Have you been pwned?

I have just returned from an Accountants and Tax Agents Institute of NZ (ATAINZ) Workshop in Auckland, where members of the ATAINZ congregated for a day of learning and community connection. Given I am a people person, it was lovely to catch up with others in person and really be able to connect on a level you just can't get over the internet.

It was great to have our ethical responsibilities as a member of ATAINZ covered in one of the first sessions, with scenarios on how to deal with certain situations. Acting ethically is a requirement of our industry, and being able to have a robust discussion on some of the situations we may find ourselves in was very interesting.

This topic flowed really nicely into a presentation from Jo McGregor from Inland Revenue (IR) on ever-rising Identity Fraud and Cyber Crime.

Given we all live and breathe via the Internet and the wealth of data that can be found on it, it is no surprise that Cyber Crime has been on the increase for some time and is now the most prevalent crime in NZ.

With the release of the Artificial Intelligence (AI) tool ChatGPT, which accesses all things on the internet (so please DO NOT put any personal details into this system, this is NOT a secure site to use for personal information), you can create a phishing site in under 4 minutes. Phishing sites mine for personal information to obtain login or personal details, which the operators then sell on the dark web, where identity theft happens. They may also use the information to get into other sites you may have and redirect refunds (like from Inland Revenue) or take funds from banks or other sites you use.

Cyber crime is easier than ever. We now have the invention of Fraud GPT, the dark web's dangerous AI for cybercrime. You can buy identity lists right off the internet.

[Image: Fraud GPT]

Inland Revenue is the most impersonated organisation in NZ, and we need to be very aware that phishing emails and texts are the most used option by fraudsters to gain our details. They send you to a site that looks very like the MyIR login site, and when you put your details in, it doesn’t work, so you keep trying, and every time your actions are recorded at their end, allowing them to log into your actual site. From there, they can change bank account details for refunds or change tax returns to create or increase refund sizes, redirecting these funds into their own pockets. Most of the time, you wouldn’t even know they have been there.

[Image: IR impersonation message]

You now have the ability to turn on Multi-factor Authentication (MFA) for your MyIR site, and I fully recommend everyone does. I have requested they make this mandatory, which as you can imagine, as much as they would love to, would create havoc for those who struggle with technology (and probably are the ones who need it most). Having activated Multi-factor Authentication, or 2 Factor Authentication (2FA) as it can be called, will stop this in its tracks. Within your MyIR page at Inland Revenue, go to Manage My Settings at the top right of the page, then under Security, you can turn it on.


What is Multi-factor Authentication (MFA)?

MFA is a digital guardian that stands as a sentinel at the gateway to websites we log into that hold personal information. Like a vigilant keeper of secrets, it requires multiple keys, ensuring that only you gain access. This is usually by a one-time code sent to your phone or via an app. We have a blog on MFA you can access here.

To be able to use MFA or 2FA, you will need to use an authenticator app. Therefore a smart phone with an app downloaded is needed. PC Magazine discusses the best authenticator apps for different scenarios in its August 2023 post. If you are unsure, check out 2FAS, which is recommended by them due to having cloud backup (helpful if you lose your phone!). You will need to download an app from the Android or Apple store.

Why would I use MFA?

Using MFA stops cyber crime in its tracks.

  • 65% of people reuse the same password.
  • The average person reuses the same password as many as 14 times.
  • 44 million accounts are vulnerable due to compromised or weak passwords.
  • Even if a cyber criminal does not gain access to one site, with password reuse, it is a vulnerable target.

How do I know if my identity has been pwned?

To check if there have been any breaches of your email address, check out HAVE I BEEN PWNED? It made for interesting reading when I tested my addresses, and if anything comes up for you, I would recommend that you go and change your password and add MFA if the site allows for its use. If you use that same password elsewhere, then you would best change your passwords everywhere.

How do I keep track of all these passwords?

I would recommend using a password manager to track all of your passwords. That way you only have to remember one password (make sure it's not an easy one) to get into that system, and please have MFA turned on. This is your second level of security. Cybernews have recommendations on password managers here.

What do I do if I have been the victim of a cyber attack?

Contact the team at IDCARE in the first instance. IDCARE is Australia and New Zealand’s national identity & cyber support service. They have helped thousands of Australian and New Zealand individuals and organisations reduce the harm they experience from the compromise and misuse of their identity information by providing support.

