Latest Cyber Crime Statistics in New Zealand 2023

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

As the threat of cybercrime continues to escalate in Aotearoa, or New Zealand, greater awareness and preventative measures are crucial. According to the latest Cyber Security Insights 2022, CertNZ recorded an average of 2,166 reported cyber security incidents per quarter, averaging a loss of NZ$4.5 million per quarter.

This is alarming for both individuals and businesses. With a marked increase in cyber-crime reports, the problem appears to be getting worse.

As an executive, you understand the potential for cyber attacks to hurt your business, whether financial losses, reputational damage or data theft. To mitigate those risks, you’ll need a robust cyber-crime strategy, including training to educate your employees on best practices.

In our cyber crime statistics below, we delve into the current state of cyber crime in New Zealand, along with cyber-criminals’ most common tactics. By staying informed on the latest trends and statistics, you can equip your business with the necessary tools to protect against potential cyber threats.

Author’s Top Picks

  • CERT NZ’s latest annual summary shows that financial losses jumped up 19% to $20 million in Q3 of 2022.
  • Phishing and credential harvesting are the biggest loss in the cyber incident category with 924 reports out of 2069 total reports in Q3 2022.
  • IDCARE has seen a 40% increase in people seeking assistance for identity theft in the first five months of 2022.
  • Auckland remains the most targeted region for cyber-attacks, with 403 reported incidents in Q4 2022.
  • The financial and insurance services sector reported that over 80% of their cybersecurity incidents are related to phishing and credential harvesting.

Cybercrime Statistics

1. CERT NZ’s latest annual summary shows that financial losses jumped up 19% to $20 million in Q3 of 2022.

The cybersecurity government body CERT NZ reported 8,160 cybersecurity incidents in 2022. This included individuals, small-to-medium enterprises (SMEs) and large organisations from all over New Zealand. While financial losses have grown exponentially over time from 2017, the number of reported incidents has slowly decreased since 2021.


2. Phishing and credential harvesting are the biggest loss in the cyber incident category with 924 reports out of 2069 total reports in Q3 2022.

Phishing and credential harvesting have become the biggest loss for cybersecurity incidents in New Zealand due to several factors. One of the reasons is the increasing reliance on technology for business operations since the COVID-19 pandemic. This has led to a larger attack surface for cybercriminals to exploit, often using phishing techniques to gain unauthorised access to sensitive information.

3. In 2022, 22% of incidents were reported to CERT NZ, which saw a total financial loss of $20 million.

Scams and fraud accounted for almost $17.1 million (86%) of the overall direct financial loss in 2022. This is further broken down where $5.9 million went to scams involving unauthorised money transfers, $3.3 million went to dating or romance-related scams and $3.1 million went to scams involving a new job or business opportunity offer.

4. In Aotearoa, there has been a 150% increase in ransomware in the second quarter of 2021 compared to the previous quarter.

According to cyber-crime reports, ransomware is becoming more common around the world, impacting New Zealand, Australia and the United States all at the same time. Some of the most well-known ransomware strains include Bad Rabbit, CryptoLocker, Jigsaw and Ryuk. Generally, a ransomware attack occurs when the cyber-criminal encrypts a targeted individual’s computer and demands a ransom to be paid to recover their files.

5. As of 30 June 2022, the National Cyber Security Centre (NCSC) recorded 350 cybersecurity incidents affecting nationally significant organisations, a decrease compared to the previous year (404 incidents).

Lisa Fong, NCSC Deputy Director-General says, “It is likely that the Russian invasion of Ukraine has meant both criminal actors from the region, and other significant global threat actors are more focused elsewhere than on activities that have previously impacted New Zealand.”

6. Organisations that were hit the hardest were the financial and insurance services leading by 43 reports out of 134 total cybercrime reports. Followed by professional, scientific and technical 13 reports.

It’s no surprise to see that the financial and insurance services industry is the most targeted by cyber-criminals. These industries deal with large amounts of sensitive and valuable information such as credit card details, email addresses, names, and other financial records. Cyber-criminals find this type of information highly lucrative and profitable for identity theft and other illegal activities that can be used for financial gain.


7. The most significant common vulnerabilities and exposure (CVEs) disclosed in 2021/2022 was the Apache Log4j vulnerability.

Apache Log4j is a popular open-source logging framework used by developers to generate log files in Java-based applications. According to the Cyber Threat Report 2021/2022, NCSC discovered a vulnerability issue in Log4j which left global networks vulnerable to malicious cyber actors remotely accessing systems, stealing confidential information and more.

8. IDCARE has seen a 40% increase in people seeking assistance for identity theft in the first five months of 2022.

IDCARE is a not-for-profit organisation that looks after Aussies and Kiwis, providing free and confidential support to individuals who have experienced identity theft or cyber-related crimes. If you fall victim, IDCARE can assist you with personalised support and advice on recovering your identity and developing an identity recovery plan, as well as offer advice on any associated risks.

9. According to Dual Cyber, more than 50% of NZ small-to-medium enterprises (SMEs) experience cybersecurity attacks at least once a year.

