Kiwis hooked into $2.9m of cyber scams in Q1 alone
Pensioners were swindled out of $1 million by cyber scams in the first three months of the year, and online scams cost Kiwis almost $3 million in total. Phishing attacks - where an email or text is used to try to trick a user into handing over information, credentials or cash - was the most favoured con, the government's Computer Emergency Response Team (Cert NZ) says.
The one-stop shop responsible for tracking, monitoring and advising on cybersecurity incidents received 506 reports in the March quarter. It responded to 318 directly, referred another 182 to NZ Police, sent five to Netsafe and one to the Department of Internal Affairs. The largest category (196 incidents) were phishing scams. Another 168 involved other scams or frauds designed to convince a user to give up money.
Those attacks caused $2.9 million of direct financial losses, three-quarters of which were against individuals and the rest against organisations.
Older New Zealanders were the biggest dupes, with 44 incidents reported by people over 65, accounting for $1 million of direct financial losses. A smaller group of people between 55 and 64 reported $724,000 of losses.
"It seems at this point in time, the baddies are getting quite a good return on their efforts."
"New data analysis this quarter shows that this has been particularly harmful for victims in the over-55s age group, who have reported losing more money than any other age group," Cert NZ director Rob Pope said in a statement. "In quarter one there has been a real focus on taking down phishing websites where we can, including working alongside key partners such as banks and financial institutions whose brands are so often misrepresented in these campaigns."
The government committed an extra $970,000 a year of new operating funding over the next four years for Cert NZ, lifting its annual budget to $5.9 million for the June 2019 year.
Pope says the increased reporting is a good sign that the agency is building a profile and attracting public acceptance as the clearinghouse for cyber-security issues. Cert receives the complaints and either handles them directly or refers them to the appropriate agency.
The latest report is Cert's fourth, and while Pope said it's too early to draw granular conclusions from the data, it has been able to identify firm trends such as the prevalence of older targets.
"That prevalence of phishing still seems to the major malaise that's impacting New Zealanders," Pope said. "It seems at this point in time, the baddies are getting quite a good return on their efforts."
Over the past year, Cert has received 1,637 reported incidents, referring 474 to the police and two to the National Cyber Security Centre.
The March quarter report shows financial and insurance firms were the most targeted sector, with 92 reports accounting for 44 percent of organisation incidents, most of which were phishing attempts.
Cert wants to be more proactive in helping New Zealanders prevent cyber incidents, and has several programmes operating in the public and private sectors. However, "demystifying technology language" and humanising the issue is key to make people more comfortable in digital spaces and reporting issues to the authorities, Pope said.
"Our main focus is prevention so we're very very alert of the need to be more proactive," he said.
The agency was formed from the previous administration's cyber-security strategy, and Pope said it will play a role in a policy refresh, which he describes as a "stocktake". Communications Minister Clare Curran says strong cyber-security is essential to the government's goal of building a "connected nation, promoting and protecting digital rights, and harnessing digital technology for economic growth, community benefit and innovation".
Pope said establishing public buy-in is "exceptionally important" so it can map the "cyber-threat landscape". This can get confusing, with a number of different agencies involved. Last year, an assessment by the National Cyber Security Centre identified 396 cyber threats in the year ended June 30, which could have caused $640 million of harm to nationally significant organisations. The NCSC is a unit of the Government Communications Security Bureau.