CERT NZ report: New Zealanders lost $4 million to cybersecurity incidents in April - June, 2021

Dating scams and compromised business emails led to massive losses.
Dating scams and compromised business emails led to massive losses. Photo credit: Getty Images

People in New Zealand lost nearly $4 million through around 1350 cybersecurity incidents from April to June, a new report from CERT NZ has reported.

The Government's cybersecurity agency released its Q2 overview on Thursday showing a 30 percent increase in direct financial losses from the previous quarter.

Of the 245 incidents that ended up costing someone money, half were below $500 in value - but 13 were worth over $100,000, more than double the figure from Q1 (January - March).

The majority of those high-value losses were related to scams when buying or selling goods and services online, but three were related to dating scams and two to business emails being compromised.

One ransomware attack and another incident related to a cryptocurrency scam ended up costing more than $100,000 each.

That brings the total losses suffered by Kiwis in online incidents since 2017 to $59.9 million, but it's not all bad news.

"This quarter we continue to see New Zealanders impacted by cyber security incidents, and attacks increase in sophistication and complexity. However, this doesn't mean we're fighting a losing battle," said CERT NZ director Rob Pope. 

"There's also an upside of steady report numbers, and that's the positive shift we're beginning to see in New Zealanders' attitudes and collective responsibility towards experiencing a cybersecurity incident."

The report also showed general ransomware incidents had increased significantly, from 12 in Q1 to 30 reports in Q2.

Ransomware generally involves a piece of software that infects a computer system, encrypting all the data, with attackers demanding money to decrypt or unlock it.

High-profile ransomware attacks this year include the Waikato District Health Board being attacked in May, and the Colonial Pipeline shutdown in the US.

"These types of attacks can result in data loss and significantly impacted operations as the affected organisation often has to go offline to recover systems and files," said Pope.

And while paying the demands to get access to the system returned may seem like a good idea, CERT NZ strongly recommends not paying the ransom.

"Paying the ransom does not guarantee that your files will be recovered and if an attacker sees you are willing to pay, it may also open you up to future attacks."

Phishing and credential harvesting remains the single biggest type of cybersecurity incident reported, with 618 total reports in the quarter - but there was a five percent decrease from Q1.

Cryptocurrency scams increased 50 percent over the same period, with a total cost to Kiwis of around $500,000.

Overall, Pope felt Aotearoa was moving away from 'the shame' of being affected by such incidents and becoming more willing to report them and ask for help. 

"The more we all do this, the more awareness and knowledge we're building, and the more we're helping each other to keep secure online," he said.