Online scams are bigger
than most people realise

Attackers send emails impersonating trusted brands — banks, PayPal, Apple, Amazon — with urgent messages about account suspension, unusual activity, or prize claims. The email contains a link to a convincing fake site designed to harvest your credentials or payment details.

• ✕Sender email doesn't match the company domain
• ✕Urgent language: 'your account will be closed'
• ✕Link URL is slightly different from the real site
• ✕Generic greeting ('Dear Customer') instead of your name

A New Zealand victim received what appeared to be an ASB Bank security alert. The email, design, and login page were pixel-perfect replicas. They entered their credentials and lost $14,000 before the fraud was detected.

Criminals pay for Google Ads targeting searches like 'bank login', 'PayPal sign in', or 'IRD myIR'. The ad appears above legitimate results and links to a convincing fake site. Victims trust it because it appeared in search results.

• ✕Small 'Sponsored' label above the result
• ✕URL is slightly different from the real domain
• ✕Site asks for full credentials immediately
• ✕No padlock or unusual SSL certificate

A Melbourne user searched 'CommBank login' and clicked the top result — a sponsored ad. The fake site collected their banking details and one-time password, resulting in $8,200 transferred out within minutes.

Scam storefronts are built to look like legitimate retailers, often offering heavily discounted goods. They appear in search results, social media ads, and even Google Shopping. After payment, goods either never arrive or are cheap counterfeits.

• ✕Prices significantly below market value
• ✕Domain registered recently (check with WHOIS)
• ✕No physical address or phone number
• ✕Only accepts bank transfer or crypto

A UK consumer found a website selling designer trainers at 70% off. The site had reviews, a returns policy, and a secure checkout. They paid £320 and received nothing. The domain was 4 days old.

Text messages or social media DMs claim to be from delivery companies, government agencies, or friends. They contain links to fake sites requesting personal information, payment of fake fees, or login credentials.

• ✕Unexpected parcel delivery notification you didn't expect
• ✕Message claims you owe a small fee to release a package
• ✕Link goes to an unfamiliar short domain
• ✕Message creates urgency or a deadline

Thousands of New Zealanders received texts claiming to be from NZ Post about an undelivered parcel. The link led to a fake NZ Post site that collected card details and charged a 'release fee' of $3.50 — then used the card for larger purchases.

Rather than stealing money directly, attackers steal login credentials to email accounts, social media, or banking portals. Once inside, they can lock out the owner, harvest contacts, send phishing messages to friends, or drain linked accounts.

• ✕Unexpected 'verify your identity' request
• ✕Login page URL is slightly off
• ✕Request for your two-factor authentication code via email or SMS
• ✕No HTTPS or outdated SSL

A Canadian small business owner clicked a 'Google Workspace security alert'. The fake login page captured their credentials. Within hours the attacker had emailed all clients fraudulent invoices, resulting in $45,000 in fraudulent payments.

Among the most damaging attacks: a fake bank login page that looks identical to the real one. Victims enter their user ID, password, and then their SMS one-time code — handing over everything the attacker needs for full account access.

• ✕URL includes the bank name but on a different domain
• ✕Site asks for full password rather than partial characters
• ✕Requests your SMS code before you've done anything
• ✕No 'last login' information shown after sign in

A retired teacher in Brisbane received an email from 'CommBank Security'. She logged into what looked exactly like her bank — including her account balance shown correctly (scraped in real-time). The attackers transferred $67,000 in minutes.