Reported financial losses from cybercrime stood at $6.6 million in the final three months of 2021 - a record for the December quarter, and double the amount lost in the September quarter.
That's according to the latest quarterly report by the Government's Computer Emergency Response Team (CertNZ).
While two-thirds of incidents involved losses of less than $500 to hackers or online scammers, 10 people were taken for more than $100,000, versus seven in the prior quarter.
For the full year 2021, a total of $16.8m in financial losses were reported to CertNZ - a slight dip from 2020's $16.9m.
But the number of incidents reported to CertNZ in the December quarter - 3977 - was a record by any measure. It represented a 92 per cent jump on the September quarter, and a 13 per cent increase on the year-ago quarter.
How many are being hit?
In the US, an FBI report estimated that only 15 per cent of cyber incidents are reported.
Threat analyst Brett Callow said there was likely to be "massive under-reporting" here, too. There is always sheepishness about commercial or reputational damage.
And on top of that, many simply don't know that CertNZ exists, and that all cyber incidents should be reported via its website (cert.govt.nz) or via 0800 CERT NZ (0800 237 869).
CertNZ director Rob Pope told the Herald this morning:
"We know that our reporting numbers don't capture the entire picture of cyber threats in New Zealand.
"However, the large increase in reports is heartening as it shows that every year more New Zealanders know that, when they see or are impacted by an incident, they can report it to us and get help without their identity or organisation being revealed."
The largest threats and scams
Fallout from "Flubot" continued in the fourth quarter, with complaints about the text scam accounting for around two-thirds of incidents reported.
The scam began as a text message that purports to be from a courier company, asking you to click a link to receive a parcel.
It later morphed into a message saying you had been tagged in an online photo album and other variants.
But the scammers' intent is always the same: to get you to click on a link that purports to offer a service, but will download Flubot malware on to your Android phone (iPhones are not targeted) - which can steal details such as your bank account login.
Flubot also accesses your phone's address book then texts a message to all your contacts.
The precautions remain the same: Be wary of any text that purports to be from an organisation if it comes from a regular cellphone number. It's a red flag. Phone the organisation involved - via the number you get from its website - to confirm the request.
Banks, courier companies and the likes of the Ministry of Health typically use a short messaging service platform that sends text messages from a four-digit code.
For example, if the Ministry of Health has sent you a text about collecting a RAT, you'll see it comes from 2328, not a regular mobile number.
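The sender check described above (short code versus regular mobile number, plus a message that claims to be from an organisation or carries a link) can be applied mechanically to a batch of messages. The following is an added example, not code from CertNZ or the Herald; the number patterns, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re

# Constructed sample messages (not from the CertNZ report). Links use the
# reserved .invalid domain so nothing here resolves.
SAMPLE_SMS = [
    {"sender": "2328", "body": "Ministry of Health: your RAT order is ready for collection."},
    {"sender": "+64211234567", "body": "NZ Post: your parcel is waiting, confirm delivery at http://example.invalid/track"},
    {"sender": "+64275551234", "body": "You've been tagged in a photo album! See it here http://example.invalid/album"},
    {"sender": "+64212223333", "body": "Running late, see you at 6"},
]

# Assumed patterns: a 3-5 digit SMS short code, and an NZ mobile number in
# either +64 2x... or 02x... form.
SHORT_CODE = re.compile(r"^\d{3,5}$")
NZ_MOBILE = re.compile(r"^(\+64|0)2\d{7,9}$")
URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed keywords that suggest the message purports to come from an
# organisation or uses a known Flubot-style lure (parcel, tagged photo).
ORG_KEYWORDS = ("nz post", "courier", "bank", "ministry", "parcel",
                "delivery", "tagged", "photo album")


def classify_sender(sender):
    """Return 'short_code', 'mobile' or 'other' for a sender string."""
    s = sender.replace(" ", "")
    if SHORT_CODE.match(s):
        return "short_code"
    if NZ_MOBILE.match(s):
        return "mobile"
    return "other"


def triage_sms(msg):
    """Flag a message that looks organisational but comes from a non-short-code sender."""
    sender_kind = classify_sender(msg["sender"])
    body = msg["body"].lower()
    has_link = URL.search(body) is not None
    claims_org = any(k in body for k in ORG_KEYWORDS)

    reasons = []
    if claims_org and sender_kind != "short_code":
        reasons.append("organisation-style message from a regular number")
        if has_link:
            reasons.append("message also carries a link")
    verdict = "suspicious" if reasons else "ok"
    return {"sender_kind": sender_kind, "has_link": has_link,
            "verdict": verdict, "reasons": reasons}


def summarise(messages):
    """Count verdicts over a batch of messages."""
    counts = {"ok": 0, "suspicious": 0}
    for m in messages:
        counts[triage_sms(m)["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for m in SAMPLE_SMS:
        result = triage_sms(m)
        print(m["sender"], result["verdict"], "; ".join(result["reasons"]))
    print(summarise(SAMPLE_SMS))
```

A "suspicious" verdict here is only a prompt to follow the advice in the article: call the organisation on the number published on its own website rather than acting on the text.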
Ransomware fell away in the fourth quarter, from 18 incidents in the prior period down to 13, while reports of direct hacking - that is, breaking into a computer network - remained low. Scams that rely on people clicking a dodgy link remain easily the largest threat.
Do we need to worry about Putin's hacker army?
CertNZ, which covers individuals and small businesses, steered the Herald to the GCSB for a response to this question.
Even before Russia unleashed waves of cyber attacks on Ukrainian institutions as a precursor to its physical invasion (according to Microsoft, which says it helped to repel them), our spy agency was warning about an increase in attacks from state-sponsored hackers.
The latest annual report from the GCSB-run National Cyber Security Centre (NCSC), for the year to June 2021, reported 404 attacks on the "organisations of national interest" (such as government agencies and key exporters) who sit under the spy agency's umbrella of cyber-protection.
And of those 404 attacks, 110 were pinned on politically motivated state-sponsored actors - a 28 per cent increase over the previous year.
In a written response this morning, GCSB director-general Andrew Hampton said, "The National Cyber Security Centre is focused on the heightened potential for malicious cyber activity impacting New Zealand organisations as a consequence [of the] Russian invasion of Ukraine."
The spy agency was in contact with its international peers, and sharing information across government agencies and private sector partners.
"Alongside heightened tensions, there is an increased potential for cyber attacks. These may have a serious impact, even for countries and organisations not directly targeted," Hampton added, citing the NotPetya malware (2018) and SolarWinds compromise (2020), both of which reportedly emerged from Russia.
There have so far been no reports of any Russian attacks on NZ institutions since the Ukraine invasion began, but Hampton notes: "There have been several instances in the past two years where New Zealand has called out Russian malicious cyber activity."
Will everyday users be in the gun?
Do everyday internet users need to be worried about Kremlin-controlled hackers?
While there is little percentage for Putin in disabling Mary Smith's iPad in Papamoa, there are a number of precedents for malware created to attack nation-states getting loose in the wild.
And regardless, it pays to follow good security practices, Pope says.
"CertNZ's advice on how to protect yourself or your business doesn't change [with the Ukrainian invasion]," Pope says.
"The four basic steps of strong unique passwords, regular software updates, two-factor authentication, and keeping your personal information safe, do not change.
"And for companies, our 10 critical controls outline the areas that businesses need to focus on to better allocate assets."