Kiwis lost more than $6.5 million to online scams in final quarter of 2021 - CERT NZ report

Kiwis lost more than $6.5 million to online scams in final quarter of 2021 - CERT NZ report

The Government's online security organisation has reported Kiwis lost more than $6.5 million in direct financial losses through online scams in the final quarter of 2021.

Director Rob Pope said the overall numbers were some of the highest seen in the four years CERT NZ had been operating, but it wasn't all bad news.

"The increase in reports demonstrates that New Zealanders are becoming more aware and better skilled at recognising cyber security incidents," he said.

"It also shows that New Zealanders know where to turn for guidance when they need to get back up and running - which is a good thing and something we want to see more of."

One of the big downsides, however, was the 103 percent increase in direct financial losses in the quarter up to $6.64 million from just $3.28 million in Q3 of 2021.

That came from a total of 414 incidents, CERT NZ said.

The majority of financial losses, 65 percent, were below $500; but 10 cost over $100,000 each, up from seven in the previous quarter.

Of those 10 incidents, four related to a new job or business opportunity scam, three related to a buying, selling or donating goods online and one was related to cryptocurrency investments.

While not all those who reported incidents provided their age, the data clearly showed those aged over 55 lost the most money.

In Q3 2021 the amount lost for the two age bands above 55 was just $493,000. That increased to $4.5 million in Q4.

Direct financial losses also doesn't cover the impact of data and operational losses on businesses, Pope said.

"While we work with partner organisations to recover some of these funds, the best course of action is always prevention.

"That's the reason CERT NZ promotes steps like using long, strong and unique passwords, turning on two factor authentication and keeping software up to date," he said.

The total number of reports to the agency jumped by 92 percent in the quarter, the agency said, from 2072 to 3977.

The biggest increase was malware incidents, which was up a staggering1030 percent to 1707 compared to the previous quarter.

Flubot - the text message scam impacting Android phones - made up two-thirds of those incidents, although none of those ended up in any direct financial loss, CERT NZ said.

"However, those who received the text messages, even if they didn't download the malware, had their phone number logged by the attackers and many are now the targets of further text-scam campaigns," it reported.

"These subsequent text scams use similar content to the initial Flubot messages, for example parcel deliveries that prompt the recipient to click on a link to confirm delivery."

There were over 150 reports of follow-on scams, with the key difference being the link went to a phishing page instead of trying to trick people into downloading malware.

"The phishing page prompts the recipient to enter their personal details and a credit card number to pay to have the parcel released (typically less than $5).

"If the recipient pays the fee, they are unknowingly signed up to a subscription that will charge them a higher amount (approximately $85) usually within three days."