Education is the best way for firms to fight online criminal attacks, reports Francis Cook

Last year, Netsafe reported 8570 cyber attacks, costing firms and individuals $13.4 million.

But that's just the attacks reported - about 4 per cent of all the breaches across New Zealand. A more accurate figure for the cost of cybercrime would sit at $250 million-400 million - and it's all avoidable.

Netsafe's Chris Hails says it can only report on the attacks it gets information on, but cyber breaches and attacks are on the rise in NZ.

Most businesses don't report on breaches and fraud because insurance covers fraud, and admitting to being defrauded is often considered "embarrassing".

And NZ has no mandatory breach disclosure for cyber attacks, so firms do not need to report cyber crime. An industry source, who prefers to stay anonymous, says it's well known that cyber attacks are hushed up. That means information about new threats does not get spread as readily as it does in other countries. So, if Company A was attacked but did not disclose any information, Companies B and C will remain uneducated and be unprepared if they are also attacked.

A police spokesperson says there's no reason to believe cyber crime is more likely to be unreported than it is in other countries. But even if a business reports the crimes, it is still very difficult to get prosecution.

Kiwis are falling for the most rudimentary attacks on a huge scale, and it's costing businesses millions of dollars. The average cost of each reported attack last year was $12,995 - and the largest was $2.1 million.

Because of its global nature (perpetrators are most often based overseas), cyber crime presents challenges for all law enforcement agencies.


Social Engineering - "Human Hacking"

Our main vulnerability, says Hails, is "email system compromise". A recent example was the chief financial officer at Te Wananga o Aotearoa falling for a phishing scam when she received an email from somebody posing as the chief executive asking for money. She sent $100,000 offshore at the scammers' request. She later resigned.

The Fire Service was scammed out of $52,000, blaming the "lack of judgment" of two staff members who thought they were sending the money to Turkey at the request of their boss.

The people who need the most training in this department are executives: the company leaders who have access to secure information and the authority to move money.

Attacks on top brass are often referred to as "whaling" as they're aiming to land one "big fish".

Security worker and Kiwicon organiser Adam Boileau says social engineering, particularly in the form of email scamming, is a low-effort type of fraud with high return on investment. Whaling through emails needs very little technical knowledge and effort - it's not classed as hacking due to its rudimentary nature - but is highly profitable with successful attacks netting millions.


Instances of social engineering are on the rise. It's crucial for managers and executives to have an awareness of the risks.

Dr Abdolhossein Sarrafzadeh, director of the Centre of Computational Intelligence for Cyber Security at Unitec, says most firms aren't aware of the risks until it happens to them. The majority of attacks, he says, are done simply through email. In the past couple of months he's seen one business lose $200,000 after someone posing as a Chinese partner said the accounts had changed - they complied and put the money into the new account.

"It's as simple as someone claiming they're the CEO and asking for money," he says. "It's a total lack of awareness."

Sarrafzadeh says the estimated monetary loss from these attacks in NZ comes to about $250 million a year and it's increasing. "It's going to happen more and more."

Some email system compromises are more complex and can appear genuine. Businesses with trading partners abroad need to be especially careful. Fake invoices can arrive after emails with trading partners are intercepted, with the details made to look very similar to the partner's own.

Netsafe has recommended a "two-man rule" for signing off transactions, and making sure any staff handling payments are trained to recognise suspicious emails.


Losing data can be more costly than losing money, and ransomware and intellectual property theft are also up.

Ransomware attacks are much cleverer than simple requests for money from bogus chief executives. Typically, they occur when somebody, often unknowingly or accidentally, allows malicious software - "malware" - on to a computer. These infections are often transmitted by email or untrusted websites.

Chris Hails, from the cyber safety organisation Netsafe. Photo / Supplied

The malware encrypts data and the attacker will demand a fee to unlock it. If the encrypted or "ransomed" data is precious - say, financial forecasts or thousands of private client or company records - the victim will have no choice but to pay the exorbitant fee. It's near impossible to retrieve data which has been encrypted in a ransomware attack. The choice is to pay up if it happens, or use preventive measures.

Jai Vijayan, of cybersecurity news website, says the best way to protect yourself from ransomware is to have a robust backup system for precious data. That way, the victim or business will not need to pay the extortionist to have it decrypted.

Breach of intellectual property, Boileau says, is the biggest threat to New Zealand businesses.

For example, if Fonterra's financial forecasting were to be accessed by someone in China, where milk powder is a huge export, the dairy exporter could take major losses. This corporate espionage is not undertaken for a quick buck, but instead can undermine and manipulate market prices. High-level security breaches can be run during a distraction known as a DDoS - distributed denial of service - attack.

DDoS attacks work by using a huge number of compromised systems to direct traffic to a single server, effectively denying service to anyone else attempting to access the website. It's like going to the supermarket and finding millions of other people are trying to get in at the same time. The user is denied service due to overwhelming demand.

DDoS attacks tend to be used as a distraction because they aren't effective at much else. Denial of service attacks have affected one NZ accounting firm recently, but they are not a prevalent cyber security risk in themselves. But if a company finds its digital systems suddenly struck down, everyone focuses on getting the system back online -- and during this time, hackers can use the distraction to their advantage and breach the systems to steal data or install malware.

It's difficult to protect a system from a DDoS attack, but by themselves they don't pose a significant risk to most New Zealand businesses. A company which relies on online trading such as Amazon or Trade Me is most vulnerable to denial of service.

The main type of attack costing businesses in New Zealand - the old-fashioned dodgy email - is the simplest and most easily prevented. It's absolutely crucial that employees, managers, and executives in businesses of any size have training in identifying suspicious emails and use a multiple-step approval system for digital financial transactions.
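The "two-man rule" Netsafe recommends for signing off transactions, and the multiple-step approval system described here, come down to one control: no single person can move money, and a changed bank account is never accepted on the strength of an email. The following is an added illustration written for this page, not code from Netsafe or any firm quoted in the article. The company name, account numbers, approver names and the $10,000 threshold are all made up.

```python
# Added example, not part of the article: a minimal "two-man rule" for
# releasing outgoing payments. The names, threshold and beneficiary register
# are constructed for illustration.
from dataclasses import dataclass, field

# Hypothetical policy: anything above this amount needs two distinct approvers.
DUAL_APPROVAL_THRESHOLD = 10_000


class ApprovalError(Exception):
    """Raised when a payment does not meet the release policy."""


@dataclass
class Payment:
    payee: str
    account: str       # destination bank account as written on the request
    amount: float
    requested_by: str  # whoever keyed the request (often the person who got the email)
    approvals: set = field(default_factory=set)
    released: bool = False


class PaymentDesk:
    def __init__(self, verified_accounts):
        # payee -> account number confirmed out of band (e.g. by phoning the
        # partner on a number already on file, never one taken from the email).
        self.verified_accounts = dict(verified_accounts)

    def approve(self, payment, approver):
        """Record an approval; the requester can never approve their own request."""
        if approver == payment.requested_by:
            raise ApprovalError("requester cannot approve their own payment")
        payment.approvals.add(approver)

    def release(self, payment):
        """Release funds only if the account is a verified one and enough
        distinct people have signed off."""
        if payment.released:
            raise ApprovalError("payment already released")
        if self.verified_accounts.get(payment.payee) != payment.account:
            raise ApprovalError("beneficiary account does not match the verified record")
        needed = 2 if payment.amount > DUAL_APPROVAL_THRESHOLD else 1
        if len(payment.approvals) < needed:
            raise ApprovalError(f"need {needed} approval(s), have {len(payment.approvals)}")
        payment.released = True
        return True


def attempt_release(desk, payment):
    """Helper that turns the outcome into a string for display or testing."""
    try:
        desk.release(payment)
        return "released"
    except ApprovalError as err:
        return str(err)


if __name__ == "__main__":
    desk = PaymentDesk({"Acme Supplies Ltd": "12-3456-7890123-00"})  # constructed
    # The "accounts have changed" scenario: a new account number arrives by email.
    scam = Payment("Acme Supplies Ltd", "99-0000-0000000-00", 200_000, "alice")
    desk.approve(scam, "bob")
    desk.approve(scam, "carol")
    print(attempt_release(desk, scam))   # blocked: account not verified
    # A genuine large payment still needs two people other than the requester.
    real = Payment("Acme Supplies Ltd", "12-3456-7890123-00", 50_000, "alice")
    print(attempt_release(desk, real))   # need 2 approval(s), have 0
    desk.approve(real, "bob")
    desk.approve(real, "carol")
    print(attempt_release(desk, real))   # released
```

The account check runs before the approval count on purpose: two signatures on a payment to an unverified account is exactly what the "our bank details have changed" scam relies on, so no number of approvals should override the out-of-band record.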

No one is immune to attempted cybercrime. Even the director of the CIA had his emails hacked into by a 15-year-old boy.

The best way to deal with cybercrime is to prevent it through education.

Recognising a suspicious email:

• Look for variations in the address - it might come from an address with a company's name, but ending with .biz or .com instead of

• Watch for addresses ending in - e.g. "". Look for bad spelling.

• Does the email address you by name or as a "valued customer"? Businesses will normally want to address the recipient by name.

• Never give out passwords or credentials - legitimate businesses will not ask for this in an email.

• Don't let urgent subject lines scare you - things like "account suspended" or "unauthorised login attempt" are often just phishing attempts.

• Do not open attachments you weren't expecting. Attachments can contain malware and ransomware.

• If you haven't heard of the company, google it to find out if it's a legitimate business. Phishers often create genuine-looking logos and language. Do not click links in the header or signature of the email.

• If the email address and subject line arouse suspicion, don't open it.

• If you're unsure about an email or think you might be a victim of an email fraud, call Netsafe on 0508 NETSAFE (0508 638 723) and ask for advice.
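The checklist above can also be applied mechanically before a message reaches a person, which is how mail filters catch the lookalike-domain and changed-account invoices described earlier. Below is an added example written for this page; it is not Netsafe's code. The trusted domain, the sender addresses, the phrase lists and the three sample messages are all constructed.

```python
# Added example, not part of the article: a small triage that applies the
# checklist above to an inbound message. The domains, addresses and messages
# are constructed for illustration; TRUSTED_DOMAINS is a hypothetical list of
# the domains the organisation really sends mail from.
from dataclasses import dataclass, field
from difflib import SequenceMatcher

TRUSTED_DOMAINS = {"example-dairy.co.nz"}  # hypothetical

URGENT_PHRASES = ("account suspended", "unauthorised login attempt",
                  "unauthorized login attempt", "within 24 hours")
CREDENTIAL_PHRASES = ("password", "credentials", "domain username")
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user")
RISKY_ATTACHMENTS = (".exe", ".scr", ".js", ".docm", ".zip")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(address):
    """Everything after the last '@', lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain):
    """True when the sender domain is not trusted but its first label matches
    (or nearly matches) a trusted domain's: example-dairy.biz in place of
    example-dairy.co.nz, or examp1e-dairy.co.nz with a digit swapped in."""
    if domain in TRUSTED_DOMAINS:
        return False
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_label = trusted.split(".")[0]
        if label == trusted_label:
            return True
        if SequenceMatcher(None, label, trusted_label).ratio() >= 0.85:
            return True
    return False


def phishing_indicators(mail):
    """Return the checklist items the message trips, in a fixed order."""
    hits = []
    if lookalike_domain(sender_domain(mail.sender)):
        hits.append("lookalike sender domain")
    text = f"{mail.subject} {mail.body}".lower()
    if any(p in text for p in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(p in text for p in CREDENTIAL_PHRASES):
        hits.append("asks for credentials")
    if any(p in text for p in URGENT_PHRASES):
        hits.append("urgency language")
    if any(a.lower().endswith(RISKY_ATTACHMENTS) for a in mail.attachments):
        hits.append("risky attachment type")
    return hits


def triage(mail):
    """A lookalike sender on its own, or two or more indicators, is enough to
    hold the message for review rather than deliver it."""
    hits = phishing_indicators(mail)
    if "lookalike sender domain" in hits or len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "deliver"


# Constructed samples.
SAMPLE_PHISH = Email(
    sender="ceo@example-dairy.biz",
    subject="Account suspended - action required",
    body="Dear valued customer, click the link and enter your domain username "
         "and password to restore access.",
)
SAMPLE_FAKE_INVOICE = Email(
    sender="accounts@examp1e-dairy.co.nz",
    subject="Updated invoice",
    body="Hi Jane, please see the attached invoice.",
    attachments=["invoice.pdf"],
)
SAMPLE_LEGIT = Email(
    sender="finance@example-dairy.co.nz",
    subject="Q3 forecast attached",
    body="Hi Jane, the forecast is attached.",
    attachments=["forecast.xlsx"],
)

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_FAKE_INVOICE, SAMPLE_LEGIT):
        print(m.sender, triage(m), phishing_indicators(m))
```

The fake-invoice sample trips nothing but the domain check, which is the point: a polite, well-spelled message from a near-identical domain is the hardest case for a person to spot, so a lookalike sender alone is treated as grounds to hold the message.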

How it's done

Adam Boileau, an organiser of the Kiwicon computer security conference, says there are four steps needed to break into a business -- understand the target, get a foothold on something (someone) in the target, move laterally around the target and, finally, take action.

A typical attack, he said, would proceed as follows:

1. Recon

"Search LinkedIn for the target company, find a bunch of names. Google the names until you find the email address for the company."

2. Initial foothold (Phishing)

"Email people within the company and ask for their password. For instance: 'Click this link to view the updated HR Bonus Policy. You'll need to enter your domain username and password for security.' Use a picture of a padlock for extra credibility."

3. Move laterally

"Use the passwords to log into the company's internet-facing web-based email."

4. Action

"Read all the email, harvest the address book, use email access to reset passwords of other things."

At this point, everything is compromised and it's game over -- without use of the dark web, and with the most rudimentary of tools, the hacker has gained access to private and confidential information which can be seriously damaging. One could write a book and publish it right before an election with this information.

Another way of gaining an initial foothold is to get malware on to a computer, through infected documents or PDFs.

A broad-spectrum attack takes the form of infecting a website that the target -- or targets -- visits in what is known as a "watering hole" attack.

Boileau explains that while hacks vary in complexity and difficulty, they all require the same starting point: a foothold in the system.

These attacks can also be made by people with access to company computers, such as a disgruntled employee or even a cleaner.

Businesses need to be careful how much data and information is shared across their systems, especially if an employee is given cause to leak, delete, or corrupt that data.

The dark web comes into practice in hacking primarily as a marketplace for hackers -- to hire hackers, buy malicious software, and hire botnets (zombie computers used for distributed denial-of-service attacks).

Cybercrime is happening in our pockets

Google, says Hails, is well aware of the problem. There is currently 10 times more ransomware on Android devices than on Windows or iPhones.

A well-publicised case hit New Zealand just last year. Android users were getting scammed with lockscreen ransomware that claimed to have come from the Police Cyber Crime Unit and included the GCSB logo. The ransomware would display a case number, IP address and would take contacts from the address book along with a picture of the user to appear legitimate.

An accompanying message said "You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape, etc)".

The user was asked to pay a fine of $200 to unlock the screen, or the selected contacts would be "interrogated".

Many people were scared by the threat of embarrassment and believed the message really was from the police.

These sorts of attacks typically come from overseas -- frequently Eastern Europe. People who pay up are not going to get their money back and those who delivered the ransomware are extremely difficult to prosecute. Symantec has called mobile cybercrime the "new cash-cow" for hackers.

In the scheme of things, Hails says, mobile attacks are more of an "annoyance" than a serious threat. The money demanded tends to be quite low compared to larger and more elaborate desktop scams.

Losing contacts and access to text messages can be damaging, but is nothing compared to a compromised corporate system.

To avoid having ransomware installed on your phone, keep your mobile internet use cautious: don't click on advertisements, email attachments and so on. Never install apps that you are unsure about, and be careful about what websites you use on your phone.

And if you do encounter lockscreen ransomware, turn your phone off and boot it in safe mode -- if you're unsure how to do that, google safe mode instructions for your phone model. Then find and delete the application. Restart your phone normally. If the ransomware is still there contact an expert.

Never pay the ransom. You could waste money for no reason.