Quarter Four Report 2021

CERT NZ’s Quarter Four (Q4) Report provides an overview of reports about cyber security incidents impacting New Zealanders from 1 October – 31 December 2021.

This quarter, CERT NZ responded to 3,977 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help. There are 2 parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.

A Data Landscape Report providing a standardised set of results and graphs for the quarter.


The average number of incident reports per quarter is 1,733 and average direct financial loss per quarter is $4.0 million. These figures are based on the previous 8 quarters.

Incident numbers 

A total of 3,977 incidents were responded to in Q4 2021.

Incidents responded to by CERT NZ

Bar graph of cyber security incidents responded to by CERT NZ by quarter.

Breakdown of incident category

Malware is the most reported incident category, with 1,707 reports in Q4. A 1030% increase on the previous quarter.

Breakdown by incident category

Bar graph of reported cyber security incidents broken down by type.

Focus area: Log4j vulnerability

In December a critical security vulnerability in an open-source software component called Log4j was made public.

How the Log4j vulnerability works

How log4j works

What is Log4j

Log4j is a Java-based logging software component used to carry out numerous tasks, including recording and communicating warning or error messages. Common examples include recording what types of devices are accessing your website or when someone tries to access a missing file on your website resulting in a “404 error” message.

How does the vulnerability affect systems?

The Log4j vulnerability, known as Log4Shell, allows attackers to run their own malicious code on a system. The results of this attack can vary and could include a system being controlled remotely, data being stolen, or the system being locked down with ransomware. Once the system is infiltrated, other systems within the organisation can be targeted.

CERT NZ response

CERT NZ was the first government organisation internationally to release advice on the Log4j vulnerability. This information was quickly picked up and circulated by international agencies and media, helping raise awareness of the risk and share advice to help protect against compromise.

Our Incident Response team worked with local and international agencies, to establish an incident coordination and response function, and shared information about how the incident was progressing.

Log4j RCE 0-day actively exploited

How to protect your systems

As Log4j is widely used, you may not know if it’s part of your system. CERT NZ recommends that you talk to your IT team or IT service provider to make sure they’re taking the right security steps to help reduce risk.

Insight: Flubot fallout continues

In Q4, Flubot made up two-thirds of the 1,707 malware incidents reported to CERT NZ. Flubot (which we covered in Q3 2021) began affecting New Zealanders in September. It was sent through text messages containing a malicious website link that if clicked on, downloaded malware to the recipient’s phone. Reports of Flubot spiked in the first part of Q4, with a total of 1,107 reports across the quarter.

Q3 report 2021

Insight: Financial losses from scams and fraud increase

This quarter, CERT NZ received 568 reports about scams and fraud with an associated direct financial loss of $5.9 million, an increase of 269% from last quarter. It is the highest direct financial loss from scams and fraud in a single quarter to date.

Of the scam and fraud incidents reported, the 3 scam categories with the highest direct financial loss in Q4 were ‘buying, selling or donating goods online’ ($2.3m), followed by ‘investment scams’ ($1.8m) and ‘a new job or business opportunity’ ($1.1m).

Buying, selling, or donating goods online

Scammers are opportunistic and always looking for ways to exploit New Zealanders’ uptake in online shopping, and this was reflected in the busy holiday season.

Reported financial losses from ‘buying, selling or donating goods’ online per quarter

Bar graph of reported financial losses from ‘buying, selling or donating goods’ online by quarter.

What to look out for

To help work out if an online store is genuine, check:

  • the domain name owners’ address is registered in New Zealand

Whois lookup External Link — New Zealand Domain Name Commission

  • the store is a registered New Zealand company.

Search the companies register External Link — New Zealand Complanies Office

Be wary of websites that do the following.

  • Don’t list a physical address or have unusual contact information
  • Don’t display terms of trade (including return policies) or fully disclose costs (such as shipping and delivery).
  • Have significantly lower-priced goods. This should raise your suspicion that you might not get what you expect. If a deal is too good to be true it, probably is.
  • The URL doesn’t seem to match what they’re selling. For example, if Bob’s Sporting Goods (bobssportinggoods.co.nz) is selling luxury handbags.
  • Negative online consumer feedback and reviews.

If you think you have been affected by a scam, please report it confidentially to CERT NZ and immediately notify your bank if you’ve made a payment or shared payment information.