One of the reasons why SMEs fall victim to cyber-crime is the lack of resources. SMEs often have limited resources for cybersecurity measures and may not have the budget to invest in robust security software or hire dedicated security personnel. However, there are other ways of mitigating risk, like implementing multi factor authentication (MFA) methods of encrypting sensitive information.

10. According to the NZ Law Society, fewer than 10% of businesses in New Zealand have cyber insurance.

New Zealand is a growing target for cyber-criminals. With more Kiwi businesses falling victim to phishing, credential harvesting, scams and unauthorised access attempts, cyber insurance premiums are increasing. Senior Broker Anna Parker from Frank Risk Management comments that businesses need to be careful about their insurance covers, as each insurer may or may not cover the full amount of cyber attacks.

11. Auckland remains the most targeted region for cyber-attacks, with 403 reported incidents in Q4 2022.

Auckland is the largest city in New Zealand and has a high concentration of businesses, government agencies and other organisations. This may be one of the reasons why it’s an attractive target for cybercriminals who seek to steal or reveal sensitive data. CERT NZ also states that Auckland has had the highest financial loss to online scams and fraud from June 2019-2020 with a total loss of $5.4 million.

Business Email Compromise Statistics

12. Out of 1,757 incident reports received by CERT NZ, unauthorised access ranks number three in the breakdown by incident category with 178 recorded reports.

While business email compromise (BEC) scams and unauthorised access are different types of cyber threats, they can both be used in a cyber attack. For example, a cybercriminal may use unauthorised access to gain access to an email account of an employee or executive, which they can then use to launch a BEC attack. They could send an internal email impersonating the CEO to deceive employees into committing fraudulent activities.

13. In 2020, the Financial Markets Authority (FMA) issued 61 warnings about investment scams of which 35% were imposter scams using legitimate businesses to deceive investors.

Imposter scams or impersonation scams are a type of BEC attack. Imposter scams involve a cyber-criminal impersonating a trusted individual or organisation, such as a senior executive or supplier. This allows criminals to trick targeted individuals into transferring money or providing credentials to gain access to accounts to reveal information.

14. There has been an 81% increase in business email compromise (BEC) attacks between the first and second half of 2022.

According to abnormal security, the average cost of a BEC attack in 2021 was around $120,000, while 35% of cyber-crime losses stem from BEC. Crane Hassold, director of threat intelligence at Abornal Security noted that “any time an employee has to assess whether an email is malicious, [it’s] an opportunity for them to make a mistake”.

15. The most commonly used communication methods by scammers to deceive businesses were email (41%), followed by social media (26%) and over the phone (24%).

Email is the most used communication method due to several reasons. One of them is anonymity. Email allows criminals to remain anonymous or use fake identities, making it easier for them to avoid detection and impersonate trusted brands or individuals. If you are looking to secure your email security, check out our email security best practices.

16. Only 2.1% of all known BEC attacks are reported to their employers, with a massive 98% left unreported in 2022.

It’s important to increase awareness of BEC attacks in the workplace. Many employees may not be aware of what a BEC attack is or how to recognise one. It’s important to promote a cybersecurity culture that recognises the risks of such attacks and empowers employees to put their hands up when something doesn’t seem right.

17. 101% more BEC scams have hit New Zealand businesses between July and September of 2020.

Businesses that are looking to mitigate the risk of a BEC attack can do so on the CERT NZ website. CERT NZ provides solutions around keeping software up to date, deploying complex passwords and adopting antivirus software to combat the threat of BEC attacks.

Business Identity Theft Statistics

18. In 2020, a report found one in five New Zealand adults surveyed said they experienced identity theft, which is 16% of over 193,000 Kiwis.

Identity theft is a type of cyber-crime where malicious actors steal an individual’s personal information such as their name, address and financial information to commit fraud or illegal activities. The consequence of identity theft can be severe to organisations, including financial loss, reputational damage and loss of customer trust.

19. According to the Department of Internal Affairs, as many as 133,000 Kiwis are victims of identity theft annually. That represents a $209 million loss on the economy.

Cyber-crime statistics show that the most commonly compromised information in New Zealand is identity documents. Passports are on top of the list, with 21.2% of NZ cases handled by IDCARE involving stolen passport numbers. This is followed by the driver’s licence category at 19.7%. Individuals and businesses are not doing enough to mitigate the risk of identity theft, we cover the 7 steps that you can take to act now.

20. David Lacey, the director of IDCAR, said that 22% of identity scams are carried out by phone.

Cyber-criminals are using phone calls to carry out identity theft scams by impersonating trusted companies like your bank or email software provider. In some cases, they may get you to reveal your information by pressuring victims. They may claim that there is an urgent issue with the victim’s account or that they need to verify your account to prevent fraud.

21. 81% of New Zealanders surveyed admit they are unsure of how to check if their identity has ever been stolen.

For individuals, you can monitor your credit reports and bank and credit card statements for suspicious activity. You can contact IDCARE for more assistance if you suspect your identity has been stolen. For organisations, you should consult your IT teams for any signs of unauthorised access or unusual activity.

22. Only 23% of respondents believe identity fraud to be a problem for their business, yet 61% thought it was a major issue in general.

