More than $3.9 million in direct financial losses were reported to the Government's Computer Emergency Response Team (Cert NZ) in the June quarter - more than double the same period last year, and 30 per cent quarter-on-quarter spike.
But this could be just a fraction of actual losses, says Brett Callow, a threat analyst with Emsisoft - a global cybersecurity company based in New Zealand.
And Cert NZ Director Rob Pope doesn't dispute that theory. "We understand that the quarterly report numbers are just the tip of the iceberg," he says.
Cert NZ, founded in 2017, is still a relatively young agency. Many online fraud or cyber attack victims the Herald talks to are simply unaware of its existence, let alone that they can report an incident to it and request help.
Another factor - many organisations, and individuals, can be sheepish about coming forward, fearing reputational damage (notwithstanding that reporting serious data breaches to the Privacy Commissioner has been mandatory since the new Privacy Act kicked in on December 1 last year.)
"Cybercrime is massively underreported," Callow says.
In the US, it's estimated that only 15 per cent of incidents are reported, Callow says, drawing on a stat from the FBI's annual Internet Crime Report.
"And that in itself may be an overestimate," he says.
"The position in New Zealand is likely quite similar, with only a small minority of cybercrime ever being reported. How small a minority is impossible to say."
It's also worth noting that law enforcement agencies typically only include direct financial losses, such as ransom demands paid, in their cost estimates, Callow says. "Whereas indirect financial losses, such as the cost of downtime, can be considerably greater."
"In 2020, there were just over 250 ransomware incidents involving New Zealand businesses which would have cost around $55m in terms of the demands only. Factor in downtime, and the cost of those incidents increases to around $450m," Callow says, drawing on a research summary put together by his company, which drew on submissions to the ID Ransomware service.
"And that's just ransomware. BEC [business email compromise] fraud and other scams will mean the real losses are even higher," Callow says.
Although he concedes his organisation's latest quarterly numbers are just the tip of the proverbial iceberg, Pope says they still fill a useful function.
"These reports help us understand the threat landscape and cyber security risks New Zealanders are facing," he says.
Old-school DDoS (distributed denial of service) attacks have hogged recent headlines, as armies of bots have been unleashed against the likes of Kiwibank, ANZ, NZ Post and MetService, overwhelming their sites with connection requests.
But overall, Cert NZ has tracked the biggest threat increase in ransomware - which is more sinister because unlike a DDoS attack, where bots crowd the front door, preventing anyone from entering a site, a ransomware attack involves a break-in, and the theft or encryption of data.
And although the total number of reported cyber-attacks actually fell slightly to 1351, the amount of money lost increased because the types of attack that are on the rise involve bigger losses.
While the total number of ransomware attacks was only 30, ransomware attackers have switched from individuals and small businesses to larger corporate targets, where sums in the millions are demanded.
Cryptocurrency investment fraud on the rise
Cert NZ also noted a 13 per cent rise in losses to cryptocurrency scams in the June quarter, with a total $500,000 lost as the number of complaints rose 50 per cent.
The scams, often involving emails with sophisticated-sounding language, usually, revolve around enticing a victim to put money into a fake cryptocurrency investment opportunity.
Cert NZ says the language in the scammers' communication shares the common theme of playing on Fomo or "fear of missing out" with the victim being urged to put money in before the cryptocurrency opportunity before it's too late.
High-profile New Zealand targets from Waikato DHB to Lion and Toll Group say they have refused to pay a ransom.
But even so, organisations can rack up millions in cost from disrupted manufacturing and supply chains while they painstakingly rebuild systems from backups.
Cert NZ encourages people to come forward.
It stresses that all reports are treated with strict confidentiality. People or organisations only have to share "as much as they feel comfortable sharing.
The Government has rejected recent calls for it to be made illegal to pay a cyber-ransom. Some see the move as a circuit-breaker. But the Government counters it would criminalise victims.
Digital Economy and Communications Minister David Clark says officials are monitoring developments overseas, however, and that policy work is being done in the area.
Despite being a hot topic in polics across the Tasman, cyber-security featured in neither of the major parties' technology policies going into last year's election, and did not feature in Budget 2021.
Pope says Cert NZ's quarterly reports are also helping to get the word out.
"We are constantly working to build awareness through initiatives like Cyber Smart Week October 18 - 24) and general outreach. We encourage everyone who has experienced a cyber security incident to report confidentially to CERT NZ so that we can provide advice and remediation," he says.
Cert NZ's key advice on cyber attacks remains the same. It includes.
• Use different and complex passwords for every account - and a password manager to wrangle them all.
• Keep all your software up to date, not just your security software.
• Educate staff to be suspicious of email attachments, or any request for personal information.
• Assume that one day you'll be hit, and make regular backups. Make sure at least one of them is a "cold" or offline backup. And test your backups regularly.
• And maintain an up-to-date action plan for how you'll communicate with staff, suppliers and customers in the aftermath of an attack.
Report an attack, and report it ASAP
For individuals and small businesses, reporting any cyber attack or online fraud quickly is essential. Cert NZ can act as a triage service, putting you in touch with the right law enforcement contacts, and advising where to turn for IT help.
A recent report by the Banking Ombudsman, which noted a 21 per cent increase in bank-related online scams, underlined that the more quickly banks' fraud teams learn of an instance of fraud, the better your odds of getting the transaction reversed.
The Herald has covered a number of online banking fraud cases, which have seen mixed results for customers seeking compensation.
In one, a West Auckland couple who paid a series of fake invoices after a scammer hijacked their bathroom renovation company's real-email address, had the full amount they had lost - $21,000 - paid back by their bank, Westpac.
But in a second case, involving an ex-army officer who transferred around $14,000 from a Westpac account to what turned out to be a fraudster's account, as he thought he was buying Starlink shares (the Space X subsidiary is not listed and has no plans to list) no funds were recovered and the soldier lost all of his money.
Both banks said they would have had more chance of resolving the situation if the retired army officer had contacted them immediately. In the event, it was more than seven days after he transferred the money that he realised he had been conned.