone Scams
Report a scam to us
Please report any instances of suspected scam calls to One NZ via the link below (if we are your telecommunications provider) so we can investigate the matter and block the number if necessary. The more information you can provide the better, which ideally includes the time, date and phone number that called you.
Report a Scam Call
- Wangiri (“one ring”) scam
Wangiri calls are missed calls from international numbers you don’t recognise on either a mobile or a landline. Fraudsters making the calls hope you call back, ensuring the call is charged at premium rates, from which the fraudsters profit.
You are not specifically targeted with these types of calls. Fraudsters generate numerous calls to a range of mobile numbers and yours will just happen to be included.
DON’T ✘ | DO ✔ |
Return calls to international numbers that you don’t recognise | Report it to us (if we are your telecommunications provider) |
- Telco provider scam: One NZ calling
If you have received a phone call from someone saying they work at One NZ, and have some concerns about whether the call is genuine, do not disclose any personal information or account details, ask for the caller’s name and department and end the call. Call us on our published contact numbers to check on the status of your account and authenticity of the call.
- Technical support scam
These are typically made from a number made to resemble a New Zealand number, but are often generated from overseas. Tech support fraudsters might claim to be from a trusted provider (such as Microsoft) to sell support packages you don’t need and didn’t ask for or, more commonly, to gain access to your computer.
Once you give the fraudster access to your computer, they can steal your personal information in order to commit identity fraud, or some other illegal activity.
If you receive an unexpected phone call, be careful. Ask for their name, end the call and find a published number for the company and ring them back to check on the authenticity of the call.
- Inland Revenue scam
If you receive a call from someone claiming to be from the Inland Revenue Department (IRD), and they’re trying to collect payment over the phone, this caller may be a fraudster. Typically they will demand money and create some urgency. If in doubt, ask for their name, hang up and contact the IRD directly to check on the authenticity of the call.
Email Scams
- Email phishing
One of the most common scams you'll come across online or on your mobile is 'phishing', when a fraudster poses as a legitimate institution to lure you into providing sensitive data such as personally identifiable information.
Indicators of a phishing scam:
- A phishing scam usually begins with an email that looks like it's from a genuine business - like a bank or phone company
- Email addresses are odd. For example, the email appears to be from One NZ, but doesn’t end with @one.nz
- Spelling is often poor and you may not be addressed personally (Dear Sir/Madam instead of your name)
- It might ask for personal details - like usernames, passwords and PINs - and will often ask you to take urgent action
- There's normally a link to click on, which takes you to a fake website. The web address may contain the name of the business but it will not be in the proper format for the business website
- If you click on the link, you’ll then be asked for personal details that no credible business or organisation would ever ask for. Remember that the businesses you’ve signed up with already have your details, so they don’t need to ask for it again
- Never enter and submit your details into a form like this. It will lead to your identity being ‘stolen’, which could result in money being taken from your bank accounts
- Phishing is sometimes done via TXT message – you might be asked to click on a link or call a number. Delete the message, never phone that number (you could be charged a lot of money) and never click on the web link – it could infect your device with a virus
- Some emails come with an attachment. Do not open the attachment as it could contain a virus that could damage your computer.
What to do if you’re being phished
If you receive a phishing email or a TXT, do not reply, do not click on the link and definitely do not provide any of your personal details. A reputable business will never ask you for your PIN or password by TXT or email.
- One NZ bill scam
We’re aware of an email scam sent to unsuspecting New Zealanders, masquerading as a My One NZ bill.
We have blocked, and are continuing to block, URLs contained within this email but we urge customers as well as all online Kiwis to be vigilant and double check emails to ensure the sender is legitimate before clicking on the links.
The scam emails look like a One NZ Bill from the sender: donotreply@one.nz - and takes people who click on the “Pay My Bill” link to a non-One NZ website.
If you receive an email that looks suspicious, please check the sender's address. If you are unsure, please login to your One NZ account and check your account balance.
Where to find out more
View some examples of hoax emails that other customers have seen.
Facebook and online scams
Fraudsters reach out to prospective victims via various methods like email, social networking, text messages, phone call scams and instant messaging (e.g. Messenger services with Facebook, Windows Live and Yahoo, Skype, Google Talk, WhatsApp, WeChat).
Report a One NZ scam to us
Please report any instances of suspected scams, which claim to be from or representing One NZ, to us via the form below so we can investigate the matter and block the sender’s URL if necessary. The more information you can provide the better.
Report a suspected online scam
- Fake Facebook pages
We are aware of a current scam where fraudsters impersonate genuine NZ companies by setting up a fake Facebook pages. These often relate to the sale of electronic goods but could be other popular items.
These pages may be advertising goods at a lower than normal retail value, luring victims to pay for goods they will never receive.
Remember, if a deal seems too good to be true, it probably is. If in doubt, contact the main advertised number for the company to check on the promotion’s authenticity.
- Romance scam
Some fraudsters deceive people by pretending to have romantic intentions towards others in order to gain their affection and trust. Fraudsters target people on sites used for social introductions, like dating sites, social networking sites, classified sites, and dating apps. The fraudster typically expresses strong emotions in a short period of time. This lures the victim into the scam and creates an emotional attachment to the fraudster and the victim then feels guilty saying no to the fraudster (who is usually asking for help involving money).
We are aware of fraudsters engaging unsuspecting victims to be “money mules” for them, providing assistance with money laundering and purchasing goods online (with stolen funds) and shipping those goods overseas.
