This quarter, CERT NZ responded to 1,968 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help. There are two parts to the report:
A Highlights Report focusing on selected cyber security incidents and issues.
A Data Landscape Report providing a standardised set of results and graphs for the quarter.
The average number of incident reports per quarter is 2,191 and average direct financial loss is $4.9 million. These figures are based on the previous eight quarters. For this quarter (Q1):
Number of incidents responded to
A total of 1,968 incidents were responded to in Q1 2023.
Breakdown by incident category
Phishing and credential harvesting remains the most reported incident category.
Reversal of fortune
A new scamming technique has caught out many New Zealanders.
Typically, scammers contact their target using a phishing email, text message or even a phone call. Phishing remains the number one cyber incident reported to CERT NZ.
However, in 2023, new methodologies are being used that have people actually approaching scammers.
Searching for scams
CERT NZ has seen scammers setting up malicious websites and using key search terms, to ensure their website appears high in the results of search engines, like Google. These websites usually mimic large organisations like banks, investment firms or large exporters.
How it works
A person goes searching for an investment comparison website or a website to purchase and export certain products.
The top results contain malicious sites alongside the legitimate sites, depending on the terms searched by the person, and serve as an initial point of contact between this person and the scammer.
Another domain set up by the scammer to make the email address look legitimate or a phone number. When the scammer gets a phone number, the interactions often move to platforms such as WhatsApp.
During the contact phase, scammers may even provide documents like investment comparisons or product catalogues. These documents look convincing and often includes branding of legitimate businesses and organisations.
Once people are convinced, they are provided with bank details to pay their ‘investment’ or the cost of the products they are looking to export. Unfortunately, these people may not realise this is a scam until the funds have been transferred and time has passed without any further contact from the scammer. This is often too late for the banks to be able to recover funds.
Anatomy of a real scam
In February 2023, CERT NZ was made aware of a major investment scam where someone searching terms such as 'term deposit comparison nz' on Google would be shown a search page that included ads paid for by scammers and linked to fake websites.
Staying vigilant is still the best defence. Healthy scepticism is a good way to keep yourself safe online. Treating every investment opportunity as suspicious will mean you are much less likely to lose funds to scammers. Investment returns that are too good to be true are always a red flag.
- Remember, a high return in a web search doesn’t mean a site is legitimate.
- Check email and web domains closely. You can look on an organisation's legitimate site for email addresses companies will use.
- Communicating over an app, such as WhatsApp, is a sign they may not be legitimate.
- Check the companies register for a business’s legitimate website.
New Zealand Companies Register External Link — companiesoffice.govt.nz
- Check the Financial Markets Authority (FMA) website for warnings for about malicious investment sites.
Financial Markets Authority External Link — fma.govt.nz
- Check with your bank and other organisations, such as the FMA, before investing any money. This will give you a good sense about whether a particular opportunity may be a scam or not.
- If the person you’re speaking to becomes agitated or angry when you say you might leave, that is a good sign you should.
- You are under no obligation to invest money, and if something feels wrong, you should walk away with your money in hand.
It’s not the nicest term but, thankfully, it’s not a scam involving animals. This term has been coined to represent a situation where aspects of different scams are combined to get the most from a target.
Most commonly, scammers will use the social engineering aspects of a romance scam to build trust with a victim before switching to an investment or cryptocurrency scam.
New dog, old tricks
The newest threat in the cyber landscape is artificial intelligence (AI), and how it’s being used by scammers.
Overall, the AI tools available to scammers haven’t yet significantly changed the mechanics of scams, but they have made the lives of scammers easier by simplifying some of the work required to create and run a scam.
The tools at their disposal mean attackers can quickly create more believable online content.
AI text generators can create far more realistic and error-free phishing scripts as well as descriptive content, while AI image generators can create a suite of photos of a particular person or a completely fictitious one. This makes it easier for scammers to create the type of fake profiles used in romance or investment scams at speed and in bulk.
Tools like ChatGPT can also be used during live chats, making the scammers seem even more legitimate.
AI makes some scams easier to pull off
- Phishing – more realistic wording in multiple languages
- Investment scams – realistic investment advice
- Romance scams – communications sound like a real person, including online chat, and can include realistic images.
AI doesn’t just help edit English, it can work across various languages. This means speakers of regional languages, who may not usually encounter cyber crime, are now potential targets.
CERT NZ is aware of scams occurring in te reo Māori. It’s unclear if these were created using AI but the threat of that happening is increasing.
The good news is while the tools make it easier for scammers, their methodologies are essentially the same. For example, they can set up a completely AI-generated social media profile, but they still need you to provide information, take some action on your device, click on a suspicious link or send them money.
As always, be wary of who you're talking to online, take a second to check any links or details, and don’t share passwords, authentication codes or personal information.
It’s also a good idea to lock down your social media profiles because scammers can take that information and feed it into AI tools to create more realistic fake accounts or use your publicly available information to target you.
AI banned for other reasons
AI is a tool and, like with any new tool, organisations must look at how it affects issues such as security, privacy, and data integrity.
AI tools have been banned in some organisations, but not always for security reasons. Some schools and other learning institutions have put a ban on AI to curb students using it to write assignment answers. Some organisations have created policy which blocks the use of AI to prevent documents with intellectual property from being uploaded and added to the AI learning database.
Scammed out of love
CERT NZ has again noticed an increase in dating and romance scams. These are some of the most financially and emotionally devastating types of scams online and they can be hard to spot.
Who to believe
Scammers can be so convincing that the first time a person realises they are being scammed is when they receive a warning from their bank.
If you attempt to transfer money to someone and your bank advises against it, this is a good indication the person you are transferring money to may be trying to scam you. Banks are able to see some information that scammers can’t hide, such as bank account activity.