The Government's Computer Emergency Response Team (Cert NZ) says cybercrime was up in the third quarter, with webcam blackmail scams the largest factor behind the increase.
In its latest report, Cert finds:
• Another record quarter with 870 reports received by Cert (up from 736 in Q2)
• Direct financial losses from cyber security incidents were up 35 per cent from last quarter, with a total of $2.9 million reported losses
• Reports of unauthorised access continue to increase. 91 reports were received in Q3 – a 28 per cent increase on Q2.
• Phishing remains the largest incident category although it has plateaued this quarter.
• 198 of the reports received in Q3 related to scams and fraud, an increase of 90 per cent from Q2, with webcam blackmail and payment scams accounting for most of the increase.
Cert, run by former deputy police commissioner Rob Pope, says webcam blackmail emails usually follow the same format, including:
• the email includes a previous password that you have used
• the email claims that you visited an adult website and that the scammer turned on your webcam and recorded what was happening
• the email claims that they have a copy of your website history
• the scammer threatens to email the video to all your contacts unless they pay a ransom between $1700 and $3000
"We can't confirm whether the video recordings actually exist, or if this is an opportunistic scam. We have not had any reports of scammers releasing a video when a ransom isn't paid," Cert operations manager Declan Ingram says.
Passwords are often genuine, Ingram says, but the scammer is only pretending to have gained access to your computer.
In reality, they've probably bought your password in a so-called "credentials dump" rather than hacking your computer. A credentials dump is when a major data breach takes place at an organisation such as LinkedIn or Ticketmaster (to name two real-life examples) then lists of logins are sold on the dark web.
"We know that scams like this prey on people being too embarrassed to seek help, so we assume that the reports we've received are only the tip of the iceberg," Ingram says.
Cert recommends you change passwords regularly and use different passwords for different services.
The agency says if you think you're the victim of a genuine blackmail threat, it should be reported as soon as possible because "digital evidence is fragile".
Cert is still very new. It was only created in May last year, and most Kiwis still think of Pope as the Scott Watson case detective rather than our cyber-security czar. And the Cert boss acknowledges the increase in reports reflects, to a degree, a growing awareness that his agency exists.
"While it's difficult to determine what specifically drives increases in reports, we believe that the growing numbers of reports are largely based on an increase in awareness of Cert, and in turn are a more accurate reflection of the impact of cyber security issues on New Zealanders."
Cert aims to track cybercrime, and to act as a triage unit, directing businesses or home users to the right police contacts or other support after they've been hacked.
It can be reached via cert.govt.nz or 0800 CERT NZ (0800 2378 69).