Summary

This quarter, the National Cyber Security Centre handled 1,358 incident reports through its two distinct triage processes. Of these, 100 incidents were triaged for specialist support because of their potential national significance. This is a slight increase from 98 incidents of potential national significance in Q3.

1,258 reports were received through the CERT NZ online reporting tool and handled through the NCSC's general triage process. This is a 34% decrease in the number of incidents from 1,905 in Q3. Financial loss in the same period went up by 24% from $5.5M to $6.6M.

We saw 17 incidents with losses over $100,000. This is the largest number of high-loss incidents we have seen in a quarter.

These incidents are quite varied— ranging from cyber attacks on computers and accounts, to cryptocurrency, investment and romance scams.

We saw a number of incidents that started with a scam phone call, where the attacker went on to carry out unauthorised money transfers or trick people into sending money. In this report, we have explained how some of these phone scams work and how to identify them. We also take a detailed look at what botnets are and how criminals can use your device to take part in cyber attacks without your knowledge.

You can also find more about Malware Free Networks - the NCSC's award-winning service that works to detect and disrupt malicious cyber activity and to keep your network free from it.

There was a significant decrease (54%) in reports of phishing and credential harvesting. A drop in reports doesn't mean there’s less cybercrime. We know cybercrime is underreported and we need your reports to better understand and respond to the threats New Zealand faces. When you report to us, we can alert other New Zealanders and help protect them from cyber attacks and scams.

You can report any incident to us - big or small - using our online reporting tool. The information you provide is treated as confidential and will not be shared with other agencies without consent.

Report an incident - business and individuals | CERT NZ

Data highlights

The NCSC responded to 100 incidents affecting nationally significant organisations or with potential to cause national harm. This is a slight increase from 98 in Q3.

1,258 incidents were handled through the NCSC's general triage process in Q4, down 34% from Q3 2024.

The most significant decrease was in the number of incidents of Phishing and Credential Harvesting, which went down 54% from Q3 2024 .

$6.8m in direct financial loss was reported in Q4, up 24% from $5.5M in Q3 2024. 32% of incidents reported financial loss.

Number of incidents

A total of 1,358 incidents were recorded in Q4. Of these, 1,258 were handled through the NCSC's general triage process.

YEAR	QUARTER	INCIDENTS
2024	4	1,258
2024	3	1,905
2024	2	1,203
2024	1	1,537
2023	4	1,903
2023	3	2,136
2023	2	1,950
2023	1	1,968

Breakdown by incident category

The most commonly reported category in Q4 was Scams and Fraud.

Phishing and Credential Harvesting, which is usually the most commonly reported category, saw a 54% decrease from 823 in Q3 to 382 in Q4, and was the second most commonly reported type of incident.

Incident category	Incident count	Change from previous quarter
Scams and fraud	506	-15%
Phishing and credential harvesting	382	-54%
Unauthorised access	205	-32%
Website compromise	46	-18%
Malware	16	-45%
Ransomware	11	-15%
Denial of Service	5	400%
Attack on a system	3	N.A
Suspicious network traffic	1	-50
Botnet traffic	0	-100%
C and C server hosting	0	-100%
Other	84	5%

Financial loss

32% of incidents handled through the NCSC's general triage process reported an accompanying financial loss in Q4. The total reported financial loss was $6.8M, up 24% from $5.5M in Q3.

The total financial loss in the last eight quarters is $44M and the average loss per quarter $5.5M.

YEAR	QUARTER	Financial loss
2024	4	$6.8M
2024	3	$5.5M
2024	2	$6.8M
2024	1	$6.6M
2023	4	$3.6M
2023	3	$4.7M
2023	2	$4.2M
2023	1	$5.8M

Incidents with potential national significance

The NCSC responds to incidents affecting nationally significant organisations or with potential to cause national harm. We triage these into a scale that considers the organisational impact and the severity of the incident.

In the fourth quarter of 2024, the NCSC recorded 100 incidents with potential national significance.
Of these:
• 20 were triaged as C6 – minor incidents,
• 59 as C5 – routine incidents,
• 17 as C4 – moderate incidents, and
• 4 as C3 – significant incidents.

There were no reports of C2 - highly significant incidents, or C1 - national cyber emergency.

Incidents in the C3 category doubled compared to a typical quarter. This included unusual distributed denial-of-service (DDoS) against organisations in the financial sector and a ransomware incident that impacted the customer services of an organisation in the information media and telecommunications sector. There was also an 30% increase in the number of incidents categorised as C5 compared to the previous quarter.

Incidents by suspected actors

Of the 100 incidents,

21 were assessed to be likely linked to state-sponsored actors,
36 were assessed to be likely linked to cybercrime actors, and
43 did not have enough evidence to link the activity to a known malicious actor.

There was an 30% decrease in the number of incidents reported to the NCSC which indicated links to state-sponsored actors in a typical quarter. Of the 36 incidents assessed to be likely linked to cybercrime actors, most involved reconnaissance activity through the theft of credentials or resource development to acquire infrastructure.

Techniques, tactics and procedures (TTPs)

The NCSC maps the malicious cyber incidents it responds to using the MITRE ATT&CK framework. This helps us understand how malicious cyber actors are targeting New Zealand. For more information see attack.mitre.org External Link .

In Q4, consistent with the previous reporting period, reconnaissance activity was observed most frequently by the NCSC (50 times). Within this activity, most cyber actors were gathering victim credentials or IP addresses, or scanning victim networks for vulnerabilities.

The next three most commonly seen tactics were:

30 - initial access;
21 - resource development; and
18 - credential access.

Phishing Disruption Service

NCSC’s Phishing Disruption Service (PDS) is a free service that provides a verified list of New Zealand specific phishing indicators that organisations can act on and block from their network.

When you get a phishing link via text or email, you can forward it to phishpond@ops.cert.govt.nz. The incident response team then analyses the links it receives, also called phishing indicators, and publishes verified ones to the PDS. NCSC’s response team also proactively identifies phishing sites and blocks them before they can be used to target New Zealanders.

In Q4, NCSC processed 11,252 phishing indicators of which 995 were published to the PDS. The industry that was most impersonated by phishing scammers this quarter was financial services.

Malware Free Networks® (MFN®)

MFN is a threat detection and disruption service that provides near real-time threat intelligence reflecting current malicious activity targeting New Zealand organisations.

In Q4 2024, 162,018,985 malicious threats were disrupted and 5,071 unique indicators were tasked by MFN.

You can read more about Malware Free Networks in the Q4 Cyber Security Insights report.

Keeping the malware away

The NCSC's Phishing Disruption Service (PDS) and Malware Free Networks (MFN) are complementary capabilities that enable the NCSC's strategy to protect New Zealand from cyber threats. Work is currently underway to simplify, streamline and rationalise the NCSC's disruption capabilities to make it easier for organisations of all sizes to access our services.

Subscribe for updates

Sign up to our quarterly newsletter to receive NCSC's reports and updates.

Subscribe External Link