“I was bashed on the head and I’m messaging you in tears.”

William Chen - former art director of Metro and Cuisine - was on holiday in Malaysia when he got the above Facebook message from someone who appeared to be his friend, who was also his travel agent.

His “friend” was on holiday, in the Philippines, where he had been mugged. He needed money to pay his hotel bill and catch a flight to the airport - within hours.

Chen said he was suspicious, but time was pressing, and the language and phrasing of the messages seemed to ring true. He now thinks the scammer researched his friend’s social media posts so he could mimic his phrasing. “Emotional blackmail” was used, he said. He wired $800 before clocking it was a scam. He never saw the money again.

Chen told the Herald his story - and agreed to have his mug snapped for a Cyber Smart Week 2023 photo exhibit - in the hope it would encourage others to tell their stories, and raise awareness.

William Chen is one of the online scam victims featured in "Exposed: Through the Lens of a Hacker", a photo exhibition arranged by Cert NZ for Cyber Smart Week 2023. Photo / Steven Boniface

Rob Pope, director of the government’s Computer Emergency Response Team (Cert NZ), has often described reports to his organisation for financial losses from online fraud - $4.2 million in the June quarter - as “the tip of the iceberg”.

A Netsafe survey estimated that some $470m per year is lost to online fraud. But many people are just too sheepish to come forward and admit they’ve been taken in by an internet scammer.

A photographic exhibition on this week: Exposed: Through the Lens of a Hacker, features portraits of real people - Chen among them - who were targeted by hackers. It aims, in part, to help remove that stigma (although Pope also underlines that any approach to Cert NZ is treated confidentially).

It’s fair to say there’s still a touch of smirch. Some of the people photographed are identified by first names only, and some of the portraits are shot at an angle that obscures the subject’s identity.

Tiana King in "Exposed". Photo / Steven Boniface

But Cert NZ senior Sam Leggett says the exhibition also has a wider brief. The victims are snapped in everyday situations (by Steven Boniface) to show that cybercrime can happen anytime - often when they’re distracted by events in real-life, and their guard is down.

A case in point is writer and broadcaster Russell Brown. As a former tech journalist and longtime host of the Public Address community of bloggers, Brown knows his way around a keyboard. But, with his nerves shot after a visit to his dying mother in hospital, he was taken in by a scam text purporting to be from his bank (Westpac, which managed to block the fraudsters before any money was lost). Brown is set to speak at the exhibition’s opening tonight.

“It’s easy to think older people are more susceptible. But our reports show it really can be anyone,” Leggett says.

The exhibit also seeks to convey that, alongside financial losses, there is mental and emotional harm that’s harder to tally.

“Cert NZ doesn’t often talk about the human-level impacts of online attacks,” says the agency’s manager of engagement and partnerships Jane O’Loughlin.

“But this Cyber Smart Week, we want to expose the hidden toll these attacks can have, alongside tips to help protect New Zealanders and educate them about online security.”

More victims’ stories

Jaelyn

Jaelyn was the target of a phishing scam. She was sent a text saying she needed to log into her ridesharing app to authenticate the account. It seemed simple enough. So, she clicked on the link and provided the required details.

Within a week she was charged for more than $1000 worth of food and ride transactions through the app, which she never ordered. Instead of authenticating her account, which she thought she was doing, she had actually provided full details which allowed someone else access to her account. After much back and forth, Jaelyn got some of her money back – but lost her online confidence.

Megan

Megan was the target of a marketplace scam. She was trying to sell a jacket online and the buyer asked if she could reduce the price and include shipping. They also asked if she’d be open to pay through the site itself, which she’d never heard of before.

She clicked on the link they sent and she provided her bank account username and password. She immediately received a payment alert saying that money had been taken out of her account. Fortunately, her bank messaged her to say the payment had been blocked and she didn’t lose any money. She could have lost so much more.

• “Exposed” is free to the public and is running at the Tuesday Club, 42 Airedale St in the Auckland CBD from Tuesday, October 31 to Thursday, November 2, 10am to 4pm.
• Cert NZ’s Cyber Smart Week runs from October 30 to November 5 and will feature webinars and events, with a focus on raising the importance of being secure online.

Cert NZ tips

• 
  Use long, strong and unique passwords. Consider song lyrics, coloured with special characters. Use a password manager to help you remember.
• Enable two-factor authentication (a confirmation message via text or app if there’s a log-on from a new device or a settings change).
• Only trust website with a padlock next to their URL (web address) in your browser, and a URL that starts with “https://” - denoting a secure server - rather than “http//”
• Be suspicious of any link in a text message (especially a text message that arrives from a regular mobile number rather than the four-digit short codes used by most legitimate service. providers). Use an independently sourced phone number to verify information
• Don’t use public Wi-Fi for online banking or online shopping payments.
• Ditch older devices and software, which often no longer get security updates.

See more Cert NZ safety tips and guides here.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.