2021 Report Summary

The CERT NZ 2021 summary gives an overview of what we’ve seen and done in 2021. It includes key figures about reports, incident types, financial loss, and vulnerabilities. It also captures a few of the highlights of what we've been doing to help improve cyber security in New Zealand.

What we’ve seen

Reported incidents

In 2021, 8,831 incidents were reported to CERT NZ, a 13% increase on 2020. Individuals, small businesses and large organisations from all over New Zealand submitted incident reports.

Bar graph showing cyber security incidents, by year, reported to CERT NZ. from 2017 to 2021.

Top incident categories

The top three incident categories in 2021 are:

  • 3,709 phishing and credential harvesting, up 9% on 2020
  • 1,930 malware reports, up 24% on 2020
  • 1,897 scams and fraud reports, down 1% on 2020
Bar graph showing the top cyber security incidents, by type, from 2017 to 2021.

Financial loss

15% of incidents reported to CERT NZ included direct financial loss, with a combined total value of $16.8 million.

Bar graph showing the summary of financial losses, by year, from 2017 to 2021.

Top types of scams and fraud

Scams and fraud accounted for almost $11.9 million (71%) of the total financial loss reported in 2021.

Of that loss:

  • Almost $3.9 million was lost to scams when buying, selling or donating goods online.
  • Over $2.1 million was lost to scams about employment and business opportunity offers.
  • Over $2 million was lost to unauthorised or falsified money transactions.
  • Other scams and fraud $3.9 million.
Bar graph showing the summary financial losses from scams and fraud in 2021.

Vulnerability reporting

Vulnerability reports are an opportunity to prevent a cyber security incident before it occurs. Vulnerabilities reported to CERT NZ range in severity and complexity.

64 vulnerabilities were reported to CERT NZ in 2021, with 27 being managed under our Coordinated Vulnerability Disclosure (CVD)* service.

*The CVD service is used when the person reporting the vulnerability doesn’t want, or has been unable, to contact the vendor directly. CERT NZ evaluates the scope and severity of the reported vulnerability before making the decision to apply the vulnerability disclosure coordination role.

What we’ve done

Get Cyber Smart

Cyber Smart Week is CERT NZ’s nationwide awareness campaign. In 2021, we worked with more partner organisations to reach more people than ever before – 290 Cyber Smart Partners.

International Engagements

In 2021, CERT NZ was a key part of four international working groups sharing best practice and improving our ability to understand and respond to cyber security risks, including the COVID-19 vaccine roll out.


Advisories are our early warning system for New Zealanders. We triage incident reports we receive, and information about international cyber threats to get timely, actionable advice out to New Zealanders so they can protect themselves online.

In 2021, CERT NZ issued:

  • 9 advisories to individuals and businesses
  • 23 advisories to IT specialists


Total website visits for 2021 was 374,589.

Our most popular page for IT specialists was our advisories page. For individuals, our Report an Issue was the top page and for businesses it was Protecting from ransomware guide.


Reporting form for businesses and individuals

Protecting from ransomware