Quarter One Cyber Security Insights 2023

This quarter, CERT NZ responded to 1,968 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help. There are two parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.

A Data Landscape Report providing a standardised set of results and graphs for the quarter.

Highlights

The average number of incident reports per quarter is 2,191 and average direct financial loss is $4.9 million. These figures are based on the previous eight quarters. For this quarter (Q1):

$5.8 million in direct financial loss was reported in Q1. 30% of incidents reported financial loss.

1,968 incidents were responded to by CERT NZ in Q1 2023, up 12% from Q4 2022.

35% increase in unauthorised access from Q4 2022.

66% increase in direct financial loss from Q4 2022.

Number of incidents responded to

A total of 1,968 incidents were responded to in Q1 2023.

Year	Quarter	Incidents
2023	1	1,968
2022	4	1,757
2022	3	2,069
2022	2	2,001
2022	1	2,333
2021	4	3,977
2021	3	2,072
2021	2	1,351
2021	1	1,431

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category.

Graph – Breakdown by incident – Quarter 1 2023.

Incident category	Incident count	Percent change from previous quarter
Phishing and credential harvesting	946	+5%
Scams and fraud	625	+23%
Unauthorised access	240	+35%
Malware	28	-28%
Website compromise	13	-13%
Suspicious network traffic	2	+100%
Ransomware	12	-67%
Botnet traffic	3	+40%
Denial of service	2	0%
C and C server hosting	0	-22%
Attack on system	0	0%
Other	97	20%

Focus area: Investment scams

Reversal of fortune

A new scamming technique has caught out many New Zealanders.

Typically, scammers contact their target using a phishing email, text message or even a phone call. Phishing remains the number one cyber incident reported to CERT NZ.

However, in 2023, new methodologies are being used that have people actually approaching scammers.

Searching for scams

CERT NZ has seen scammers setting up malicious websites and using key search terms, to ensure their website appears high in the results of search engines, like Google. These websites usually mimic large organisations like banks, investment firms or large exporters.

How it works

A person goes searching for an investment comparison website or a website to purchase and export certain products.

The top results contain malicious sites alongside the legitimate sites, depending on the terms searched by the person, and serve as an initial point of contact between this person and the scammer.

Another domain set up by the scammer to make the email address look legitimate or a phone number. When the scammer gets a phone number, the interactions often move to platforms such as WhatsApp.

During the contact phase, scammers may even provide documents like investment comparisons or product catalogues. These documents look convincing and often includes branding of legitimate businesses and organisations.

Once people are convinced, they are provided with bank details to pay their ‘investment’ or the cost of the products they are looking to export. Unfortunately, these people may not realise this is a scam until the funds have been transferred and time has passed without any further contact from the scammer. This is often too late for the banks to be able to recover funds.

Anatomy of a real scam

Ad icon. In February 2023, CERT NZ was made aware of a major investment scam where someone searching terms such as 'term deposit comparison nz' on Google would be shown a search page that included ads paid for by scammers and linked to fake websites.

People who sent details to these sites were called by the scammers, claiming to be from the investment team at a New Zealand-based financial institution. These people were given professional-looking fake prospectus documents and details on how to transfer money to be ‘invested’.

Some individuals were also given a fake investment portfolio website to check their investments. This fake site was sophisticated and required a login before showing a balance specific to the target. By showing fake growth, the scammers were able to ask for further money.

This campaign was able to steal millions of dollars over the course of a month.

CERT NZ and Google worked closely to have these malicious URLs removed. CERT NZ also worked with local banks to communicate to the public that this was happening and to contact the banks directly regarding investments.

Red flags and what to look for

Staying vigilant is still the best defence. Healthy scepticism is a good way to keep yourself safe online. Treating every investment opportunity as suspicious will mean you are much less likely to lose funds to scammers. Investment returns that are too good to be true are always a red flag.

