Quarter Three Report 2018

CERT NZ’s Quarter Three Report provides an overview of the cyber security events reported between 1 July and 30 September 2018. It also gives advice on how to prevent or mitigate these events.

This quarter, CERT NZ received 870 incident reports. This is the highest number of reports to date. The reports show that a broad cross section of New Zealanders and organisations are impacted by cyber security issues. They also show a significant increase in both incident type and financial impact compared to Q2.

Some examples include:

  • financial losses increased by 35% to $2.9 million
  • reports related to scam and fraud were almost double what we saw in Q2. This was due to a large number of webcam scam reports
  • reports of unauthorised access increased by 28%
  • although we received reports across all age groups, the 65+ age group experienced the highest value of direct financial loss. The total loss for this age group was $930,000 this quarter, compared to $123,000 in Q2.

Quarterly Report: Highlights [PDF, 721 KB]

Quarterly Report: Data Landscape [PDF, 2.6 MB]

Results in numbers

Number of incidents reported by quarter

We received 870 reports in the third quarter of 2018.

This is the highest number of incidents reported to CERT NZ since its establishment.




Results by type

Scam and fraud had the highest increase in number of incidents reported this quarter. This jump was led by a large number of webcam scam reports.

Breakdown by incident category

Bar graph showing number of different incident types

Unauthorised access reports

Bar graph showing number of unauthorised reports this year

Reports of unauthorised access continue to increase. We received 91 reports this quarter, a 28% increase on quarter two.

More than a third of these reports related to attackers being able to access business and personal email accounts through weak account passwords.

Case study: Business compromise leads to advisory

An IT provider noticed that one of its clients was receiving emails pretending to be a recognised supplier.

The emails contained fake invoices and were attempting to trick the client into paying the invoiced amount into the attacker’s account.