Quarter One Report 2019

This quarter, CERT NZ received 992 reports. This is the second highest number of incidents reported in a quarter to date. These incidents show that everyday New Zealanders and organisations continue to be affected by cyber security issues.

Some examples include:

Both organisations (61%) and individuals (39%) experienced direct financial loss
96 reports of unauthorised access, the highest number in a quarter to date
Email extortion campaigns make up 50% of all scam and fraud incidents.

Quarterly Report: Highlights [PDF, 689 KB]

Quarterly Report: Data Landscape [PDF, 975 KB]

Highlights

992 incidents reported in quarter one.

$1.7 million in direct financial losses was reported in quarter one.

Phishing made up 45% of all incidents reported, the largest incident category in quarter one.

75% of financial losses were attributed to scams and fraud.

Results by numbers

Number of incidents reported by quarter

Number of incidents reported per quarter

We received 992 reports in the first quarter of 2019. This is the second highest number of incidents reported to CERT NZ in a quarter since its establishment.

dsfdsfd

Results by incidents

Breakdown of incident category

Phishing and credential harvesting, scams and fraud, and unauthorised access have consistently been highest incident categories since quarter four, 2017.
Results by category of incident

Scam and fraud incidents

Graph showing percentage of scam and fraud incidents

Scam and fraud incidents decreased in quarter one, to 33% of all reports received – down from 50% in quarter four 2018. Despite the decline in reports, financial losses experienced as a result of scams and fraud made up 80% of the total in quarter one.

Top three types of scam and fraud incidents in quarter one were:

- 53% email extortion scams

- 24% scams related to buying and selling goods online

- 6% invoice scams

CERT NZ expects to see these types of scams evolve, with new variants being introduced as people become aware of scammers tactics.

Increasing number of unauthorised access reports

Graph showing numbers of unauthorised accesses
CERT NZ received the highest number of unauthorised access in a quarter so far, with a 19% increase on the previous quarter. Just over two thirds of these were about individuals.

Unauthorised access can be costly, in this quarter 30% of incidents reported financial losses, totalling $329,000.

Attackers targeted a range of account types like online banking, social media, cloud services and email. They do this for financial gain and to collect private information about the account holders and their contacts.

Business email compromise

A common type of unauthorised access reported in quarter one was business email compromise.

This is when an attacker gains access to an employee’s email account and carries out scams or attacks, like sending phishing emails or fake invoices to the business’ contacts to access information and finances. The impact can be wide reaching, affecting not just the business but their suppliers and customers as well.

One of the ways that attackers gain access to a business email is by getting an employee’s password. Attackers get passwords in a number of ways, including guessing weak passwords, acquiring them from a previous phishing campaign or through a credential dump—an online list of leaked usernames and passwords. Reports of business email compromise in quarter one included attacks on cloud-based services, like Microsoft Office 365 and Google G-Suite, to send phishing campaigns and ultimately gain access to the business’ wider network. As more and more businesses move to cloud services, CERT NZ predicts that attacks on these platforms will increase.

Business email compromise can also lead to attackers accessing invoice information. This can lead to false invoices being sent out that are hard to detect.

Tip: Protect your business with two-factor authentication

A key mitigation that CERT NZ recommends for these types of attacks is applying two-factor authentication (2FA) to cloud and email accounts.

Protect your accounts with 2FA

Other mitigations include checking invoices and reviewing your business processes to make sure they don’t only rely on email. Verify payments to new or different accounts by phone before making a bill payment to help prevent losses.