Between 1 July and 30 September this year New Zealanders reported $3.3 million in direct losses from cybercrime to the government’s cyber security agency.
“With holidays on the way, our advice is to put protections in place now - like creating long, strong and unique passwords and adding two-factor authentication - so you can relax on the beach with peace of mind,” says CERT NZ Director Rob Pope.
Figures from the CERT NZ quarter three report show a 53% increase in all reports, to 2,072. Of these, 151 were malware attacks, up substantially from 32 reports in quarter two (1 March to 30 June) this year. Phishing and credential harvesting remains the most reported incident category (growing 73% this quarter), followed by scams and fraud (growing 25%).
"If we've seen anything over the last quarter, it's that the criminals behind these attacks are getting more and more sophisticated," said Pope.
"The FluBot text malware scam is a good example of this, as the messages were changing as fast as we could report on them."
"And common scams, like the tech-scam call, are gaining traction and catching out trusting New Zealanders."
The number of tech-scam calls reported to CERT NZ rose in the third quarter from 45 to 72. This is where a scammer will call, pretending to be from a telco or large tech firm, and say there's a problem with your computer and request remote access to attempt to steal whatever they are after, including money from your bank account.
"The best advice is to just hang up," Pope said. "It’s incredibly rare for tech companies to call you if there’s a problem. But if you're concerned there may be a genuine fault, hang up and call the company's public phone number."
"If you’re concerned scammers may have gained access to your computer, then immediately notify your bank and contact CERT NZ through our website or call centre. The sooner you contact us the quicker we can help, and more likely it is we can assist to recover any lost funds."
CERT NZ has continued to see networks of IoT (Internet of Things) devices being used in DDoS (denial-of-service) attacks in the last quarter. This happens when insecure internet-connected devices, like routers and WiFi-connected cameras, become infected with malware.
An infected IoT device can potentially be co-opted into a criminal botnet (short for "robot network"), without the owners even knowing. Botnets are collectives of infected devices that can be called upon by attackers to swamp a website or application with requests, overloading it so legitimate requests can't get through.
"By simply changing the default passwords that come with the device and updating the software, you can keep your new toys out of the hands of attackers," said Pope. "And if your device doesn’t really need to be connected to the internet, disconnect it."