Quarter Two: Cyber Security Insights 2022

CERT NZ’s Quarter Two (Q2) Cyber Security Insights provide an overview of reports about cyber security incidents impacting New Zealanders from 1 April to 30 June 2022.

This quarter, CERT NZ responded to 2,001 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help.

There are 2 parts to the report:

An Insights report focusing on selected cyber security incidents and issues.

A Data Landscape report providing a standardised set of results and graphs for the quarter.


Number of incidents responded to

A total of 2,001 incidents were responded to in Q2 2022.

Chart: Breakdown of incidents by quarter from quarter 3 2020 to quarter 2 2022.

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category.

Chart: Breakdown of incidents by category from 1 April to 30 June 2022

Focus area: 'Phone spoofing' impacting bank customers

In quarter two, CERT NZ became aware of a spike in scam calls where attackers were pretending to be from a bank to try and trick recipients into sharing financial information, giving access to their bank accounts or allowing remote access to their devices or PCs.

New Zealand banks have worked with telecommunication providers and the New Zealand Telecommunications Forum (TCF) to block their numbers from being spoofed.

CERT NZ and New Zealand banks are now aware that scammers have further evolved the approach by changing out one or two numbers to closely imitate the banks’ phone numbers.

How is this happening?

Phone spoofing diagram: The scammers uses  intermediary software that generates signals to hide their phone number. Then the number the scammer chooses is displayed on the caller ID instead.
  1. The scammers use intermediary software that generates signals to change the displayed caller ID.
  2. Once the attacker has the target on the phone, they use social engineering tactics to try and get the financial information or access they are seeking.
  3. To sound more plausible, attackers are often using scripts and dialogue similar to those used by the bank call centres. In many cases, they pretend to be from a bank’s fraud centre and say they’ve detected unauthorised access of the recipient’s account. In some cases, they use fear or urgency to get the recipient to act.

How to tell if you're being called by a scammer

If you receive a phone call from a person claiming to be from your bank, even if the phone number looks similar to the bank’s phone number, there are some red flags that can help you identify if the call is legitimate.

With a bank scam call, the scammer will usually do one of the following:

  • Ask the recipient to download remote access software under the pretext of being able to walk the customer through a necessary process.
  • Trigger a SMS code that is sent to the recipient’s phone. This is a code to either gain access or authorise a transfer, but the attacker will say it is a 'cancellation code' or something similar, and ask the recipient to read it out.
  • Ask for the recipient’s bank account log in information or full credit card number.

What to do if you think it’s a scam call

  • CERT NZ strongly recommends ending the call and hanging up if you have any concerns about the legitimacy of a call.
  • Then find the bank’s phone number from the bank’s website or on the back of your bank card and call them. This way you'll find out if the original call was genuine.
Image with 2 speech bubbles suggesting 2 things you can say to help end a call. 1. “I’ve got another call coming through. I’ll call back soon on the 0800 number” and 2. “There’s someone at the door. I’ll call the bank back soon. Goodbye."

In some cases, when a recipient tries to end a call, the scammer will use fear and urgency tactics to try and convince the recipient to stay on the call and respond to the request.

Protect yourself and your bank accounts from scam calls

  • Enable two-factor authentication (2FA) on your bank account. This adds an extra security layer on top of your password, like a code sent to your phone. That way if an attacker gets your login details, they still won’t be able to access your account. Never share these codes with anyone. Your bank will never ask you for a 2FA code.

    Two-factor authentication
  • If you have clicked on a suspicious link or received a call where you’ve provided a 2FA code, contact your bank immediately and report the incident to CERT NZ.

  • Never give out account information, credit card details or remote access to your devices. Your bank will never ask for this information.

How CERT NZ is helping combat phone spoofing

CERT NZ works with other New Zealand organisations, like financial institutions, to combat scam calls. We share information and insights to better understand who is being targeted and the tactics scammers are using.

Insight: Romance scams

At the heart of scams and fraud

Scams and fraud are consistently one of the most reported categories to CERT NZ.

In quarter two, New Zealanders reported over 500 incidents about scams and fraud, and 92% of these reports (486) were about individuals – with a total direct financial loss of $3.2 million.

Of the types of scams and fraud reported, ‘buying and selling of goods online’ is consistently the most reported. This quarter, ‘dating and romance scams’ was the second most reported, with the number of incidents in this category steadily increasing across the past four quarters.

Chart: Romance scams reports by quarter from quarter 3, 2020 to quarter 2, 2022.

Romance scams

A romance scam is when a scammer takes advantage of someone looking for a relationship online.

Scammers will use dating websites and apps or social media to build a relationship with someone. Once they’ve gained the person’s trust, the scammer will start to ask for money, gifts, personal details or they will make unusual requests that can be used to commit fraud or to exploit the individual.

More recently, CERT NZ has seen reports where romance scammers are building trust to try and trick the individual to buy into crypto investment scams. The scammers often use fake profiles to make it harder to track them down.

Preventions, checks and red flagsRed flag icon.

  • Avoid giving out too much personal information online, including on social media or by email.
  • If you’re unsure about a connection, reverse image search can help identify if the image has been used elsewhere or doesn’t match the identity of the person they are claiming to be. You can do this by uploading the image to a search engine.
  • Avoid responding to requests for financial help, making investments or sending money. This includes sending money to enable them to meet you in person.
  • Sometimes there are multiple scammers working together, look out for inconsistency in communication style.
  • If the contact is not willing to meet up or talk via video call, or comes up with a series of excuses to avoid meeting, they could be a scammer.

If you think you may have experienced a romance scam or are concerned about a connection you’ve made, we can help. Please report confidentially to CERT NZ.


Insight: Unauthorised Access

Reducing the risk of internet exposed services

This quarter, CERT NZ received 230 reports about unauthorised access. This is when an attacker gains access to an account, a service or a device usually through vulnerabilities in software, or weak or stolen credentials.

How to reduce risk to your business

Many New Zealand businesses, small and large, use internet-exposed services.

The following mitigations may require some technical ability. If you are unsure whether they relate to your business, CERT NZ recommends checking with your IT provider.

Commonly targeted internet-exposed services are:

  • NAS devices
  • RDP
  • Databases
  • Device and service management interfaces
  • IoT devices