sign up log in
Want to go ad-free? Find out how, here.

Kiwis kiss goodbye to $6.6 million in cyber scams and incidents, a record quarterly high - CERT NZ emphasises the importance of online vigilance

Business / news
Kiwis kiss goodbye to $6.6 million in cyber scams and incidents, a record quarterly high - CERT NZ emphasises the importance of online vigilance
Cyber security
Image: perspec_photo88. Licence: CC BY-SA 2.0.

In a busy fourth quarter of 2021 for cyber trolls, New Zealanders reported 3,977 cyber incidents, a 92% increase on the third quarter, according to CERT NZ.

Direct financial loss arose from 425 of these cases, totalling a whopping $6.6 million across all incident types. That's double the loss in the third quarter, and the highest quarterly loss since CERT NZ started capturing this data in 2017.

The majority ($5.9 million) went down the gurgler in the 'scams and fraud' category, the specific troll tricks and the amount Kiwis lost to them were:

  • $2.3m lost to scams relating to buying, selling and donating goods online
  • $1.8m lost to investment scams
  • $1.1m lost to scams about a new job or business opportunity
  • The remaining $0.7m was lost to other scams, not in those categories

The majority (76%) of the 3,977 incidents were reported directly to CERT NZ, but some came through other channels such as the Department of Internal Affairs, Police and the Commerce Commission.

"The increase in reports demonstrates that New Zealanders are becoming more aware and better skilled at recognising cyber security incidents.

“This also gives us a greater understanding of the extent and type of incidents that are occurring. We’re encouraged that both individuals and businesses are more willing to report, and we hope the messages about being cyber smart continue to spread," said Rob Pope, director of CERT NZ.

CERT (Computer Emergency Response Team) is a New Zealand Government organisation profiling cyber threats, while supporting and advising affected businesses and individuals. 

It is also the central reporting point for online Covid-19 scams, misinformation and other mischief, providing details to the Ministry of Health and the Department of Prime Minister and Cabinet.

Besides financial loss, during the quarter CERT responded to incidents where other types of loss had occurred including reputational loss, data loss, technical damage (websites, email servers etc.) and operational impacts including time lost responding to issues.

Meanwhile, CERT NZ was still mopping up the fallout from the FluBot scam text campaign, which made up two thirds of the 1,707 malware incidents reported during the quarter.

Malware related incidents were up a staggering 1,030% compared to the third quarter total of 151, and the flu bot scam accounted for the increase as it was at its peak during the fourth quarter.

Well known for sending fake courier delivery messages, FluBot was an evolving beast that initially sent malware links which, when downloaded, blitzed the user's contacts with similar messages.

It later diversified into phishing with a link prompting users to enter their personal details and credit card information to have the 'parcel' released for a small fee of less than $5.

"If the recipient pays the fee, they are unknowingly signed up to a subscription that will charge them a higher amount (approximately $85) usually within three days," said CERT NZ.

Reports attributed to organisations, rather than individuals, made up just 5% of the total reports and were down from 15% from the previous quarter, with phishing and credential harvesting the most troublesome issues for business.

Phishing is when hackers trick someone into disclosing personal information, for example credit card details, on a site which may look legitimate. Credential harvesting is the unauthorised collection and use of usernames and passwords. 

Another threat that remaining on CERT NZ's radar was the Log4j vulnerability, a security hole in an java-based software component used by many business, particularly in website management software. It was first made public in December.

An update to rectify the issue was provided but organisations remained vulnerable to data theft, unauthorised remote control or ransomware if they had delayed installing it.

"With so many software applications and services using Log4j, many companies still may not know it’s bundled together into the software they use," said CERT NZ.

CERT NZ, which released advice and guidance on Log4j,  stated that no harm has yet been reported but recommended businesses contact software vendors to find out if they use Log4j and implement the fixes they provide, which would likely include updating to the latest version.

In a final piece of advice, Pope reminded the denizens of cyberspace to use strong passwords and not to trust any sites that seem too good to be true.

“Vigilance is the key word. We need New Zealanders to be aware that scammers are out there and to be careful with their personal information, especially around financial data.”

$6.6 million direct financial loss was reported in Q4 2021. Source: CERT NZ

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.


A target of scammers.

Lonely, depressed or confused. Those with cognitive disabilities. 


Time to kick cryptocurrencies to the kerb, all they do is cause misery.

They allow the criminal underworld to have an easy and undetectable way to pay for crimes.

Make it incredibly easy for people to be extorted out of money through cyber crime.

Create massive amounts of completely unnecessary carbon emissions, in a world that is heating up way to fast anyway.


Lol, if you haven't been able to see the use cases of Bitcoin clearly presented by Canada, Ukraine and Russia in the last few months then all I can say is HFSP.

They allow the criminal underworld to have an easy and undetectable way to pay for crimes.

You know that the blockchain is literally a public ledger of every single transaction that happens right? 



It's virtually untraceable, unless it was a very big crime the amount of effort to trace it, wouldn't justify the effort being put in to trace it, and even if you do trace it back to a wallet, the money would likely have been moved out of the wallet by then anyway.

Also unlike opening up a bank account, you don’t have to provide any identifying information to start a bitcoin account. Bitcoin is effectively anonymous, and law enforcement can’t freeze your bitcoin account like they could your bank account.

Hence it's the way all the ransomware etc ask to be paid, they wouldn't be using it, if it wasn't working for them. 


You nailed it, now apply that to the billion of people world wide that don't have access to banking facilities, or unjustly get their accounts censored because they disagree with the current political party that is in power. 

All of your arguments are exactly arguments for it as well, it is a neutral tool just like a knife or a car, and the benefits faaaar out weigh the costs. 

Obviously we have a differing opinion on this so happy to leave it as an agree to disagree.  


Yeah fair enough, I'm sure there are some positives about it as well, they really need to sort out the carbon emissions issue with it though, sounds like some are working on it a bit.

A little bit like the dark web, there are some positives to it for people in oppressed countries for example, but a heck of a lot of obvious negatives as well.


Disagree. Banks (Swiss etc) and bags of cash have allowed criminals to transact for generations. Crypro is just a new new medium, and one not controlled by the likes of Blackrock etc. Crypto is more a vote of no confidence in the existing banking system, its security, impartiality, and confidentiality.

Some more noise recently about banking laws being changed to allow a bank "bail in". Post GFC a number of countries changed the law to allows banks to convert depositors funds into shares to recapitalise in an emergency. Already in Australia, UK, Canada, EU and good old NZ. If banks have insufficient equity, or cannot recover their loans successfully, then surely its is the banks shareholders responsibility to recapitalise, or to fail. Passing the buck to the depositors borders on a criminal act. Why Crypto indeed.

Have global banks leveraged well beyond their means...?