Cyber crime

NZ sees 66% increase in cyber-related losses

Bristol James
8 Min
Hacker reaches through device

Financial scams have pushed New Zealand’s cybercrime rate by 66% according to CERT NZ, with financial losses totalling about $6 million NZD.

The government agency also says cybercrime reports have increased by 12% this year. Though phishing and credential harvesting remain the most reported incidents, Kiwis are losing scores of money to scams and fraud – especially investment scams and romance scams.

Cybercrime is a growing problem worldwide, with the World Economic Forum listing it as one of the top 10 most severe threats to both governments and businesses. So what does that look like in New Zealand?

Lack of awareness despite growth in incidents

The sharp uptick in cyber incidents might simply be related to larger numbers of Kiwis logging on. CERT NZ has found that online shopping and transactions activity have doubled since 2019, prompting an acceleration of cybersecurity incidents.

The agency also says a lack of awareness is one of the major barriers keeping people from actively bolstering their online security. Its director, Rob Pope, asserts that the key to preventing cybercrime is vigilance.

“There are a number of barriers including awareness of what to do, how to do it and understanding why it’s important to being secure online… Our research shows that some New Zealanders see the cybersecurity steps as complicated and others aren’t aware of the risks.

“While only one in five people [in New Zealand] are concerned about general cyber security, that jumps to four in five when you ask specifically about the security of personal information online,” Pope said.

“While 70% of Kiwis wouldn’t share personal information with strangers online, over half the adult population has their social media accounts set to ‘friends-only’ or ‘private’ meaning anyone can view the information they share.

“We’re not pointing the finger at people in any way, but using the insights from this research is going to help us and the wider online security industry better reach New Zealanders and shift their cyber security behaviours in a positive direction.”

Vulnerabilities exploited

In the first half of this year alone, cybercriminals have targeted NZ businesses and organisations, testing security defences.

In June, NZ payments solutions provider Smartpay Holdings (SPY.NZ) disclosed that it had faced a ransomware attack and confirmed theft of customer information in Australia and New Zealand from its systems, after the company investigated the security breach. Smartpay immediately engaged cybersecurity specialist CyberCX and has been working with the government.

The following month, Russian hacker group ‘NoName057(16)’ claimed a denial-of-service (DDoS) attack on the New Zealand Parliament, Parliamentary Counsel Office (PCO) and Legislation on Telegram, which crashed the websites temporarily. The hacking group claims the NZ Parliament was on its hitlist in retaliation for the government supporting Ukraine.

While DDoS attacks have been taking place since the early days of the internet, a spokesperson for the NZ Government Communications Security Bureau (GCSB), National Cyber Security Centre, has said that mitigating the impact of such attacks in an increasingly digitised world demands a range of defence measures.

Consumers targeted

Scammers have also been taking advantage of Kiwis looking for love online, swindling millions of dollars over the past year according to Detective Senior Sergeant Chris Allan, Auckland City District Financial Crime Unit, due to a steady stream of reports from ‘people who have been scammed by a person they met via a dating website or app.’

“Once trust has been gained, the fraudster then requests financial assistance from the target.

“The method of payment request depends on the proficiency of the victim.”

“If the victim is able to open a cryptocurrency account, then buying and sending cryptocurrency is the preferred method of transmission,” NZ Police warned in a statement.

Based on a repeat pattern of events across all reports, NZ Police have found that the scammers typically move the conversation from dating platforms to WhatsApp after professing deep love and admiration for the victim at an accelerated pace.

“Those who carry out romance scams are experts at what they do and will seem genuine, caring and believable – unfortunately, they are present on most dating platforms,” NZ Police said.

Based on NZ Police reports, scammers have been reusing the same stolen photos on multiple dating profiles, recycling the same story about their fraudulent backgrounds but using different aliases for multiple dating profiles to keep their stories on track.

Example of a fraudulent drivers license
PHOTO: Fraudulent NZ Drivers License | SOURCE: NZ Police, Auckland City District Financial Crime Unit

“We have repeatedly seen the same stolen image used on doctored New Zealand drivers’ licenses.”

“We are advising everyone to be wary of any online approaches where something might seem amiss,” NZ police warns.

“Mum, I dropped my phone”: the latest NZ scams

The latest scam to hit NZ is the “Mum, I dropped my phone” phishing campaign.

Designed to elicit urgency and anxiety, the unsolicited  text message claims to be a recipient’s child or family member asking for help through a new mobile phone number as their phone has been ‘damaged.’ Responding to the phishing text message will enable scammers posing as family members to procure bank account and credit card details that can ‘help with the purchase a new mobile phone.’

Like the “Hi Mum” phishing campaign that targeted millions of Aussies in 2022, simply receiving the phishing text message does not put recipients at risk, but replying to it will increase the risk of being scammed.

CERT NZ has warned Kiwis away from responding to the message, advising that best practice is to contact the family member on their regular number first to verify.

While the approaches and tactics may be superficially different, the scam is similar to many of the phishing and social engineering tactics used against businesses, particularly its use of urgency and the impersonation of a trusted contact. When targeting organisations instead of individual consumers, cybercriminals will often use a business email compromise (BEC) attack.

