Kiwis warned as holiday surge in SMS scams targets bank details
Kiwis are being cautioned to remain vigilant as a surge in SMS-based scams targets mobile users across the country. As the holiday season approaches, cyber criminals are refining their methods, using text messages to deceive recipients into disclosing sensitive information or making payments.
Growing smishing risks
The range of SMS scams, often referred to as smishing, has broadened significantly. While traditional phishing has plagued email inboxes for years, smishing exploits the high level of trust many people place in text messaging. Messages frequently employ tactics such as impersonating banks, government departments, delivery companies, or even family members in distress. Common hooks range from claims of undelivered parcels to urgent alerts about bank account issues. Attackers aim to obtain personal and financial data or encourage users to install malicious software.
Deceptive delivery alerts
One widespread technique involves fake delivery notifications. Victims receive messages stating "We couldn't deliver your package - pay $1.50 to reschedule," often within legitimate-looking threads. Clicking the included link can direct the user to a fraudulent site requesting payment or prompt them to install a rogue tracking application, both of which can result in theft of payment details or device infection. According to Luis Corrons, Security Evangelist at Gen, "Remember, track parcels only through the courier's official app or website."
Refund and survey lures
Other scam messages entice recipients with the promise of refunds or prizes. For example, texts like "You are owed a refund for your flight - click here to claim" link to convincing replica pages designed to collect credit card or personal information, or to enrol users in costly services. Similarly, offers such as "You've won a phone!" or invitations to complete surveys may result in the victim submitting sensitive data or unintentionally subscribing to premium services. "Always verify refunds directly through your account or booking site, not via text links," said Corrons.
Impersonation and urgency
Fraudsters have become increasingly adept at creating urgency and appearing authentic. Many scams now leverage details such as the recipient's name or recent transaction history to increase credibility. Some messages pressure recipients to respond quickly or face account disconnection, additional charges, or missed opportunities. Impersonation extends to fake recruiter texts, tax refund notifications, and requests to move conversations to encrypted apps like WhatsApp, potentially exposing victims to additional risk.
OTP and account security threats
A notable attack targets one-time passwords (OTPs) sent by banks or online services. Scammers prompt victims to relay codes received on their phone, which lets the scammers bypass account protections and seize control. Once access is gained, attackers may compromise email, financial, or social media accounts.
SIM-swapping and device takeover
Another method involves SIM-swap scams, where attackers gather enough personal information to transfer a victim's mobile number to a new SIM. This process allows them to intercept calls and texts, further jeopardising security across all connected digital accounts.
Detecting and reporting scams
Experts advise scrutinising unsolicited messages for telltale signs such as unusual web addresses, poor grammar, requests for urgent action, or prompts for payment and code sharing. Never click links in uncertain messages or call numbers provided within unsolicited texts. Instead, users should access services directly via official apps or verified websites and report suspicious SMS to their mobile provider for investigation.
Practical prevention guidance
"If you entered details: change passwords immediately; enable 2FA with an authenticator app; watch bank/credit statements and contact your bank if payment info was entered. If you installed an app (Android): airplane mode → uninstall → run a trusted mobile security scan; if banking details were involved, contact your bank and consider a full reset as a last resort," said Corrons.