A Hastings family caught in a social media global data breach has been put at risk for years to come after they were the targets of a "convincing and credible" identity theft scam.
Hastings Citizens Advice Bureau manager Deborah Grace is warning people to be alert to the scam, seemingly originating from Malaysia.
The scam involved a stamped letter from Malaysia addressed specifically to the target, with official-looking, glossy brochure from a supposed travel company celebrating a 15th anniversary with two scratch card inside.
At least one of those cards purports to be a winner, promising a price of US$200,000.
"What's actually happening is you are encouraged to ring a number in Kuala Lumpur and you're answered by the claims department who say before they can hand over money they need some details."
Those details included instructions to fill in the back of the scratch card with name, address and a copy of the driver's licence, for age confirmation.
"So you email them - and then you wait for the money, but the money never comes because obviously, it's a scam. Then they call back and say they need more proof, which is your marriage licence or birth certificate, so get them in the post to us - it's identity theft.
"It's convincing and credible but it's fraud, a scam and social engineering."
The brochures and scratch cards were made to look official by the use of logos from leading international companies.
There had been three reports of the complicated, long-term scam reported in Hastings - all on the same day.
Grace had already spoken to one family who had been taken in by the sophistication of the scam.
"They really believed this. People think Christmas is sorted and I had to break their hearts."
While the family had changed their bank details and had not lost money - there was still a risk of big problems coming back to bite them.
"There's still a huge risk for them in years to come with identity theft - they sent them everything.
"There could still be implications from this are pretty huge for anyone. There could be risk for years to come and they won't know."
Grace's investigations had shown the family had been targeted after their address was harvested after an online data breach from a genuine subscription to a social media music site (not Spotify).
She urged anyone receiving similar documents to not respond in any way - and not to send any identity documents or bank details.
"Hopefully anyone who gets one of these will just bin it or shred it."
Anyone concerned should contact CAB free of charge or report the scam to CERTNZ website.