NZ recalibrates cybersecurity strategy

So what is the government doing amid these growing cyber threats?

To ensure stronger cyber readiness and response, CERT NZ will be integrated into the National Cyber Security Centre’s (NCSC), as the New Zealand government aims to increase the agency’s operational scope in defending against cyberattacks.

According to NZ Minister for the Public Service Andrew Little and Minister for the NZ Digital Economy Ginny Andersen, the integration will be implemented in phases over the next few years.

“The cybersecurity threats New Zealand faces are growing in scale and sophistication.

“We’re committed to staying ahead of the hackers, to protect communities, businesses and our public services.

“A lead operational agency will be established to strengthen cybersecurity readiness and response as well as make it easier for people and organisations to get help,” Minister Little said.

In response to emerging cybersecurity challenges, the integration effectively positions cyber defence operations under the Government Communications Security Bureau (GCSB), NZ’s national security and intelligence agency.

“Creating a dedicated new lead operational agency ensures New Zealand is best positioned to fight back against the hackers we know cause real harm to individuals and to our economy,” Minister Andersen added.

AI: the future of hacking

Artificial intelligence (AI) is one of this year’s favourite tech buzzwords but, beyond the hype, there’s a serious reason that the cybersecurity world is taking notice of how scammers are using AI tools, according to CERT NZ’s Quarter One: Cyber Security Insights 2023.

“AI can be used to write more convincing phishing emails in various languages, to create malicious code, and to even impersonate people in live chats,” Pope said.

While AI-assisted scams have reached New Zealand, CERT NZ have not received reports specifically about AI so far. However, its analysts say that ‘it’s only a matter of time before it takes off.’ Elsewhere in the world, we’ve already seen AI-enabled scams and know that malicious AI tools are already available on the dark web.

Data retention issues make organisations softer targets

Since the Latitude Financial breach that affected customers in Australia and New Zealand, the NZ Office of the Privacy Commissioner (OPC) has identified that ‘data retention’ is emerging as a key issue. Liz MacPherson, the NZ Deputy Privacy Commissioner, has warned that there are consequences for holding onto data you no longer need.

“All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need. Don’t risk being a hostage to people who make it their day job to illegally extract data,” Commissioner MacPherson said.

In an example with widespread ramifications for Kiwis, 2023 saw Latitude Financial becoming the latest victim to a  cyber-attack that compromised the personal information of applicants, current customers and past customers in Australia and New Zealand.

The attack is New Zealand’s largest data breach to date, with Latitude refusing to pay the ransom it received from the criminals behind the attack. Over one million past and present New Zealand drivers’ licences have been exposed as part of the incident as well as people’s passports.

“Some of the 14 million New Zealand and Australia records taken are up to 18 years old, which isn’t okay,” Commissioner MacPherson said. “There is no place for a ‘she’ll be right’ attitude to privacy and cybersecurity.  Cyber attackers are active. People are employed to be cyber attackers.”

Evidence supports Commissioner MacPherson’s claim that cybercriminals are organised and professional. In fact, we know that white-collar professionals are even recruited on the dark web with attractive salaries, paid time off and promises of “tight-knit teams.”

Making Kiwis aware of cyber risks

CERT NZ has found that 73% of New Zealanders hear about cybersecurity incidents, but the large-scale incidents that receive the most media coverage – like ransomware, DDoS attacks and data breaches experienced by businesses and organisations – are significantly different to the lived experience of individuals.

“While only one in five Kiwis are concerned about general cybersecurity, that jumps to four in five when you ask specifically about the security of personal information online,” Pope explained.

With Latitude Financial reporting $76 million in cyber incident costs in August, the knock-on effects for those whose data had been stolen in the attack back in March could have significant impacts for the foreseeable future, as the most common scams experienced by consumers arrive by email, text message and phone. Plus, stolen data can turbocharge scammers’ efforts against finance and accounts payable (AP) teams.

“Some Kiwis see the cybersecurity steps as complicated and others aren’t aware of the risks, according to CERT NZ research,”said Pope.

“We have an opportunity to change behaviours by making cybersecurity human and tangible with a positive message.”

Beyond awareness: stronger defences depend on stronger controls

As CERT NZ has emphasised, awareness and vigilance are some of the best defences against cyber-crime and scam attempts. But, for busy teams in complex organisations, even the most vigilant employee can be caught offguard by a clever scammer.

For finance leaders who want additional layers of defence, a multi-pronged approach is crucial. A combination of employee training, technology and the right financial controls can lower your business’s risk of falling victim to the latest scams and attacks. Getting the right financial controls, however, requires closer scrutiny of your existing processes, even if you’ve already implemented best-practice controls.

Get in-depth guidance on strengthening your anti-fraud controls
Ready to take action and lower your organisation's risk of falling victim to cybercrime? Download our Financial Controls Guide, a comprehensive look at creating, assessing and maintaining robust anti-fraud controls.

Related articles

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.