Kiwis lose $17m to cyber security incidents in 2020, phishing most-reported attack

New Zealanders have reported losing almost $17 million due to cyber security incidents in the past year.

In 2020, CERT NZ, the cyber security government agency, received 7809 reports of cyber security incidents affecting New Zealanders, an increase from the 4740 reports made in 2019.

Its latest report released on Wednesday shows a 65 percent increase in reports of cyber security incidents over the past year, with $16.9 million in direct financial losses.

Phishing and credential harvesting, where an attacker collects personal data to perform a variety of online crimes such as fraud, was the most reported form of attack during 2020. These types of incidents were up 76 percent compared to 2019 and accounted for 41 percent of all reports made.

Rob Pope, director of CERT NZ, says more Kiwis spent time online last year due to COVID-19, which gave cyber attackers more opportunities to target people.

"Unfortunately, these figures are not surprising. Cyber attackers are opportunistic and use anything topical as a hook to try and trick people into sharing personal or financial details," he says.

The amount of money Kiwis are losing to cyber security incidents is also on the rise. In 2020, cyber security incidents left New Zealanders $16.9 million out of pocket, the highest annual figure recorded by CERT NZ since it launched in 2017. In total, $53 million of direct financial loss has been reported to CERT NZ since reporting began.

The top three incident types reported to CERT NZ in 2020 were:

  • 3410 phishing and credential harvesting reports, up 76 percent on 2019
  • 1920 scams and fraud reports, up 11 percent on 2019
  • 1560 malware reports, up 2008 percent on 2019.

"Most cyber attacks are financially motivated. However, our figures do not paint the full picture of the types of loss Kiwis have experienced," Pope says.

CERT NZ figures show 14 percent of cyber security incidents reported in 2020 were associated with some type of loss, including financial, operational, reputational, or data.

"From a financial perspective, the impacts of a cyber attack can snowball. A business may lose revenue because its website has gone down, meaning it's unable to trade online. This greatly impacts individuals' livelihoods and therefore has a knock-on effect on the economy," Pope says.

"Businesses also incur additional costs recovering from a cyber incident, like hiring IT professionals to mitigate any further security issues, which can take months or even years to fully restore. This can result in loss of customer trust."

For individuals, Pope says there can be "serious ramifications" if their personal data has been stolen and used fraudulently. Along with having to get new personal identification documents, they could experience a detrimental effect on their credit rating which could make it difficult to secure a mortgage or financial loan.

"While the effects of a cyber security incident can be devastating, it may have been possible to avoid these significant losses by taking some simple steps," he says.

"This includes taking measures like good password practice, implementing two-factor authentication as an extra layer of security on logins, making sure software on devices are up-to-date, regularly backing up data, and thinking about how and where you share personal information."

If you or your organisation experiences a cyber security incident, you can contact CERT NZ online or call 0800 CERT NZ.