Phone companies are warning customers about a "significant" outbreak of scam text messages, purporting to be from courier companies.
Internal Affairs says the "large scale attack" has broken records, with thousands of complaints over the past 24 hours.
A spokeswoman for 2degrees said its customers, along with those of Spark and Vodafone, are receiving messages from the fraudsters in a campaign that began yesterday afternoon.
Tye Telecommunications Forum, which represents phone companies and ISPs, is working with Cert NZ and Internal Affairs to block the malicious web links involved.
But in the meantime, customers are being warned not to reply to the text, or click on the link.
Blocking numbers the next is sent from is problematic, however. Cert NZ says if you click on a link in one of the malicious text messages, it will ask you to install what it says is an app for a delivery company - but which is actually a piece of malware called Flubot (which can only infect Android phones, not iPhones).
Flubot attempts to steal your credit card details, banking logon and other sensitive information stored on your phone, then steals your address book and uses it to send another wave of text messages to new victims from your number.
See examples of the scam texts below.
Note they include Australian phone numbers. Legitimate texts from businesses are usually sent from a short code, and rarely include a URL (a link to a web address).
Telecommunications Forum chief executive Paul Brislen says, "Customers who have already downloaded the app may need to restore their phone to basic factory settings in order to remove the malware and then change passwords to any apps you may have been logged in to at the time as a precaution." (See other precautionary measures and recovery options here.)
Vodafone is reminding customers to only download apps from a legitimate app store.
Nadia Yousef, a senior incident manager with the Government's Computer Emergency Response Team (Cert NZ), told the Herald:
"People can protect themselves by contacting the actual brand the scammers are impersonating and verifying the original request. For example, by calling the courier company on their publically listed number, rather than clicking the link in the text."
Yousef adds, "If people have been affected by online scams, we encourage them to report them to us as soon as they can. Reporting scams quickly can mean people get their money back. People can report to Cert NZ online, any time at www.cert.govt.nz."
If your phone does get infected, or you think you've inadvertently spilled your details to cyberthieves, there are two Crown-backed agencies who can help, and assist with contacting the right law enforcement authorities: Netsafe and Cert NZ. Reporting an incident to either, plus your phone company, helps to prevent more attacks.
Text messages or websites imitating real companies are often used for "phishing" - or tricking people into revealing personal details that can then be used for identity theft or fraud.
"Scams such as this are designed to take advantage of basic consumer behaviour. The groups behind them often run like businesses. Scammers will collect information from a range of online sources, such as data breaches, and then send scam emails to a large number of people," Yousef says.
"Even if only a small number of people click on the link, or pay the money that's requested, the scammers can still make a considerable amount of money with little effort.
"With the increasing level of sophistication of these scams, avoiding them can be difficult. So people should not feel embarrassed if they get fooled. This embarrassment can be a barrier to people seeking help and potentially getting their money back."