Remember, a high return in a web search doesn’t mean a site is legitimate.
Check email and web domains closely. You can look on an organisation's legitimate site for email addresses companies will use.
Communicating over an app, such as WhatsApp, is a sign they may not be legitimate.
Check the companies register for a business’s legitimate website.

New Zealand Companies Register External Link — companiesoffice.govt.nz

Check the Financial Markets Authority (FMA) website for warnings for about malicious investment sites.

Financial Markets Authority External Link — fma.govt.nz

Check with your bank and other organisations, such as the FMA, before investing any money. This will give you a good sense about whether a particular opportunity may be a scam or not.

Remember

If the person you’re speaking to becomes agitated or angry when you say you might leave, that is a good sign you should.
You are under no obligation to invest money, and if something feels wrong, you should walk away with your money in hand.

Pig butchering

Illustration of money falling next to a bullseye with arrows lodged in the very centre circle. It’s not the nicest term but, thankfully, it’s not a scam involving animals. This term has been coined to represent a situation where aspects of different scams are combined to get the most from a target.

Most commonly, scammers will use the social engineering aspects of a romance scam to build trust with a victim before switching to an investment or cryptocurrency scam.

Insight: AI

New dog, old tricks

The newest threat in the cyber landscape is artificial intelligence (AI), and how it’s being used by scammers.

Overall, the AI tools available to scammers haven’t yet significantly changed the mechanics of scams, but they have made the lives of scammers easier by simplifying some of the work required to create and run a scam.

The tools at their disposal mean attackers can quickly create more believable online content.

Image of a dog on skateboard wearing an AI badge.

AI text generators can create far more realistic and error-free phishing scripts as well as descriptive content, while AI image generators can create a suite of photos of a particular person or a completely fictitious one. This makes it easier for scammers to create the type of fake profiles used in romance or investment scams at speed and in bulk.

Tools like ChatGPT can also be used during live chats, making the scammers seem even more legitimate.

AI makes some scams easier to pull off

Phishing – more realistic wording in multiple languages
Investment scams – realistic investment advice
Romance scams – communications sound like a real person, including online chat, and can include realistic images.

Other languages

Image of the words Kia Ora.

AI doesn’t just help edit English, it can work across various languages. This means speakers of regional languages, who may not usually encounter cyber crime, are now potential targets.

CERT NZ is aware of scams occurring in te reo Māori. It’s unclear if these were created using AI but the threat of that happening is increasing.

How to stay safe

The good news is while the tools make it easier for scammers, their methodologies are essentially the same. For example, they can set up a completely AI-generated social media profile, but they still need you to provide information, take some action on your device, click on a suspicious link or send them money.

As always, be wary of who you're talking to online, take a second to check any links or details, and don’t share passwords, authentication codes or personal information.

It’s also a good idea to lock down your social media profiles because scammers can take that information and feed it into AI tools to create more realistic fake accounts or use your publicly available information to target you.

AI banned for other reasons

A no access symbol. AI is a tool and, like with any new tool, organisations must look at how it affects issues such as security, privacy, and data integrity.

AI tools have been banned in some organisations, but not always for security reasons. Some schools and other learning institutions have put a ban on AI to curb students using it to write assignment answers. Some organisations have created policy which blocks the use of AI to prevent documents with intellectual property from being uploaded and added to the AI learning database.

Insight: Dating and romance scams

Scammed out of love

Illustration of smart phone with a dating site profile on the screen.

CERT NZ has again noticed an increase in dating and romance scams. These are some of the most financially and emotionally devastating types of scams online and they can be hard to spot.

Who to believe

Scammers can be so convincing that the first time a person realises they are being scammed is when they receive a warning from their bank.

If you attempt to transfer money to someone and your bank advises against it, this is a good indication the person you are transferring money to may be trying to scam you. Banks are able to see some information that scammers can’t hide, such as bank account activity.

Illustration of a fish with a stick of lipstick and the words Catherine, 32.