Date: 24th August, 2025
Author: Theresa Thomas
On 15 August 2025, the Financial Markets Authority (FMA) issued a stark warning: scammers are now leveraging WhatsApp group chats (and other similar chat apps) to impersonate legitimate New Zealand financial institutions, luring victims into fake investment schemes. But this isn’t just another phishing attempt; it’s a full-scale compromise of mobile devices.
The Attack Vector: Social Engineering Meets Remote Access
Victims are invited into WhatsApp groups promising high returns and referral bonuses. Once trust is built, they’re asked to:
Disable key security settings (e.g., “Install unknown apps”)
Scan QR codes or click links to download malicious apps
Grant permissions that allow full control of their device
This isn’t theoretical. Once installed, these apps can access:
Camera, microphone, messages, and contacts
Banking credentials, personal files, and images
System-level controls to install further malware
Why This Matters for Compliance & Risk Teams
This scam highlights a growing intersection between consumer trust, mobile device hygiene, and enterprise risk. For regulated entities, it raises urgent questions:
Are your BYOD policies equipped to detect and respond to remote access threats?
Do your mobile device management (MDM) tools flag sideloaded apps or permission escalations?
Is your incident response playbook ready for compromised endpoints that originate from personal use?
What Organisations Should Do
Educate Staff & Clients: Share the FMA alert and reinforce mobile security best practices.
Review MDM Policies: Ensure sideloading and remote access tools are flagged or blocked.
Update DR & IR Plans: Include scenarios involving mobile compromise via social engineering.
Audit Device Compliance: Validate telemetry for permission changes and app installs.
Report & Collaborate: Encourage reporting to CERT NZ and the National Cyber Security Centre.
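One way to run the MDM and device-compliance checks above, as an added example that is not part of the original article: it triages a constructed app-inventory export for sideloaded apps holding the kinds of access listed earlier. The record fields (installer, granted, accessibility_enabled, device_admin, system_app) and the severity thresholds are assumptions; map them to what your MDM actually exports.

```python
# Added example. Field names are hypothetical; map them to your MDM's export.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play's installer package

# Android permissions matching the access the article lists.
RISKY = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files/images",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs other apps",
}

def triage(devices):
    """Flag non-system apps from untrusted installers, ranked by access held."""
    findings = []
    for dev in devices:
        for app in dev["apps"]:
            # installer is None when the APK was opened directly (sideloaded).
            if app.get("system_app") or app.get("installer") in TRUSTED_INSTALLERS:
                continue
            access = sorted(RISKY[p] for p in app.get("granted", []) if p in RISKY)
            control = app.get("accessibility_enabled") or app.get("device_admin")
            # Assumed thresholds: device-control features or 3+ risky grants = high.
            severity = ("high" if control or len(access) >= 3
                        else "medium" if access else "low")
            findings.append({"device": dev["id"], "package": app["package"],
                             "severity": severity, "access": access,
                             "device_control": bool(control)})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["device"], f["package"]))

# Constructed sample inventory (not real telemetry).
SAMPLE = [
    {"id": "dev-01", "apps": [
        {"package": "com.example.bank", "installer": "com.android.vending",
         "granted": ["android.permission.CAMERA"]},
        {"package": "com.example.invest", "installer": None,
         "accessibility_enabled": True,
         "granted": ["android.permission.CAMERA", "android.permission.READ_SMS",
                     "android.permission.REQUEST_INSTALL_PACKAGES"]}]},
    {"id": "dev-02", "apps": [
        {"package": "com.example.notes", "installer": None, "granted": []},
        {"package": "com.example.chat", "installer": "com.example.store",
         "granted": ["android.permission.READ_CONTACTS"]}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["severity"], f["device"], f["package"], f["access"])
```

A "low" finding still means an app arrived outside a trusted store, so it belongs in the compliance review even when no risky permission has been granted yet.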
Final Thought
This scam isn’t just about financial loss; it’s about trust erosion, data exposure, and systemic risk. We must stay ahead of these evolving tactics and ensure our frameworks adapt to the human layer of compromise.