Quarter Two: Cyber Security Insights 2022

This quarter, CERT NZ responded to 2,001 incident reports about individuals and businesses from all over New Zealand. This report shares information around these incidents as well as highlighting examples of work CERT NZ is doing to help.

There are 2 parts to the report:

An Insights report focusing on selected cyber security incidents and issues.

A Data Landscape report providing a standardised set of results and graphs for the quarter.

• Q2 2022 Cyber Security Insights Report [PDF, 2.2 MB]
• Q2 2022 Data Landscape Report [PDF, 729 KB]

Highlights

Number of incidents responded to

A total of 2,001 incidents were responded to in Q2 2022.

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category.

Focus area: 'Phone spoofing' impacting bank customers

How is this happening?

1. The scammers use intermediary software that generates signals to change the displayed caller ID.
2. Once the attacker has the target on the phone, they use social engineering tactics to try and get the financial information or access they are seeking.
3. To sound more plausible, attackers are often using scripts and dialogue similar to those used by the bank call centres. In many cases, they pretend to be from a bank’s fraud centre and say they’ve detected unauthorised access of the recipient’s account. In some cases, they use fear or urgency to get the recipient to act.

How to tell if you're being called by a scammer

If you receive a phone call from a person claiming to be from your bank, even if the phone number looks similar to the bank’s phone number, there are some red flags that can help you identify if the call is legitimate.

With a bank scam call, the scammer will usually do one of the following:

• Ask the recipient to download remote access software under the pretext of being able to walk the customer through a necessary process.

• Trigger a SMS code that is sent to the recipient’s phone. This is a code to either gain access or authorise a transfer, but the attacker will say it is a 'cancellation code' or something similar, and ask the recipient to read it out.
• Ask for the recipient’s bank account log in information or full credit card number.

What to do if you think it’s a scam call

• CERT NZ strongly recommends ending the call and hanging up if you have any concerns about the legitimacy of a call.
• Then find the bank’s phone number from the bank’s website or on the back of your bank card and call them. This way you'll find out if the original call was genuine.

In some cases, when a recipient tries to end a call, the scammer will use fear and urgency tactics to try and convince the recipient to stay on the call and respond to the request.

Protect yourself and your bank accounts from scam calls

• Enable two-factor authentication (2FA) on your bank account. This adds an extra security layer on top of your password, like a code sent to your phone. That way if an attacker gets your login details, they still won’t be able to access your account. Never share these codes with anyone. Your bank will never ask you for a 2FA code.
  
  Two-factor authentication
• If you have clicked on a suspicious link or received a call where you’ve provided a 2FA code, contact your bank immediately and report the incident to CERT NZ.
  
  www.certnz.govt.nz/report
• Never give out account information, credit card details or remote access to your devices. Your bank will never ask for this information.

Insight: Romance scams

At the heart of scams and fraud

Scams and fraud are consistently one of the most reported categories to CERT NZ.

In quarter two, New Zealanders reported over 500 incidents about scams and fraud, and 92% of these reports (486) were about individuals – with a total direct financial loss of $3.2 million.

Of the types of scams and fraud reported, ‘buying and selling of goods online’ is consistently the most reported. This quarter, ‘dating and romance scams’ was the second most reported, with the number of incidents in this category steadily increasing across the past four quarters.

Romance scams

A romance scam is when a scammer takes advantage of someone looking for a relationship online.

Scammers will use dating websites and apps or social media to build a relationship with someone. Once they’ve gained the person’s trust, the scammer will start to ask for money, gifts, personal details or they will make unusual requests that can be used to commit fraud or to exploit the individual.

More recently, CERT NZ has seen reports where romance scammers are building trust to try and trick the individual to buy into crypto investment scams. The scammers often use fake profiles to make it harder to track them down.

Preventions, checks and red flags

• Avoid giving out too much personal information online, including on social media or by email.
• If you’re unsure about a connection, reverse image search can help identify if the image has been used elsewhere or doesn’t match the identity of the person they are claiming to be. You can do this by uploading the image to a search engine.
• Avoid responding to requests for financial help, making investments or sending money. This includes sending money to enable them to meet you in person.

• Sometimes there are multiple scammers working together, look out for inconsistency in communication style.
• If the contact is not willing to meet up or talk via video call, or comes up with a series of excuses to avoid meeting, they could be a scammer.

If you think you may have experienced a romance scam or are concerned about a connection you’ve made, we can help. Please report confidentially to CERT NZ.

www.cert.govt.nz/report