CERT NZ says New Zealanders lost more money to cyber scams in the September quarter than in any quarter since the Government cyber security agency started tracking this data in 2017.
There were 2,069 incidents reported to CERT between July and September, with $8.9 million in direct financial losses reported. That total's well ahead of the $6.6 million losses reported for the fourth quarter of 2021, the previous high, which stemmed from 3,977 incidents. Losses reported to CERT across the eight quarters before the September quarter totalled $36.1 million.
CERT says 314 people lost between $100 and $1000, with 12 people losing more than $10,000 in the September quarter. Some $7.5 million was lost to scams and fraud, with $4.8 million of this lost through unauthorised money transfers.
CERT says a key reason for the losses is an increase in unauthorised money transfers, unauthorised access and scams involving buying, selling and donating goods.
"The most common scam is related to buying, selling, or donating goods. Reports in this category are up 50% from the previous quarter. While the average loss isn’t high, it’s a constant threat and one that isn’t easy to combat beyond realising that sometimes a deal is too good to be true," CERT says.
CERT received 375 reports about buying, selling and donating goods online in the September quarter. The majority of reports were about purchases where either the goods didn’t show up or an inferior product was delivered.
For the September quarter, individuals reported more than $570,000 in direct financial loss through unauthorised access. CERT says losses extend to anyone digitally connected to the compromised account, because the access exposes the account holder to risk and also their contacts, including friends and whānau.
"Many of the incidents reported were social media accounts being compromised and the real account holder being locked out. The attacker then pretended to be the account holder, trying to trick friends or family of the account holder into giving them money with either an urgent request or a fake investment opportunity," CERT says.
Meanwhile, CERT says it's getting more and more common to see websites that imitate well-known brands by making a slight change to the URL in order to trick people. Other areas with notable losses include scams for cryptocurrency and non-fungible token (NFT) investments, being asked to pay upfront for something, and romance scams. While only seven reports of crypto scams were made, they averaged more than $65,000 each.
CERT also highlights upfront payment scams where scammers target social media sites. For example, someone might be contacted with the offer of rental accommodation. To secure it, they must pay up front. CERT describes this as a scam that preys on an individual’s needs, with scammers often finding their targets by reading public posts.
“While it’s easy to be overwhelmed by the large total loss figures, our data shows that most people are losing between $100 and $500, which is a real sting in the pocket for most of us. We want New Zealanders to take notice of these numbers and use that as motivation to do some quick, simple actions that will stop them, and their whānau, from being the next targets,” CERT NZ Director Rob Pope says.
“As we come into the holiday season, New Zealanders will be looking online for bargains and scammers know it. We’re asking everyone to be cautious when they’re shopping online or perusing online marketplaces and be suspicious of anything that seems too good to be true.”
“People should also turn on two-factor authentication, as this is still the best way to stop baddies accessing your accounts. This includes social media accounts as well as banks,” Pope adds.
CERT emphasizes that the impact of scams isn’t just financial. They also cause stress, confusion, embarrassment and, potentially, reputational damage for businesses. Whilst financial loss is the simplest loss type to quantify, reports to CERT often also include other types of losses impacting businesses such as operational, reputational and data loss.
In the September quarter, 21 businesses reported unauthorised access with a direct financial loss of almost $170,000. For businesses, one of the most common types of unauthorised access is business email compromise, where an attacker gains access to an employee’s email account without their permission to carry out malicious actions such as invoice scams, intercepting communications, changing details such as banking details on an invoice, and distributing phishing emails or malware.
"Just like a social media account, this can affect any contacts linked to the email account including clients, customers and suppliers," says CERT.