Quarter Three Report 2020

CERT NZ’s Quarter Three (Q3) Report provides an overview of reports about cyber security incidents impacting New Zealanders from 1 July – 30 September 2020.


This quarter, CERT NZ received 2,610 incident reports about individuals and businesses from all over New Zealand. This report shares examples of the incidents and advice on how to best protect against them.

There are two parts to the report:

  1. A Highlights Report focusing on selected cyber security incidents and issues.
  2. A Data Landscape Report providing a standardised set of results and graphs for the quarter.

Quarterly Report: Highlights Q3 2020 [PDF, 775 KB]

Quarterly Report: Data Landscape Q3 2020 [PDF, 1.3 MB]

The average number of incident reports per quarter is 1,295 and average direct financial loss is $3.6 million. 

Number of incident reports by quarter

A total of 2,610 incident reports were received in Q3, a 33% increase from Q2.

Full breakdown of incident reports for Q2 2019 to Q3 2020.

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category.

Breakdown of categories of incidents reported to CERT NZ in Quarter 3 2020

The top three reported incident categories in Q3 2020 were:

  • phishing and credential harvesting with 1,064 reports
  • malware with 886 reports
  • unauthorised access with 110 reports.

If you have experienced a cyber security issue, report it to CERT NZ.

For more on the New Zealand threat landscape in Q3 2020, see the CERT NZ Quarterly Report: Data Landscape [PDF, 1.3 MB].

Focus area: Distributed Denial of Service (DDoS) attacks impact Kiwi businesses


This year a number of DDoS attacks have impacted both high-profile organisations and small businesses around the country. These attacks are malicious attempts to overload an organisation’s online systems and take their operations offline.

Defending your organisation against DDoS attacks

Like many cyber incidents, there isn’t a one-size-fits-all approach to defending against a DDoS attack. That’s why it’s important to have the right defences in place.

Best practices to defend against a DDoS attack

Protecting New Zealand from DDoS attacks

As part of CERT NZ’s role in building New Zealand’s cyber resilience, we’re working to help reduce the number of insecure systems in the country. That’s why we’re reaching out to ISPs to alert network owners of systems that can potentially be exploited by an attacker to cause a DDoS.

Insight: Email users affected by Emotet

In Q3, malware reports increased by 34%, making it the second highest incident category.

Malware is malicious software often spread through email attachments or links with the goal of infecting the recipient’s computer systems.


Protect from Emotet

To help prevent an Emotet infection, CERT NZ recommends:

In September, CERT NZ issued an advisory about Emotet. It includes information on protections as well as steps to take if you or your organisation has been affected.

Emotet malware being spread via email

Insight: Business email compromise

New Zealanders report close to a million dollars in losses

Business email compromise is one of the most common types of unauthorised access reported to CERT NZ. Our quarter three data shows this type of attack is increasing, with 27 reports of business email compromise, up 101% from quarter two, and $944,000 in direct financial loss.

Case study: Attacker intercepts business invoice

This quarter CERT NZ received a report from a business in the wholesale trade sector after an email account had been compromised.


Taking a few simple steps can help secure your business email accounts.

Protect from business email compromise

Update: Changes to the Privacy Act 2020 and vulnerable databases

The new Privacy Act 2020 comes into effect on 1 December 2020. These changes include the introduction of a privacy breach notification regime.

What this means for businesses and organisations

If a business or an organisation experiences a data breach where private information is lost or stolen, and believes this could result in serious harm, it is required to notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as possible.

Vulnerable databases and keeping your customer information safe

Unfortunately data breaches do happen, but the good news is there are measures you can take to help prevent an incident and keep your customers' information and data secure.