New Zealand pensioners were swindled out of $1 million by cyber scams in the first three months of the year, with phishing attacks the most favoured con, the government's Computer Emergency Response Team (Cert NZ) says.
The one-stop shop responsible for tracking, monitoring and advising on cybersecurity incidents received 506 reports in the March quarter, of which it responded to 318 directly, referred another 182 to NZ Police, sent five to Netsafe and one to the Department of Internal Affairs. Of those, 196 were phishing scams, where an email or text is used to try to trick a user into handing over information, credentials or cash. Another 168 of those incidents were scams or frauds designed to convince a user to give up money.
Those attacks caused $2.9 million of direct financial losses, three-quarters of which were reported by individuals. The remaining quarter of losses came from organisation reports.
Older New Zealanders were the biggest dupes, with 44 incidents reported by people over 65, who accounted for $1 million of direct financial losses, while a smaller group of people between 55 and 64 reported $724,000 of losses.
"New data analysis this quarter shows that this has been particularly harmful for victims in the over-55s age group who have reported losing more money than any other age group," Cert NZ director Rob Pope said in a statement. "In quarter one there has been a real focus on taking down phishing websites where we can, including working alongside key partners such as banks and financial institutions whose brands are so often misrepresented in these campaigns."
The government committed an extra $970,000 a year of new operating funding over the next four years for Cert NZ, lifting its annual budget to $5.9 million for the June 2019 year.
Pope told BusinessDesk the increased reporting is a good sign that the agency is building a profile and attracting public acceptance as the clearinghouse for cyber-security issues, where Cert can receive complaints and either handle them directly or refer them to the appropriate agency.
The latest report is Cert's fourth, and while Pope said it's too early to draw granular conclusions from the data, it has been able to identify firm trends such as the prevalence of older targets.
"That prevalence of phishing still seems to be the major malaise that's impacting New Zealanders," Pope said. "It seems at this point in time, the baddies are getting quite a good return on their efforts."
Cert wants to be more proactive in helping New Zealanders prevent cyber incidents, and has several programmes operating in the public and private sectors. However, "demystifying technology language" and humanising the issue are key to making people more comfortable in digital spaces and with reporting issues to the authorities, Pope said.
"Our main focus is prevention so we're very very alert of the need to be more proactive," he said.
The agency was formed from the previous administration's cyber-security strategy, and Pope said it will play a role in a policy refresh, which he describes as a "stocktake" and which Communications Minister Clare Curran says is essential to the government's goal of building a "connected nation, promoting and protecting digital rights, and harnessing digital technology for economic growth, community benefit and innovation".
Pope said establishing public buy-in is "exceptionally important" so it can describe the "cyber-threat landscape", which can get confusing with different but similar-sounding reports, such as last year's assessment by the National Cyber Security Centre (NCSC) identifying 396 cyber threats in the year ended June 30, which could have caused $640 million of harm to nationally significant organisations. The NCSC is a unit of the Government Communications Security Bureau.
Over the past four quarters, Cert has received 1,637 reported incidents, referring 474 to the police and 2 to the NCSC.
The March quarter report shows financial and insurance firms were the most targeted sector, with 92 reports accounting for 44 per cent of organisation incidents, most of which were phishing attempts.