But the degree of under-reporting is such that it’s hard to discern concrete trends from Cert NZ’s numbers, which rely on members of the public and small businesses coming forward.
Research by the Ministry of Business, Innovation and Employment (MBIE), which drew data directly from ANZ, ASB, BNZ, Co-op Bank, Heartland, KiwiBank, Rabobank, SBS, TSB, Unity and Westpac, found Kiwis lost $198.4 million (or roughly $50m per quarter) to scams – most perpetrated online – in the 12 months to September 30, 2023.
A Netsafe survey, carried out in concert with the Global Anti-Scam Alliance, estimated that total losses to cyber crime were $2.05 billion for the same period.
There were 1530 incidents reported to Cert NZ between January and March, or a 20 per cent drop from the prior quarter.
“A drop in incidents sounds like encouraging news, but we know cyber crime is significantly under-reported,” Cert NZ acting director Sue Critchlow said.
Rob Pope – the veteran former cop best-known for his role leading the Ben Smart-Olivia Hope murder investigation – was named Cert NZ’s founding director when the agency was created in 2017, but decamped to WorkSafe in March on the heels of a restructure that saw the previously-independent Cert NZ moved under the GCSB’s National Cyber Security Centre (NCSC).
The Herald understands Pope’s role might not be directly replaced under the new NCSC-led arrangement.
“The structure of the newly-aligned Cert NZ and NCSC is still to be finalised,” a Cert NZ spokesman told the Herald.
“The drop in reporting is quite concerning and we are working on updating our reporting tools to help with this, as well as trying to create an understanding of what happens when you report a cyber incident.”
Individuals are sometimes too sheepish to admit an attack to Cert NZ (or simply don’t know the agency exists), while small businesses can fear reputational damage.
Cert NZ – which acts as a triage unit, pointing people to the right law enforcement or IT help after a data breach or phishing incident (when someone is conned into giving up a password or other sensitive data) – wants to emphasise that reports are treated confidentially.
New system could be thwarting phishing attacks
While a 1 per cent drop in reported scams and frauds (487) over the prior quarter has to be taken with a grain of salt, given the depth of under-reporting, a 36 per cent drop in reports of phishing and credential harvesting (to 699) could reflect the free Phishing Disruption Service (PDS) offered by Cert NZ.
“Part of the drop in phishing reports might be due to the Phishing Disruption Service,” the spokesman said.
“The PDS does a great job of running in the background and protecting people without them even noticing.”
The PDS complements the broader Malware-Free Networks (MFN) threat detection, disruption and intelligence system that the GCSB’s NCSC unit created for larger New Zealand organisations. MFN was piloted by One NZ and now also includes Spark and others. The telcos have also introduced new systems for filtering scam text messages.
Cert NZ hopes to have some concrete numbers on the PDS in a future report.
Unlike across the Tasman, New Zealand’s Budget 2024 had no major new cyber security initiatives (or tech initiatives full-stop).
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.