New Zealand cyber crime trends and online safety in 2023

May 10th, 2023

Hervé Le Goff, a senior analyst in CERT NZ’s Threat and Incident Response team, was kind enough to offer his time this month to chat about the key cyber crime trends CERT NZ is seeing this year, and how Kiwis can keep themselves safe online. Thanks Hervé for your valuable insights.

What are the key trends you’re seeing in cybercrime this year – in NZ and globally?

Phishing and credential harvesting is always the biggest threat to New Zealanders and in 2022 there was a 16% increase to 4,315 reports. While most people disregard phishing emails as an annoyance, they can lead to further incidents, such as unauthorised access or fraud.

In 2022 New Zealanders lost $17.1 million to scams and fraud which was 86% of the financial loss reported to CERT NZ. There was a large push of scams involving unauthorised money transfer and this alone resulted in $5.9m is losses.

These sorts of scams involve the target clicking a link that looks like a legitimate site, often a delivery company or a government site (NZTA is a common one). The message will say they need to pay a small fee of some kind. The real scam is not that initial payment, but that the target has unwittingly signed up to a subscription that takes a sum out of their account regularly.

Malware reports had been on the rise following the Flubot text scam in 2020/21 but in 2022 it

dropped right off (an 88% decrease).

So far in 2023 we’re seeing more investment scams cropping up. These include scams about new job offers and even some that are using online search results to send people to fake investment sites.

How can Kiwis keep themselves safe online?

You need to always remain vigilant online. The new crop of scams is very clever in how they are

presented, and the scammers will often use a variety of techniques to fool you. For example, the investment scams I mentioned use search results, phone calls, fake documentation, and in some cases, even a fake website to log into showing your “balance” and pushing you to send more money.

Taking your time to make sure the messages you’ve received are legitimate will pay off. And when it comes to investments, you can check with the Financial Markets Authority (FMA) to see if the company is real or not.

For general online protection, CERT NZ recommends following four steps. Following all four will keep you safe online, but even just doing one is a good start.

  1. Use a unique, long, strong password for each of your online accounts
  2. Turn on two-factor authentication (2FA) where possible
  3. Keep all your devices, apps and software up to date, and
  4. Keep your personal information private.

To make it easier, you can use a password manager, that way you don’t have to remember all those passwords.

And if you get any suspicious emails, online messages or visit a website that may not be legitimate, report them to CERT NZ.

How can Kiwis support their friends and family to keep themselves safe online?

Anyone can be affected by cyber crime, even those who are technically savvy. We are aware that some people are reluctant to report incidents because they feel embarrassed and vulnerable. But by talking to friends or family, and sharing those four steps, you can help make everyone safer.

What are Government agencies doing to help protect New Zealand generally from increased direct threats?

CERT NZ works alongside other government agencies to keep New Zealanders safe from cyber crime. We offer free advice and confidential reporting.

Our website contains tips and advice for individuals. We also have a list of eleven Critical Controls for businesses to implement. These controls give businesses a steer on where to best allocate their assets.

For IT specialists, CERT NZ releases advisories for incoming threats, which contain advice on how best to mitigate them.

Concerned about insurance fraud?

Insurance fraud is not a victimless crime; it’s a crime that all policyholders pay for. You can report insurance fraud by visiting the IFB website. Reports can be made anonymously.