The Government’s cyber security agency has recorded a “massive” jump in online fraud, with scammers draining nearly $9 million from unsuspecting victims in just three months.
Twelve victims lost more than $100,000 each as cyber criminals deployed a devious array of elaborate scams to trick people into giving over their money and personal details, or infiltrated their computers and bank accounts through malware or remote access trojan software.
Data obtained by the Herald from CERT NZ shows the agency received more than 10,000 cyber security reports in the last year relating to phishing attacks, scams and fraud, unauthorised access to email or bank accounts, denial of service attempts, ransom or malware attacks and compromised websites.
The agency admits such attacks are “widespread” with many more going unreported. CERT NZ director Rob Pope earlier told the Herald that the numbers reported to his agency were just the “tip of the iceberg” due to many businesses and people being too sheepish to admit they’ve been taken in by scammers.
Cyber criminals obtained nearly $9m in the last quarter alone (July-September) - a huge spike on the previous quarter ($3.9m) and the quarter before that ($3.7m).
CERT NZ says the number of reported incidents has remained reasonably static in recent months, but the number of attacks resulting in loss through fraudulent criminal activity and unauthorised access to victims’ accounts has jumped by about 30 per cent.
The figures include cases like the Invercargill pensioner who lost $134,000 when thieves infiltrated his SBS Bank accounts in July, changed his listed mobile phone numbers to skirt the bank’s two-factor authentication security checks, then drained the money in 11 unauthorised transactions.
SBS has refused to refund the victim and the matter is now under investigation by the Banking Ombudsman.
CERT NZ threat and incident response manager Jordan Heersping said the most common cyber security incident involved phishing attacks, when victims were contacted by malicious actors pretending to be from a bank, internet provider, government agency or financial institution, and convinced to hand over their user names and passwords.
Phishing attacks could also involve victims clicking on suspect links which then download malicious software to a person’s device, harvesting their personal information and sending it back to the scammers to access bank or email accounts.
These attacks were a “constant threat”. The emails were often well-crafted and difficult to spot, Heersping said.
CERT NZ has also recorded a big jump in unauthorised access incidents. Victims may have approved a charge, for instance to receive a non-existent courier parcel, but criminals were then able to set up recurring withdrawals from the victim’s account.
Heersping said many attacks reported to CERT NZ originated overseas. The agency helped victims work with banks to recover stolen money and tried to educate people about the latest scams.
Victims typically lost between $100 and $1000, but elaborate romance or investment scams could see hundreds of thousands of dollars drained, at huge financial and emotional cost.
“For a lot of people, the effect of a cyber attack will have quite a knock-on effect on their mental health.
“We see everything from a couple of dollars to a lot of money, and that’s both across businesses and individuals.”
The Herald has reported on two recent cases where cyber criminals accessed pensioners’ online accounts to steal money and the banks refused to reimburse the victims, claiming they had not taken adequate precautions.
Under the Code of Banking Practice, banks are obligated to refund customers for unauthorised withdrawals unless the victims acted fraudulently or were “wilfully negligent”.
Asked about liability, Heersping said scam victims had been “fooled”.
“You’re not deliberately giving your details to a malicious actor. You’re tricked into it. It can be quite hard to tell.
“I’d say they’re no more liable than if someone’s jimmied their window open and stole their TV.
“There might be things they can do [to keep themselves safe], but the reality is they’re victims of a crime and I wouldn’t put the onus on individuals for falling for a phishing attack.”
Heersping said compromised devices could be “cleaned”, which involved a forensic check for malware, often returning the computer or phone to factory settings.
However, most people did not know what to look for and may not realise their device had been compromised until it was too late.
The quicker fraudulent transactions were reported, the more likely the money could be recovered by banks, Heersping said.
It was crucial to educate people about what to look out for and how to protect themselves online.
Police said they and other government agencies would never contact someone out of the blue asking for their password, credit card or bank details.
Anyone who believed they had fallen victim to a scam, in person, over the phone or online, should contact police.
“Police acknowledge the financial and emotional distress that falling victim to online scams can cause, and recommend taking a cautious approach to unsolicited emails and approaches online. Trust your gut instinct - if it doesn’t feel right, it probably isn’t.”
Consumer Protection NZ has information on how to prevent yourself, family and friends from being scammed.
The Financial Markets Authority provides advice to help avoid falling victim to online investment scams.
CERT NZ provides advice on how to respond to and avoid cyber security incidents.
TIPS TO STAY SAFE
- Use two-factor authentication for added security.
- Never give out your username, password or 2FA codes.
- Be aware of phishing attacks and think twice about clicking on suspect links.
- Report any malicious cyber attacks to CERT NZ.