Financial losses from cybercrime are up again, according to the latest quarterly report from the Government’s Computer Emergency Response Team (Cert NZ).
Some of the grim stats:
- $5.8 million in direct financial losses from cybercrime were reported to Cert in the first quarter of this year, a 66 per cent jump on the first quarter of 2022 ($3.7m)
- 264 people lost between $100 and $1000
- 16 people lost over $100,000
The true picture will be worse, experts say.
“Cybercrime is significantly under-reported. Companies don’t report incidents because they’re bad PR, and consumers don’t report incidents because of embarrassment and a host of other reasons. This means the $5.8m in losses reported to Cert NZ is likely only the tip of the iceberg,” said Brett Callow, a threat analyst with NZ-based security firm Eset.
Callow pointed to an FBI study in the US that estimated only 15 per cent of cybercrime is reported.
CertNZ director Rob Pope did not dispute that theory.
“We know the number of incidents reported to Cert NZ are not representative of the full impact of cyber events, and it is likely that the financial loss to New Zealanders will be much greater than that reported,” Pope told the Herald.
The situation is further muddied by the fact Cert NZ is a relatively new agency. A study this year by InternetNZ found more than half of Kiwis did not know where to report dodgy content in a multiagency setup that also includes the police, IDCare, the DIA, SFO, FMA and Netsafe. (The answer: Cert NZ is designed as a triage unit, which can point you in the right direction for further help. In the case of financial loss, it’s also imperative you contact your bank as soon as possible.)
Pick a number
Similarly, different agencies have their own takes on the sums lost. Netsafe reported that Kiwis lost $35.6m from online scams alone in the 12 months to June 2022. Cert NZ - which also tracks losses from the likes of ransomware and system break-ins - fielded reports of $15.5m in losses for the same period.
“Our quarterly Cyber Security Insights report is based on incidents reported directly to Cert NZ. These figures have not been cross-referenced with other agencies,” Pope said.
Rise of AI
Regardless of their wildly differing totals, all the reports agree that cybercrime is on the increase. And experts say trends including the rise of AI, organised crime and rogue states using cyberfraud as a way to raise funds will make AI tools available to scammers.
“The AI tools available to scammers haven’t yet significantly changed the mechanics of scams, but they have made the lives of scammers easier by simplifying some of the work required to create and run a scam,” Cert NZ’s Q1 report says.
And the agency warns that AI will make it easier for scammers to create more realistic content for investment and romance scams. In May, ethical hackers showed US broadcaster CBS how a cloned voice can be used in a scam. They cloned a reporter’s voice, using broadcast footage to train an AI to mimic her, then used the synthesised, natural-sounding reporter’s voice to successfully con her producer into handing over her passport number, required for a (fake) travel emergency.
Australia’s big moves
Australia’s Budget 2023 had A$46.5 million ($76.34m) earmarked to establish a Coordinator for Cyber Security to oversee multi-agency efforts in the event of a cyber incident.
The Australian Budget also saw the e-Safety Commissioner’s annual funding quadruple with a A$131m injection. The equivalent agency here, Netsafe, has a budget of around $4m.
There was A$86.5m to establish a new National Anti-Scam Centre, which will include establishing Australia’s first SMS Sender ID Registry to help prevent scammers from imitating trusted brand names (something we’re over-familiar with here, most recently with incessant “unpaid toll” scam texts).
Those moves were not matched on this side of the Tasman with our Budget 2023.
Digital Economy Minister Ginny Andersen has been asked for comment on CertNZ’s latest survey, and any new anti-cybercrime initiatives in the works.
Meanwhile, there are some signs of stirring among regulators. The Privacy Commissioner is readying a report following a compliance investigation sparked by a major ransomware attack last December, whose victims included the Ministry of Justice.
The Herald understands it will raise a number of issues over the way all agencies handle data. And an incident involving an ASB to Kiwibank transfer that saw an ASB customer scammed out of $400,000 saw the Reserve Bank assess if there had been too few safeguards for the large amounts of money being moved around - although it ultimately decided not to take the matter further.
Ministers announcing the Commerce Commission market study into the banking sector were asked about the responsibilities banks had to scam victims.
Finance Minister Grant Robertson said it would be for the Commerce Commission to decide if scams or lack of reimbursement to scam victims were factors in bank profitability.
“They are serious issues,” he said. “We’d strongly encourage banks to be working with their customers on how to avoid scams.”
A circuit-breaker move
Callow, tech commentator Juha Saarinen and others have urged the Government to consider making it illegal to pay a cyber ransom - a move that could prove a circuit breaker. Last month, Justice Minister Kiri Allan reiterated that measure was off the table. It would criminalise victims.
Another aggravating factor has been a number of Kiwi small businesses saying that social media firms - notably Facebook and Instagram owner Meta - have been slow to respond, taking weeks or even months to address hijacked accounts - including recent cases involving the Auckland Arts Festival, Christchurch tech firm Swiftpoint and others.
Authorities, at least, seem to be getting some traction with big tech.
CertNZ said in its report that in February, it became aware of a term deposit comparison site that had scammed people out of “millions” during February.
“Someone searching terms such as ‘term deposit comparison nz’ on Google would be shown a search page that included ads paid for by scammers and linked to fake websites.”
The agency said it had been able to work closely with Google to have the malicious URLs removed from its search engine, and with banks to communicate the threat to customers.
The victory might have been fleeting, however, with a new take on the scam appearing on the radar last week (see below).
CertNZ’s advice for avoiding scams
Some scams are simple in their initial setup. Last week, for example, the FMA (Financial Markets Authority) warned Kiwis to exercise extreme caution with an interest rate comparison site called Compare Fixed Term Deposits - which it believed was harvesting users’ personal information via a registration form. Users are then phoned by a criminal selling a fake investment. It was a fake deposit comparison site that saw a Kiwi man ultimately conned out of $400,000.
Others involve an elaborate mix of online and real-life deception, such as the “Citibank” scam that recently tricked an Auckland real estate agent out of $100,000.
But whatever their level of sophistication, Cert NZ says the rules for protecting yourself are the same:
- Don’t believe promises of over-the-top investment returns;
- Triple-check every company before investing in them; and
- Don’t reply to investment opportunities that arrive via WhatsApp or other message platforms.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is technology editor and a senior business writer.