Quarter Three Report 2019

Phishing emails are sent to large email lists to reach as many people as possible. They can be hard to spot as attackers often make them look like they’re from a well-known organisation. The emails usually replicate the organisation’s branding, use similar language and URLs, and spoof the email address to appear legitimate.

Spear phishing emails are more targeted than generic phishing emails and can be a precursor to business email compromise. Attackers often have specific knowledge about the recipient or their organisation—usually found by researching websites and social media—making them seemingly more legitimate and harder to spot.

Whaling is similar to spear phishing, but usually targets senior executives within a business to trick them into sharing high-level information and making financial transactions.

Vishing (voice phishing) is phishing attempted via a phone call. The attackers pretend to be from well-known organisations and usually say they are calling to help the recipient with a service like their computer software, finances or tax refund—you might have heard of the ‘Microsoft tech support’ vishing scams.

Smishing (SMS phishing) is phishing distributed via SMS or text message. These campaigns are low cost and low effort for attackers who send out masses of text messages to blocks of phone numbers. Like generic phishing, they’re large scale and less targeted— the SMS or text aims to trick recipients to click on a URL, visit the phishing website and enter their credentials.

Search engine phishing is when attackers use search engine optimisation techniques to ‘promote’ their phishing websites to the top of search results, where they can be mistaken for legitimate versions of websites. These can be difficult to tell apart from the real websites as they often copy the branding and use similar-looking URLs.

Use unique passwords on all your online accounts (and password managers to help remember them)—that way if you lose your account information in a phishing attack, your other accounts won’t be impacted and you’ll only need to update the password for the compromised account.

Use multi-factor authentication (MFA) on accounts where possible. Including this additional login step provides an extra layer of security to help protect your personal and financial information. That way, even if someone got your password, they’d still need to get past this additional security.

Check the links. If you’re unsure about an email you’ve received, hover over the links in the email to check if they’ll go to a legitimate website. If the email looks to be from someone you know, check the sender’s email address is correct.

Ask someone. If you’re unsure about a message you’ve received, it’s a good idea to check it with a colleague, friend or family member. There’s no shame in asking for help.

Report it. If you’ve received a phishing email or you’ve responded to one, get help quickly by reporting it confidentially to CERT NZ. We’ll help you work out the steps you need to secure your accounts, and your report means we can get the message out to help protect others.

Report to CERT NZ External Link

This positive trend indicates that although cyber attacks are on the rise, the over 65 age group are taking the simple security steps to help build their online resilience and increase their ability to protect themselves and their finances from scams and attacks.

CERT NZ’s targeted awareness programmes like Get Password Smart and our partnerships with national organisations including SeniorNet have been one of the ways we’ve worked with this age group to actively engage them in easy ways to keep secure online.

Although this is good news for the over 65s, our data shows that cyber attacks continue to make a big financial impact on every day New Zealanders. Losses reported by the 45 – 55 age group have climbed this year from $271,279 (Q1) to $1,112,012 (Q3), an increase of more than 300%. We’ve also seen increases of more than 55% in direct financial loss from the under 18 and 18 – 24 age groups—with scams and fraud remaining the largest category for both incidents and direct financial loss reported. 

Gathering data on age furthers our understanding of how cyber security incidents are impacting New Zealanders. It helps inform the focus of our upcoming campaigns and outreach programmes as we continue to engage all New Zealanders with simple security measures to help boost their online resilience.