This quarter, CERT NZ responded to 2,069 incident reports from individuals and businesses all over New Zealand. This report shares information about these incidents and highlights examples of the work CERT NZ is doing to help. There are two parts to the report:
A Highlights Report focusing on selected cyber security incidents and issues.
A Data Landscape Report providing a standardised set of results and graphs for the quarter.
The average number of incident reports per quarter is 2,166 and average direct financial loss is $4.5 million. These figures are based on the previous quarters.
Number of incidents responded to
A total of 2,069 incidents were responded to in Q3 2022.
Breakdown by incident category
Phishing and credential harvesting remains the most reported incident category.
Focus area: Financial loss
You don’t know what you’ve lost till it’s gone
New Zealanders lost close to $9 million to online incidents in quarter three this year, more than any previous quarter. Over 600 individuals carried most of this loss, including almost $7.5m lost to scams and fraud alone.
While those totals are eye-catching, it's important to note that most people (314) lost between $100 and $1,000, and those amounts can have a large impact on individuals.
Financial loss incidents
Scams and fraud
As always, scams and fraud accounted for the largest financial loss. Romance scams, fake job offers, investment scams and even rental property scams are becoming more prevalent, especially in social media marketplaces.
While many people think of scammers as trying to get access to their bank account, the more devious scams don’t need to. A new wave of scams is stinging people for an ongoing subscription disguised as a small one-off fee.
The most noticeable fraud subcategory was the $4.8m New Zealanders lost to unauthorised money transfer. This is a separate incident type to unauthorised access.
Unauthorised money transfer example: A recent scam claiming to be from NZ Post asked recipients to put in their credit card details to pay a small fee to release a package from Customs. The transaction went through but also signed them up to a subscription of anywhere from $40 to $80 a month.
Types of scams and fraud
Other areas with notable losses include scams for cryptocurrency and non-fungible token (NFT) investments, being asked to pay upfront for something, and romance scams. Only seven reports of crypto scams were made, but these averaged over $65,000 each, showing this type of investment scam is still losing New Zealanders thousands of dollars.
Upfront payment scams persist, with scammers targeting Facebook and other social sites. We’ve especially seen this on social media where a user may be approached with the offer of rental accommodation or something similar, and to get it they must pay up front. It’s a scam that preys on an individual’s needs, and often scammers find targets by reading public posts.
The most common scam is related to buying, selling or donating goods. Reports in this category are up 50% from the previous quarter. While the average loss isn’t high, it’s a constant threat and one that isn’t easy to combat beyond realising sometimes a deal is too good to be true.
It’s not just the money
Financial loss is the simplest loss type to quantify, however, reports to CERT NZ also often include other types of losses. These can be areas that affect businesses such as operational, reputational and data loss. Reputational loss, for example, can create long-term damage to a business or organisation. CERT NZ encourages businesses to think about these other kinds of losses when creating cyber security and incident response plans.
When doing anything online that requires money or personal details, act with an abundance of caution. Scammers want you to do things quickly and without thinking, by creating urgency.
Many scam tactics can be fended off with a small bit of research, taking your time to consider if an offer is legitimate, or contacting a company directly rather than clicking a link in a text message.
If you believe you have been the target of an online scam, contact CERT NZ and, if you have lost money, contact your bank, immediately. The sooner you report it the more likely the loss can be minimised or even reversed.
Insight: Buying and Selling
This quarter, CERT NZ received the highest number of reports related to buying, selling and donating goods online for a single quarter (375). Most reports were about purchasing goods online that either didn’t arrive or an inferior product was delivered instead.
You may think you’re ordering collectible sneakers but receive a pair of cheap sunglasses. So how do you know before you buy?
The scammers are clever and use every trick in the book and hope bargain hunters will fall into their traps.
More and more, CERT NZ is seeing websites that imitate well-known brands but with a slight change to the URL, in order to trick people. We have seen quite a few cases of adding ‘outlet’ or 'nz' to the domain name of a well-known shop (for example, www.HughsShoesOutletNZ.com).
Gone are the days when looking for the padlock symbol next to the web address (URL) was the sign of a safe website to buy from. The lock and a URL containing 'https' mean the connection between your web browser and the website server is encrypted; they don’t mean the site sells legitimate goods.
So what do you look for?
- A good place to check is the contact page on the website. Fake sites may not have a contact page, or if they do, the contacts may be overseas phone numbers or emails that don’t align with the brand.
- Check external reviews and feedback of the site. Googling the name of the site and 'reviews' may find more info than what's presented on the site itself because scammers are unlikely to leave bad reviews up.
- For more info on the site you can use Whois.com, a website that will tell you who the domain is registered with, when it was registered and how long it was registered for. You can also establish if a website is legitimate by checking domain names at the Domain Name Commission register.
- Scammers are also setting up websites for brands that don't sell online or otherwise have a strong web presence. Suddenly see something for sale online that was supposed to be an instore purchase only? There’s a good chance it’s a scam. The letters NZ in a website’s URL do not mean the site is necessarily based in Aotearoa, and this can mean they are not required to follow New Zealand consumer law.
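The domain checks above can be scripted. The following is an added example, not CERT NZ's own tooling: it flags a domain that bolts extra words such as 'outlet' or 'nz' onto a watched brand name, and reads the creation date out of a WHOIS record to spot a freshly registered site. The brand list, the affix list, the 90-day threshold and the WHOIS snippet are all constructed assumptions.

```python
import re
from datetime import date
from typing import List, Optional

# Assumption: a defender loads their own brand names here (constructed sample).
WATCHED_BRANDS = ["hughsshoes"]
# Words the report says scammers add to a legitimate brand name (assumed list).
SUSPICIOUS_AFFIXES = ("outlet", "nz", "sale", "store", "shop")

def registrable_name(url: str) -> str:
    """Lower-cased host name with scheme, port, path and 'www.' stripped."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    host = host.split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host

def lookalike_brand(url: str) -> Optional[str]:
    """Return the watched brand a domain imitates, or None.

    The first label must contain the brand plus at least one suspicious affix
    (e.g. hughsshoesoutletnz.com); the brand's own exact label is not flagged.
    """
    label = registrable_name(url).split(".")[0]
    for brand in WATCHED_BRANDS:
        if brand in label and label != brand:
            extra = label.replace(brand, "", 1)
            if any(affix in extra for affix in SUSPICIOUS_AFFIXES):
                return brand
    return None

def domain_age_days(whois_text: str, today_iso: str) -> Optional[int]:
    """Days since the 'Creation Date:' line in WHOIS output, or None if absent."""
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:
        return None
    return (date.fromisoformat(today_iso) - date.fromisoformat(m.group(1))).days

def assess(url: str, whois_text: str, today_iso: str, young_days: int = 90) -> List[str]:
    """Collect the warning signs the report tells shoppers to look for."""
    flags = []
    brand = lookalike_brand(url)
    if brand:
        flags.append(f"looks like '{brand}' with extra words added")
    age = domain_age_days(whois_text, today_iso)
    if age is not None and age < young_days:
        flags.append(f"registered only {age} days ago")
    return flags

# Constructed WHOIS snippet (not real registry data) for the page's example domain.
SAMPLE_WHOIS = "Domain Name: hughsshoesoutletnz.com\nCreation Date: 2022-08-15T00:00:00Z\n"
```

Run `assess("https://www.HughsShoesOutletNZ.com/sale", SAMPLE_WHOIS, "2022-09-30")` to see both warning signs raised for the report's example domain.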
Report all dodgy websites to CERT NZ. We can investigate them and potentially get them taken down. If the seller is using a platform such as Amazon or Facebook to sell their goods, then you can report them to that platform. If you have been caught out by a scam website, contact your bank, to see if you can get the charges reversed.
Insight: Unauthorised access
Unauthorised access shut down with two steps
In quarter three, close to 300 reports were received about unauthorised access, a 28% increase on the same quarter last year, with a direct financial loss to New Zealanders of $734,000.
Unauthorised access reports steadily increasing
Unauthorised access is when an attacker gets access to an account without the account holder's permission, and can affect both individuals and businesses. Usually, this is for financial gain or to gather personal information.
It can happen in several ways but most often it’s due to easily guessed passwords or login details that have been leaked, stolen or gathered through a phishing campaign.
The best way to protect from unauthorised access is by enabling two-factor authentication. This is an extra layer of security on top of your password, usually a code generated by an app on your phone or a digital fingerprint.
How unauthorised access can impact individuals
This quarter, individuals reported over $570,000 in direct financial loss through unauthorised access.
How unauthorised access can impact businesses
In quarter three, 21 businesses reported unauthorised access, with a direct financial loss of almost $170,000.
The impacts of unauthorised access can seem overwhelming; however, protecting from this type of incident doesn’t need to be. There are some simple measures you can put in place to strengthen your business's online security. By taking these steps, it also means you’re protecting your contacts from being affected too.
- Enable two-factor authentication (2FA), to add an extra layer of security to your accounts. This means that, even if an attacker gets hold of your password, they still won’t be able to get in.
- Use strong, long and unique passwords on all your accounts. If you’re a business, encourage staff to use a password manager to help them remember all their passwords.
- Don’t give out personal information online, whether on social media or by email.
- Verify payments with an SMS or call to the person or business that sent you the invoice.
Change your password immediately if you receive a temporary code for an account you weren’t trying to log in to. It could mean someone has your password and is trying to access that account without you knowing.