Story image

CERT NZ: Email extortion & scams hit Kiwis hard in the pocket

12 Mar 2019

Despite ongoing efforts to raise awareness about online scams and fraud, New Zealanders are still losing staggering amounts of money.

CERT NZ’s Q4 2018 Quarterly Report puts the total amount lost to cybersecurity issues at $14 million in 2018, of which more than $8 million was lost to scams and fraud.

In the last quarter alone (October-December), CERT NZ received 1333 reports about cybersecurity issues. New Zealanders also lost $4.9 million due to scams and fraud.

“These scams are becoming increasingly professional, they generate a considerable amount of money so scammers evolve their approach and employ new methods to continue tricking people into paying up,” explains CERT NZ director Rob Pope.

Email extortion scams – in which scammers send threatening emails that trick people into paying money to make the problem disappear – accounted for 36% of all scam reports.

“We saw this type of scam evolve rapidly, from webcam blackmail emails that contained personal information like passwords in October, through to bomb threat emails in December. It’s more important than ever that Kiwis have a trusted source they can turn to for actionable advice to protect themselves online,” says Pope.

The bomb threat emails in December were concerning for many New Zealand businesses. The emails threatened to detonate a bomb in the company’s building if the business did not make payment. CERT NZ and many international partners issued an advisory about the hoax. 

Beyond email extortion scams, the report also highlights a significant number of phishing and credential harvesting reports (431), followed by 48 malware reports – more than double the number in Q3.

In one case study, the report tells the story of one New Zealand business with 20 regional offices that caught a malware infection. The malware was delivered by a phishing email that appeared to be from an accounting service.

A company employee clicked the link and unwittingly downloaded malware in the background. The malware is able to display a phony online banking page, which captured the employee’s login and two-factor authentication information.

The attackers access the company’s bank account from an overseas IP address, and it was only then that the bank noticed something was amiss. The bank notified the company.

“The business was concerned that removing the malware from their systems would impact their day-to-day operations. CERT NZ helped the business resolve the incident while maintaining their operations,” the report says.

CERT NZ also issued an advisory to share information about the threat.

“It’s CERT NZ’s job to help New Zealanders report the cyber security incidents they are impacted by and get the information they need to recover. These reports also allow us to aggregate our information alongside international sources to make sure New Zealanders have access to the most up-to-date information on cyber security threats,” says Pope.

If you or your organisation experience a cybersecurity threat – or if you suspect you may have been exposed to one – contact CERT NZ any time at www.cert.govt.nz or call 0800 CERT NZ, Monday to Friday, 7am – 7pm.

Apple launches revamped iPad Air & iPad mini
Apple loves tinkering with its existing product lines and coming up with new ways to make things more powerful – and both the iPad Air and iPad mini seem to be no exception.
Epson innovations and Mercedes-AMG Petronas Motorsport
The world’s greatest motorsport event, the Formula One Grand Prix World Championship, descended on Melbourne’s Albert Park over the weekend for the first race of the 2019 season.
Tesla unveils the Model Y SUV
After much anticipation, Tesla unveiled the Model Y last week – a vehicle that is described as an all-electric, mid-size SUV that can seat seven adults – and the vehicle has a glass roof.
Preparation for Tokyo 2020 Olympics begins - with robots
The Tokyo 2020 Olympic Games are quickly approaching, but it won’t just be a sea of athletes and sports fans – now robots will make up a significant part of the fan experience.
NZ ISPs block internet footage of Christchurch shootings
2degrees, Spark, Vodafone and Vocus are now blocking any website that shows footage of the mosque shootings.
How AI could warn civilians before a volcanic eruption
Advance monitoring could lead to better disaster planning and evacuation warnings in the event of an eruption.
Facebook launches dedicated home for its Gaming
"All of our work on the Facebook Gaming team adds up to helping build the world's gaming community."
Spotify calls out Apple's anti-competitive behaviour
Apple's App Store rules "purposely limit choice and stifle innovation at the expense of the user experience—essentially acting as both a player and referee to deliberately disadvantage other app developers".