Financial losses from cyber attacks and scams are down, according to the latest quarterly figures from Crown agency Cert NZ.
But a survey by Horizon indicates that the actual number of victims could be far larger.
Cert (the Computer Emergency Response Team) says Kiwis reported direct financial losses of $4.2 million between April and June.
That was down on the $5.8m lost to cyber attacks, scams and online fraud in the first quarter.
And the number of incidents reported edged down slightly from the first quarter’s 1968 to 1950.
In themselves, Cert NZ’s numbers are encouraging.
But director Rob Pope has previously told the Herald, “We [Cert NZ] understand that the report numbers are just the tip of the iceberg.”
Some people are too sheepish to admit they’ve clicked on a malicious link. Others simply don’t know Cert NZ exists as a cyber-triage unit for individuals and small businesses. Some companies fear reputational damage (Pope promises discretion).
A demographically weighted Horizon Research survey of 1039 adult New Zealanders, also released this week, indicated Pope’s iceberg may be vast beneath its tip.
The study, carried out last month, found 7 per cent of those surveyed (which extrapolates to 258,000 Kiwis) had been a victim of cybercrime.
The crossover between bank fraud and cyber fraud is murky, given some bank fraud starts with an old-fashioned phone call rather than an online con, data breach or phishing, but 10 per cent (385,000) had experienced fraud or theft involving a bank account.
Of those who were victims of fraud, 54 per cent had lost up to $500, and 80 per cent had lost up to $5000. (Some above that $5000 survey threshold have lost much bigger sums. The Herald recently reported on six victims who allegedly lost a combined $1.25m to international scammers via a Whanganui “money mule”.)
Only 30 per cent of respondents to Horizon’s survey thought banks were doing enough to combat fraud.
When told about anti-fraud initiatives being introduced in Australia:
- 69 per cent believed their bank should introduce dynamically generated CVC [card verification code] numbers;
- 83 per cent believed their bank should do a check to see that the account names and numbers match on an account to which a customer is sending a payment.
More than half said they were willing to put up with slower payments as a trade-off for more protection against fraud.
Banks say they have invested heavily in anti-fraud and customer verification systems and increased the size of anti-fraud teams. There have also been campaigns on TV and bank websites to educate customers.
“Scam-related crime is increasingly sophisticated and constantly evolving. Scams go much wider than banks, which are usually at the end of the chain of events that makes up a scam that tricks you into paying a criminal or allowing them access to your bank account,” New Zealand Banking Association chief executive Roger Beaumont told the Herald.
The NZBA’s members include ANZ, ASB, BNZ, Citi, Kiwibank and Westpac.
“There’s no silver bullet for solving scams. What’s needed is a multi-pronged approach and the involvement and investment of all affected sectors, including government agencies, telcos, social media companies and internet service providers,” Beaumont said.
“Banks already have significant, sophisticated systems in place to help detect and prevent fraud. We’re working on what else banks can do to fight scams and further protect their customers, which we hope to announce soon.”
Rise of smishing
Cert NZ did track an increase in one type of attack in the second quarter: text message-based phishing – aka “smishing”.
Reports to the agency about smishing increased 26 per cent.
The text messages, and the links in them, change rapidly, and people need to remain alert to avoid being caught out, as they can quickly lead to severe losses, Cert said.
“At the moment, everyone knows about the ‘NZTA scam’,” Pope said, “but tomorrow it could change to be another organisation being impersonated or another scam message. They could change tactics to include a phone number ‘for more information’ and get you that way.”
Recent scams often purport to be alerting you to a new log-on or suspicious activity on your account, or a refund for over-billing.
The advice is to be wary of any text that comes from a regular cellphone number. Service providers typically send messages from four-digit shortcodes and seldom include links. If in any doubt, phone the service provider on a number you’ve sourced yourself.
Moved in with the spies
While New Zealand’s Budget 2023 did not match several Budget 2023 moves across the Tasman, where hundreds of millions were poured into new anti-scam and cybersecurity measures, last month GCSB Minister Andrew Little did announce that Cert, which has 35 staff, would fall under the GCSB’s National Cybersecurity Centre from August 31.
“The current system is fragmented, creating a merry-go-round experience for victims of cyber crime,” Little said as he announced the move.
The positive spin was that the NCSC would give Cert more oomph; the negative that the spy agency - which usually deals with cyber threats to government departments and large exporters - was not a good fit for Cert, given its focus on home and small business users.
Little said any changes to Cert would be an operational matter for the NCSC. This week, a Cert spokesman said there had been no changes at the top. Two staff had left but were being replaced.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.