The Government's Computer Emergency Response Team (CERT NZ) fielded fewer reports of cyber attacks, and financial losses in the September quarter vs the same period last year.
But it warns incidents are again on the rise as Christmas approaches. Tech support call scans are one area of particular concern (more on which below).
Overall, the stats are trending down vs the same time last year, however. Or, at least, they appear to be.
Cert NZ responded to 2972 incidents in third quarter - a 53 per cent rise from Q2's 1351, but notably fewer than the 2610 reported for the September quarter last year.
Similarly, reported direct financial losses from cyber attacks fell 16 per cent to $3.3m between the June and September quarters this year, the figure was still well below the $6.3m reported for the September quarter last year.
Did the cyber-criminals really ease up?
Recently, CERT NZ director Rob Pope told the Herald, "We understand that the report numbers are just the tip of the iceberg."
Some are too sheepish to admit they've been duped by cyber criminals (Pope emphasises that his agency, which puts victims in touch with the right law enforcement and tech support contacts, treats all complaints confidentially).
There's also an element of some victims simply being unaware that the relatively new CERT NZ even exists as a resource for individuals and small businesses.
CERT NZ puts average losses at $4.1m per quarter over the past year.
But as a contrast, Brett Callow, a threat analyst with Emsisoft - a global cybersecurity company based in New Zealand - says Ransomware attacks alone likely cost New Zealanders at least $55m last year based on data collected by ID Ransomware, which collates cyber ransom notes. Actual total losses to New Zealand organisations, including business downtime, would have been in the order of $450m, Callow's research suggests. Since it was formed in mid-2017, total losses of $63.2m have been reported to Cert NZ.
Under-reporting is an international trend. A recent FBI report estimated that only 15 per cent of cyber crime is reported in the US.
Cert's quarterly report says it received 700 calls from members of the public concerned about the "Flubot" text scam, which started with bogus messages purporting to be from a courier company. By contrast, the Department of Internal Affairs - which set up a report-by-text-service - was bombed with more than 58,000 complaints.
Nevertheless, Cert played a key role in response to the scam. Pope says the agency worked with ISPs to block more than 1200 websites associated with FluBot.
Cert NZ saw phishing - or attacks like Flubot, which try to trick people into revealing their credentials - rise 73 per cent to 1071 reports - plus general scams and fraud, which rose 28 per cent to 488. Together, those two categories accounted for the lion's share of incidents. Unauthorised access accounted for 225 reports, while reports of ransomware fell by 40 per cent to 18.
At the top end of town, threats are definitely increasing.
The GCSB recently said that its NCSC (National Cyber Security Centre) tracked 404 cyber attacks affecting those it protects in the year to June, 2021 - up from 352 in the year to June 2020.
All told it said it disrupted 2000 attempted attacks against the 200 "organisations of national significance that it protects". The NCSC has just launched a new programme to more broadly share its threat-warning data with the private sector.
Whatever size your organisation, Pope says the speed with which you report an incident is key. Cert reports that during Q3, it assisted an individual who gave a "tech support" phone caller remote access to their computer, only to see "large sums of money" drained from their bank account. Because the incident was reported quickly, most of the funds were recovered. Unfortunately, that has not been the case with most bank account breach incidents the Herald has covered (see below).
Cert NZ's key advice for thwarting cyber attacks:
• Use different and complex passwords for every account - and a password manager to wrangle them all.
• Keep all your software up to date, not just your security software.
• Educate staff to be suspicious of email attachments, or any request for personal information. Know signs to look for. A legitimate text from a service provicer such as a courfirm or government agency, for example, will usually come from a four-digit number rather than a conventional cellphone number (a cellphone number is a sign of Flubot, which access an Android phone's address book then sends itself to all of the victim's contacts).
• Assume that one day you'll be hit, and make regular backups. Make sure at least one of them is a "cold" or offline backup. And test your backups regularly.
• And maintain an up-to-date action plan for how you'll communicate with staff, suppliers and customers in the aftermath of an attack.
Report an attack, and report it ASAP
For individuals and small businesses, reporting any cyber attack or online fraud quickly is essential. Cert NZ can act as a triage service, putting you in touch with the right law enforcement contacts, and advising where to turn for IT help.
A recent report by the Banking Ombudsman, which noted a 21 per cent increase in bank-related online scams, underlined that the more quickly banks' fraud teams learn of an instance of fraud, the better your odds of getting the transaction reversed.
The Herald has covered a number of online banking fraud cases, which have seen mixed results for customers seeking compensation.
In one, a West Auckland couple who paid a series of fake invoices after a scammer hijacked their bathroom renovation company's real-email address, had the full amount they had lost - $21,000 - paid back by their bank, Westpac.
But in a second case, involving an ex-army officer who transferred around $14,000 from a Westpac account to what turned out to be a fraudster's account, as he thought he was buying Starlink shares (the Space X subsidiary is not listed and has no plans to list) no funds were recovered and the soldier lost all of his money.
Both banks said they would have had more chance of resolving the situation if the retired army officer had contacted them immediately. In the event, it was more than seven days after he transferred the money that he realised he had been conned.