Quarter Three Cyber Security Insights 2023

CERT NZ’s Cyber Security Insights report for quarter three (Q3) provides an overview of cyber security incidents impacting New Zealanders from 1 July – 30 September 2023.

This quarter, CERT NZ responded to 2,136 incident reports from individuals and businesses all over Aotearoa. This report shares information about these incidents and highlights examples of the work CERT NZ is doing to help. There are two parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.

A Data Landscape Report providing a standardised set of results and graphs for the quarter.

Highlights

Number of incidents responded to

A total of 2,136 incidents were responded to in Q3 2023.

(Chart: total incidents responded to, Q3 2023)

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category in Q3 2023.

(Chart: breakdown of incidents by category, Q3 2023)

Focus Area: Investment Scams

If there's one thing a scammer likes, it's a large sum of money in one place. This is why New Zealanders looking to maximise returns on their savings are being targeted. Scammers create 'investment opportunities' that look legitimate and lucrative, reeling in potential targets.

Because the goal is to steal a lifetime's worth of savings, investment scams frequently have high losses. In Q3, CERT NZ received 11 reports where individuals reported losing over $100,000.

“LOOKS ALL RIGHT!”

For the scammer to pull off a plan of this scale, it is crucial that they build trust. This is done through well-planned communication and an appearance of legitimacy.

To make everything look legitimate, scammers set up physical and email addresses, phone numbers, messaging apps and online groups. Historically, scammers would contact targets via an unprompted email or call. They may lead with a lucrative investment opportunity or strike up casual conversation to establish a rapport. But, more recently, these conversations are increasingly taking place over a text message or messaging apps. They could also take a passive approach, putting up an advertisement online and waiting for someone to contact them.

Sometimes, scammers will use just one 'persona', such as an investment advisor or overseas investor. At other times, they may create multiple accounts pretending to be an entire team of people.

Once they've turned the discussion to investment, they present some kind of business to invest in, to lend it legitimacy. They may create entire websites or even investing apps. Websites may be entirely fictional or based on real companies.

The difference of a dash

Fake websites can have URLs that closely resemble the website of an actual company. For example, in one case study report that CERT NZ received, the website the scammer provided differed from the real one by a single dash: www.investment-group.com instead of www.investmentgroup.com.

Investment scam case study

The person (we’ll call them Alex) saw an advertisement for a trading platform that claimed to leverage AI tools and expert advice to find investment opportunities. The ad touted very high and reliable returns, almost too good to be true. The platform had a professional-looking website and appeared to be licensed overseas, so Alex registered an account.

Alex was then added to a WhatsApp group of ‘other investors’, who were all in on the scam. The group shared regular trading news highlighting investment opportunities, asking for thousands or tens of thousands of dollars at a time. Some of the companies mentioned were real ones. However, instead of being invested in these companies, the money was going to the scammers.

The scam continued for close to 18 months, until Alex wanted to get out. The scammers claimed that, to withdraw the money, a large fee needed to be paid first. Alex felt trapped and unsure of what to do.

After reporting to CERT NZ and talking to the bank, Alex was able to recover some of the money, but most of it was already gone.

What to look for

Large investment scams work on a high-trust model. The scammer must appear knowledgeable, reliable and competent. Building that illusion requires patience and a set of well-rehearsed steps:

  • Scammers use positions of authority to pressure you into trusting the information without verifying it (pretending to be an expert, or several experts using multiple emails or accounts).
  • Scammers may use urgency to push you into acting before thinking your investment through or talking it over (claiming to have time-sensitive opportunities like ‘pre-IPO investments’).
  • Scammers create a sense of peer pressure to push you to participate (they may create entire group chats talking about ‘successes’).
  • Scammers create a sense of complacency to keep you invested. This may be by showing your ‘investments’ going up in value despite not existing, or by offering alternative investments instead of letting you take your money out.
  • Scammers create a sense of fear and confusion to dissuade people from getting support, often by claiming a large fee must be paid before you can withdraw your money.

Sniffing out investment scams

  • Before you invest in something that sounds lucrative, check for investment alerts by the New Zealand Financial Markets Authority (FMA) or other equivalent overseas agencies. Many of the reports that come to CERT NZ involve ‘companies’ that these agencies have issued investor alerts on.
  • Check the company's New Zealand Business Number (NZBN) against its registered name. This can be done on the NZBN website.
  • Watch out for signs of peer pressure or created urgency. If something feels wrong, get a second opinion from someone outside the group.
  • Remember — if it seems too good to be true, it probably is.

The FMA website has advice for avoiding investment scams, including finding a reputable advisor and warnings about known fake investment websites.

Warnings and alerts (Financial Markets Authority)

Insight: Artificial Intelligence

Artificial intelligence is a powerful technology, with the potential to revolutionise many aspects of our lives. But AI can also be used for malicious purposes and, unfortunately, scammers are increasingly using AI to create more sophisticated and convincing scams.

Image and video generation

AI can generate realistic images or videos of people and places. It can create fake photos of a real person, or generate images of someone who doesn’t actually exist. These images can be used to create entire social media accounts or dating profiles that look genuine. Scammers can then use these fake accounts to trick people into giving them money or sharing personal information.

Chatbots

Chatbots are computer programs that can simulate conversation with people. Most people have seen or even used one. Companies like banks and airlines use them to answer common questions that customers may have. But scammers, too, can use chatbots to create fake customer service representatives and trick someone into giving away personal or sensitive information, or into making a fraudulent payment.

Voice imitation and generation

Reports overseas have noted cases where scammers used AI to imitate a person's voice, generally someone in authority or a loved one, to trick someone into parting with money or sensitive information. CERT NZ has not yet received a report of voice imitation but, as AI tools get more sophisticated, this type of scam remains a possibility.

Staying safe

AI scams are a growing threat, but the same tactics that you use to protect yourself from other types of scams can also be used to protect yourself from AI scams. Be wary of unsolicited messages, never give out your personal information to someone you don’t know and be sceptical of offers that seem too good to be true.

Be wary of requests from people you have only ever met online, and, if a request for financial help or sensitive information comes from someone you know, verify it with that person through a different means of communication.

Insight: Job Scams

Online scammers use fake job advertisements to trick job hunters into sharing personal information such as their address, passport details, employment history or even financial details.

Fake job advertisements can look just like real ones. They may be posted on genuine job listing platforms or shared with victims directly through unsolicited emails or direct messages. Like other scams, these offers are often too good to be true. The fake roles are usually part time, completely online and come with very good compensation.

Malicious methods

The methods of these scammers vary from scam to scam. Once a person starts interacting with a scammer about a job opportunity, they will often be asked to move the conversation to another platform such as WhatsApp. The scammer may also request sensitive, personal information much earlier than one would expect for a genuine job offer.

In some cases, the scammer will claim that the next stage of the interview process is an in-person interview and ask their target to deposit funds into a travel account for flights and accommodation, funds they claim will be refunded after the interview.

Once a scammer has obtained someone’s personal information, they can use it to conduct a range of criminal activities, including online fraud and identity theft. This can have serious repercussions for the affected person, including financial loss or negative impacts on their credit rating.

Unfortunately, victims often don’t realise it is a scam until they have provided their sensitive, personal information or deposited money, at which point the scammers will usually cut contact with the victim.

Spot it early

It can be difficult to tell the difference between a genuine job listing and a job scam, but you can look out for specifics.

Scammers often create fake websites with a URL similar to that of a genuine company. If in doubt, verify the company’s webpage and navigate to the job listing from there.

Check that the recruiter’s email matches the company’s domain name. As with URLs, some scam emails may look like they have come from a real company, such as jobs@example-test.com, when the real company’s email is jobs@exampletest.com.
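The two comparisons above (the dash in www.investment-group.com in the investment scam case study, and the recruiter address jobs@example-test.com here) can be automated. The following is an added example written for this page, not a CERT NZ tool: it takes a URL, bare domain or e-mail address, reduces it to its registrable domain, and compares a "skeleton" of that domain (hyphens removed, a few common look-alike substitutions collapsed) against a list of domains the reader trusts. The trusted list, the substitution table and the two-label rule for the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed list of domains the reader trusts. An assumption for this example,
# not a list published by CERT NZ or the FMA.
TRUSTED_DOMAINS = {"investmentgroup.com", "exampletest.com"}

# Assumed substitutions that look-alike domains commonly rely on.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def hostname_of(value: str) -> str:
    """Return the lowercase hostname from a URL, a bare domain or an e-mail address."""
    value = value.strip().lower()
    if "@" in value:                       # e-mail address: keep the part after '@'
        value = value.rsplit("@", 1)[1]
    if "://" not in value:                 # bare domain: give urlsplit a netloc to parse
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Real code should use the Public Suffix List (e.g. 'co.nz' is two labels)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(domain: str) -> str:
    """Collapse the tricks a look-alike relies on: hyphens, digit-for-letter
    swaps and the 'rn' pair that reads as 'm'."""
    return domain.replace("-", "").translate(CONFUSABLES).replace("rn", "m")


def classify(value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL, domain or e-mail address against the trusted list."""
    host = hostname_of(value)
    reg = registrable(host)
    if reg in trusted:                     # exact registrable domain, any subdomain
        return "trusted"
    for good in sorted(trusted):
        if skeleton(reg) == skeleton(good):
            return f"lookalike of {good}"
    for good in sorted(trusted):
        # e.g. investmentgroup.com.secure-login.net: the real name is only a subdomain
        if good in host:
            return f"embeds {good} but is registered as {reg}"
    return "no match"


if __name__ == "__main__":
    # Constructed inputs, including the two from the report.
    for sample in (
        "https://www.investment-group.com/login",
        "www.investmentgroup.com",
        "jobs@example-test.com",
        "jobs@exampletest.com",
        "https://investmentgroup.com.secure-login.net",
        "https://investrnentgroup.com",
        "https://example.org",
    ):
        print(f"{sample:48} -> {classify(sample)}")
```

The skeleton comparison is deliberately narrow: it catches the hyphen and a handful of character swaps, so a domain that fails it is not proven safe, and a domain that passes the exact check only proves the name, not that the site behind it is genuine. The FMA and NZBN checks listed above are still needed.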

Red flags

  • The job listing is only on a single board.
    Most recruitment agencies and organisations post their vacancies to several job boards to reach as many people as possible.
  • Communication moves quickly to an instant messenger service.
    It’s becoming more common for job interviews to take place over the phone or via video calls. However, you should be wary if your first interview is on an instant messenger service.
  • The employer contacts you out of the blue or offers an interview or a job straight away.
  • The potential employer wants your personal information or bank account details early in the recruitment process.
    A genuine employer won’t need your bank account details until you have accepted a job.