CERT NZ director Rob Pope says although reported incidents dipped in the fourth quarter, risks are getting more severe. Photo / Supplied
Reported cyber-security incidents jumped by 65 per cent to 7809 in 2020, Crown agency CERT NZ says in its latest report.
It was a year that began with high-profile attacks on F&P Appliances, Toll Group and Lion, and ended with the NZX being overwhelmed by a Distributed Denial of Service attack and an embarrassing data breach for the Reserve Bank - already criticised by its own chief technology officer for sticking with an outdated file-sharing service. In between, thousands of small businesses and individuals were hit.
CERT (the Computer Emergency Response Team) says reported losses only increased modestly, from $16.7m to $16.9m - but experts say losses can be hard to quantify, and are not always reported by people or companies, who do not want to admit being duped.
CERT director Rob Pope said that although substantial, those incidents reported were "just the tip of the iceberg."
The agency saw big increases in phishing attacks, credential harvesting, scams and fraud - in short, various methods used by hackers to trick you into handing over personal details and passwords by pretending to be someone - or some organisation - they're not.
Governments worldwide have tracked similar surges in online attacks.
In part, the phenomenon has been put down to "bad state actors" increasingly using malware as a geopolitical weapon, including what the Biden administration saw as China's mass attack on Microsoft Outlook users.
But earlier, AUT computer science professor Dave Parry said it had partly been driven by the pandemic. Covid-19 had driven many to work from poorly-protected home offices just as a lot of organised crime was turning to the internet as a new source of revenue, as lockdowns reduced opportunities for "real-world" theft.
And earlier this month, Kordia chief information security officer Hilary Walton pointed to survey results that indicated many companies thought they were doing a better job at cyber-security under the "new normal" than was actually the case. IT bosses thought they were getting the message across, while staff were often confused, or simply not following the drill. One-third confessed to using the same password for multiple services.
Another concern raised by the same survey: at least 15 per cent of parents were letting their kids play on the devices they use for work.
Reactions in different countries have differed in terms of urgency.
In the US, President Joe Biden recently launched an emergency taskforce to address the aggressive cyberattack on hundreds of thousands of Microsoft Exchange customers around the world. After a wave of cyber-attacks against Australia last year, Prime Minister Scott Morrison said his country needed to put itself on a "war-footing" against hackers, and announced A$1.35 billion ($1.4b) in new spending to support efforts to defend the country's public and private networks - a stark contrast to single-digit million increases at NZ's last Budget. Here, new Digital Economy and Communications Minister David Clark told the Herald last week, "Any increase to cybersecurity spending is subject to Budget decisions. Decisions on Budget 2021 are still being considered."
Although there was a modest tail-off in reported incidents in the fourth quarter, Pope warns that the overall trend is up, and that the level of risk is rising.
And as Juha Saarinen points out, there's been an increase in the severity of attacks.
Retrieving $500K after an invoicing scam
It can be tricky for police to apprehend hackers or retrieve stolen data or money defrauded by cyber-scammers.
But increasing international co-operation means it can happen and prosecutions do happen.
Late last year, the owner/operator of a business reported a scam to CERT NZ, the agency reports.
The owner had received what they thought was a legitimate email from an overseas supplier with details of a new bank account, requesting the business make invoice payments to the new account number.
The business updated the account details and paid the supplier's invoice. It wasn't until after the payment had been made that the business became concerned it was a scam, and reported the incident to CERT NZ.
The agency worked with the business and discovered an attacker had likely accessed the supplier's email account and sent the scam email in an attempt to redirect any payments to their account instead.
CERT NZ quickly referred the incident and reported financial loss to NZ Police's Cyber Crimes Unit.
Through their network of international partners, NZ Police helped track the transaction and recover the large payment, before it had reached the attacker's account.
The moral of the story: your best shot at recovery is to report a cyber-security incident to CERT NZ, which can in turn refer your case to the right law enforcement contacts.
Both police and CERT NZ recommend against paying a ransom to retrieve data. There's no guarantee you'll get your files back, or that their contents won't later be used to embarrass or blackmail you regardless. Police also caution that paying up - although legal - encourages more offending.
Protecting yourself
The advice from CERT and other experts is:
• Do not trust any invoice sent by email (always confirm by phone if it is a substantial amount)
• Never share a password or logon by email or phone (a legitimate organisation will ask you to reset it yourself, if need be)
• Use a different password for every account - and a password manager to manage all your logons
• Keep all your software up-to-date, not just your security software.
• If your home WiFi router is several years old, it could be a major weak point in your internet security. Call your ISP and arrange for an upgrade.
• Back up all your files - including "cold" backups of key files (that means offline, as well as a cloud or online service).
• Where possible, use two-factor authentication, such as a code sent to a smartphone, for logons to an account from a new device.
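The invoice scam described above turns on one event: a supplier's bank account "changing" via an email. The following is an added example, not code from CERT NZ, NZ Police or the Herald, of how an accounts-payable system can enforce the "confirm by phone" advice mechanically: a payment to an account that differs from the vendor master record is held unless a recent phone callback to the number recorded at onboarding (never a number taken from the email) has been logged. Vendor names, account numbers, phone numbers and dates are all constructed sample data, and the function and record names are hypothetical.

```python
"""Payment-detail change guard (added example, hypothetical code).

Models the control behind "do not trust an invoice sent by email; confirm
by phone": a changed bank account is only honoured after an out-of-band
callback to the phone number already on file for the vendor.
All data below is constructed for the example."""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Vendor:
    name: str
    bank_account: str   # account recorded at onboarding (vendor master)
    phone_on_file: str  # number recorded at onboarding, NOT from any email


@dataclass
class Invoice:
    vendor: str
    amount: float
    bank_account: str   # account the invoice/email asks to be paid into
    received: datetime


@dataclass
class Verification:
    vendor: str
    new_account: str
    method: str         # only "phone-callback" counts as out-of-band here
    number_called: str  # number actually dialled for the callback
    when: datetime


@dataclass
class Decision:
    approve: bool
    reason: str


# A callback older than this must be repeated before the change is trusted.
VERIFICATION_VALIDITY = timedelta(days=7)


def check_payment(inv, vendors, verifications, now):
    """Approve only if the account matches the vendor master, or the change
    was confirmed by a recent callback to the number on file."""
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return Decision(False, "unknown vendor; onboard before paying")
    if inv.bank_account == vendor.bank_account:
        return Decision(True, "account matches vendor master")
    # Account differs from the record: look for a valid out-of-band check.
    for v in verifications:
        if (v.vendor == inv.vendor
                and v.new_account == inv.bank_account
                and v.method == "phone-callback"
                and v.number_called == vendor.phone_on_file
                and timedelta(0) <= now - v.when <= VERIFICATION_VALIDITY):
            return Decision(True, "account change verified by callback on "
                            + v.when.date().isoformat())
    return Decision(False, f"bank account changed from {vendor.bank_account} "
                    f"to {inv.bank_account}; hold until confirmed by phone "
                    f"on {vendor.phone_on_file}")


# ---- constructed sample data -------------------------------------------
NOW = datetime(2021, 3, 1, 9, 0)
VENDORS = {
    "Acme Components": Vendor("Acme Components", "12-3456-0789012-00",
                              "+64-3-555-0100"),
}
# The "new account" email that the scam in the article relies on.
CHANGED_INVOICE = Invoice("Acme Components", 500_000.0,
                          "98-7654-0321098-00", NOW)
GOOD_CALLBACK = Verification("Acme Components", "98-7654-0321098-00",
                             "phone-callback", "+64-3-555-0100",
                             NOW - timedelta(days=1))
# Callback made to a number that appeared in the suspicious email itself.
EMAIL_NUMBER_CALLBACK = Verification("Acme Components", "98-7654-0321098-00",
                                     "phone-callback", "+64-9-555-0199",
                                     NOW - timedelta(days=1))
STALE_CALLBACK = Verification("Acme Components", "98-7654-0321098-00",
                              "phone-callback", "+64-3-555-0100",
                              NOW - timedelta(days=30))


def run_samples():
    """Return the guard's decision for each constructed scenario."""
    return {
        "no_verification": check_payment(CHANGED_INVOICE, VENDORS, [], NOW),
        "callback_to_number_on_file": check_payment(
            CHANGED_INVOICE, VENDORS, [GOOD_CALLBACK], NOW),
        "callback_to_number_in_email": check_payment(
            CHANGED_INVOICE, VENDORS, [EMAIL_NUMBER_CALLBACK], NOW),
        "stale_callback": check_payment(
            CHANGED_INVOICE, VENDORS, [STALE_CALLBACK], NOW),
    }


if __name__ == "__main__":
    for label, d in run_samples().items():
        print(f"{label:30s} approve={d.approve}  {d.reason}")
```

The important design point is which phone number counts: a callback to a number supplied in the same email that announced the change proves nothing, because the attacker who controls the supplier's mailbox also wrote that number, so the guard only accepts the number already held in the vendor master.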