Not all New Zealand businesses are doing enough to mitigate their risk of cyber-crime. But it’s the responsibility of every business to adopt best practices for protecting their data and systems, especially since vulnerabilities in one organisation can impact every other organisation in a supply chain or network.

Phishing Statistics

23. Phishing and credential harvesting continue to be the largest category of incidents affecting organisations reported by CERT NZ, accounting for 86 incidents (49%) during Q4 2022.

Phishing attacks typically involve sending fraudulent emails or messages that appear to be from a legitimate source but contain links to fake websites or attachments that contain malicious software (malware). Phishing is a type of social engineering tactic commonly used by cybercriminals. Other than phishing, individuals and businesses may also fall victim to baiting, scareware or pretexting.


One way cyber-criminals use phishing is by creating look-a-like email addresses that appear to be from a colleague or supplier. This could contain links to a fake invoice or requests to provide information. Fake emails are low-cost and effective for criminals.

25. The NCSC reported that phishing (4%) was one of the most recorded MITRE ATT&CK tactics and techniques observed in 2021/2022.

MITRE adversarial tactics, techniques and common knowledge (ATT&CK) framework is a curated knowledge base and model for cyber adversary behaviour. By mapping recorded incidents to MITRE ATT&CK, the NCSC gained insight that the most commonly recorded known method of gaining access to a network was by exploiting a public-facing application.

It can be relatively easy for criminals to deceive your employees into clicking on a phishing link, especially if the email or message appears to be a trusted source. To mitigate this risk, you must verify the authenticity of the sender before entering any information or clicking on any links/attachments.

Ransomware Statistics

27. As of Q4 2022, ransomware statistics spiked which resulted in a total of 36 reported incidents. Compared to Q3 2022 6 reported incidents.

Ransomware is a destructive attack for organisations, particularly because it locks down the victim’s computer systems, making them inaccessible until a ransom is paid to the attacker. This can cause major disruption in business operations, loss of revenue, decreased productivity and more.

28. Two-thirds of 55% of New Zealand businesses said they were able to resolve a ransomware attack before significant damage was done.

When it comes to ransomware attacks, the reality is that it’s difficult to accurately determine the number of businesses that have been targeted and the full extent of the damages caused. This underscores the considerable difficulties faced by businesses, cybersecurity experts and government officials in grappling with the consequences of cyber-crime in the country.

29. Rental, hiring and real estate services were impacted by ransomware attacks (50%) the most compared to other industries. This was followed by wholesale trade and the professional services sector.

CERT NZ reports that at least 65% of cybersecurity incidents could have been prevented by two-factor authentication (2FA). You can incorporate 2FA by creating a strong and unique password that involves special characters, letters and words, as well as another method of authentication such as text message or email.

30. The most commonly recorded known method of gaining initial access to a network was by compromising infrastructure via a botnet (11%).

Botnets are often created by infecting large numbers of computers with malware, which allows the attacker to control the targeted computers remotely and use them for various activities. This might include sending spam or launching a denial-of-service (DDoS) attack. The botnet is used to distribute malware to carry out a ransomware attack.

31. According to ransomware statistics, 110 incidents of ransomware accounted for 27% of all cybercrime incidents, a 14% increase year on year.

According to the NCSC, their ability to detect and prevent cyber-attacks has resulted in avoiding or minimising damages worth NZ$119 million for critical organisations in NZ over the past year. They attribute much of their success to the Malware Free Networks service, which involves sharing threat intelligence with partners including internet service providers.

Learn how to drive a cyber-crime strategy in the 2023 Cybersecurity Guide for CFOs.
A cyber-crime strategy helps lower the risk of cyber-incidents happening in the first place.

Eftsure’s guide helps CFOs understand the latest threats and how to create a strategy that fights a new generation of cyber-criminals and scammers.


Cybercrime is any criminal activity that involves using computers, mobile devices or other electronic devices for purposes such as fraud and theft. Cybercriminals use digital devices to attain access to a user’s personal information.

Cybercrime is a serious issue that individuals and businesses are still struggling to combat. There are many different types of cyber crimes and they all continue evolving, such as business email compromise, business identity theft, ransomware, malware, phishing, social engineering, phone scams & more.

According to the CERT NZ 2022 report summary, New Zealand individuals, small and large organisations have reported a combined financial loss of $20 million from cybercrime.

CFOs have a fiduciary duty to safeguard their organisation’s finances. With cyber-crime representing an increasingly significant risk to those finances, it’s important to implement digital controls. Not only are finances affected but also increase insurance premiums, impact credit rating & valuation, cost of business disruption, reputational costs and impact cash flow.

A sub-committee of the board should be established with all relevant executives to ensure comprehensive staff training programs, appropriate policies and internal controls, and technologies are adopted organisation-wide to help prevent losses from cyber-crime.

In most cases, cyber criminals’ objective is to attain financial gain from either individuals or businesses. This is achieved either by gaining access to types of data such as financial information (credit cards, invoices, bank details) company information (emails, usernames, passwords) and more.

Subscribe to our blog

Subscribe to the eftsure blog to receive updates when we post.

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.