Remember, all scams should be reported to Netsafe regardless if it was an internet, phone or other type of scam. Even if you were not tricked by the scam, reporting it can protect others. Please report a scam to Netsafe here.
WhatsApp and Voicemail
Our security teams are working to block these attempts at fraudulent activity and ask customers to remain vigilant and contact us directly if they receive strange or multiple verification messages for their WhatsApp account, or are locked out of their voicemail accounts. We also suggest turning on two-step verification for WhatsApp (available through the app's Settings -> Account menu), which will allow customers to set up a PIN and recovery email address. Customers can also update their Voicemail security by calling Voicemail or dialling 707, selecting option 4 'other settings', and then the change your PIN function.
One NZ’s Top 10 Tips for staying safe online:
Cyber-attacks can impact anyone with an internet or phone connection, whether they’re an individual or a business, so we all need to take steps to protect our data and stay safe online.
1. Back-up your data
In recent years storage has increased in size and decreased in price so backing up your data, both at work and at home, is more accessible than ever. Hackers are not always out to steal your data. Sometimes the end goal is to encrypt or erase it or threaten to do so. Regular backups mean you always have a recovery option so if they encrypt your data, you don’t have to worry.
Top tip: Back-up your data both at a physical location and on the cloud for an extra layer of protection.
2. Keep your devices and apps up to date
Keeping your software and apps up to date is often overlooked, especially on home computers and mobile devices. Software and app developers publish updates on a regular basis with security patches to keep up with the latest security threats. It’s essential that you keep every device updated, including IoT devices like home assistants and wireless speakers. The next time you see a notification to update your software, don’t click ‘Remind me tomorrow’.
Top tip: Turn on automatic updates for your operating system and in your App store.
3. Practice good password management – longer is stronger!
Good password management is essential for online security. It’s fundamental to use strong passwords to prevent them being breached by cyber attacks.
- Choose passwords that are at least eight characters long, using a phrase based on at least 3 random words helps.
- Don’t reuse passwords on multiple sites, if one gets compromised, they all do.
- Your passwords should contain a combination of upper- and lower-case letters and symbols
- Reset your password when you forget it and change them regularly as a general refresh.
Top tip: To make password management easier, use a password management tool or account vault such as LastPass or Password Safe, or save passwords in your browser account (e.g. Chrome)
4. Use multi-factor authentication
Two-factor or multi-factor authentication adds something you ‘have’ to something you ‘know’ in addition to a standard password. With two-factor authentication (2FA), instead of entering your username and password, you will instead be required to complete an additional form of authentication. This could be as simple as a PIN or more complex like an authentication app on your phone. Most mobile devices today have two-factor authentication via a biometric identifier such as a fingerprint or facial recognition. In future, expect iris (eye) recognition to be an additional option on more devices.
Top tip: Using two factor authentication is like having a deadlock as well as a key on your door. Enable it.
5. Install anti-virus protection and host-based Firewall
Anti-virus (AV) protection software is the most prevalent solution to fight malicious attacks. AV software blocks malware and other malicious viruses from compromising your device and data. Use anti-virus software from trusted vendors and only run one AV tool on your device.
Using a host-based firewall is also important when defending your data against malicious attacks. A firewall helps screen out hackers, viruses, and other malicious activity that occurs over the Internet and determines what traffic can access your device.
Top tip: Both Windows and Mac OS X come with built in firewalls so take the time to invest in a trusted anti-virus software for all your devices.
6. Be careful with removable storage drives
Malware can easily be spread through infected flash drives, external hard drives and even smartphones. In the workplace, businesses should have policies to restrict access to removable media devices and scan any device for malware before plugging it into a computer. On particularly sensitive systems, consider disabling removable media altogether. At home, also ensure that your antivirus software will scan any removable media before it connects to your device.
Top tip: Ideally the removable media device should be encrypted, if not ensure any sensitive data is encrypted before being copied to the device.
7. Monitor user accounts and privileges
This applies more in the workplace than at home, however you should be aware of who has access to your device and network (including your home network) and ensure they are secure. In the workplace, employees should only be allowed access to the information they need to do their job. Limit the number of privileged user accounts and monitor user activity. Have a list of all accounts an employee has access to and remove their permissions when they leave the company.
Top tip: Conduct regular access reviews across your network and devices to ensure access is appropriate for your users roles.
8. Embrace training and awareness
Cyber security training and awareness is an essential part in keeping your information and network secure. Workplaces should hold a mandatory cyber security training session for every staff single member and include anyone with access to the network. At home, you should educate yourself around the latest scams and phishing attacks as keeping on top of the latest threats will help to keep your data and devices secure.
Top tip: The more security aware that people are, the stronger the human defence will be.
9. Patch patch patch! Security patches that is
Apply security patches as soon as they are released on all your devices. In the workplace, close critical and high vulnerabilities, and configure systems securely. Prompt patching is essential for effective cyber security. When a new patch is released, attackers will quickly identify the underlying vulnerability in the application and release malware to exploit it. If a criminal hacker can successfully attack before the target patches the vulnerability, there is a high risk of a system being compromised.
Top tip: Always apply the latest security patches promptly.
10. Don’t think it won’t happen to you
Thinking that it will never happen to you is the first step down the rocky road towards a cyber-attack so it’s important to stay vigilant and deploy as many defensive mechanisms as possible to stop potential cyber-attacks to your business or to your personal devices. Do not be the weakest link!
Top tip: Be cyber aware, as cyber criminals do not discriminate.