- Incidents and referrals
- Breakdown by incident category
- Breakdown of scams and fraud incidents
- Breakdown of incidents affecting individuals
- Breakdown of incidents affecting organisations
- Breakdown of reported vulnerabilities
- Demographics: Reporting by sector
- Demographics: Reporting by age
- Impacts: Direct financial loss
- Impacts: Types of loss
- About our information
- Incident categories we use
Incidents and referrals
Between 1 April and 30 June 2024, a total of 1,203 incidents were reported to CERT NZ.
Of these:
- 786 (65%) were responded to directly by CERT NZ
- 349 (29%) were referred to New Zealand Police
- 32 (2.7%) were referred to the New Zealand Telecommunications Forum (TCF)
- 16 (1.3%) were referred to the Department of Internal Affairs (DIA)
- 10 (<1%) were referred to the Commerce Commission
- 5 (<1%) were referred to Consumer Protection NZ
- 4 (<1%) were referred to the National Cyber Security Centre (NCSC)
- 1 (<1%) were referred to the Office of the Privacy Commissioner (OPC)
Breakdown by incident category
There was small decrease in the number of reports of Scams and Fraud from 494 in Q1 to 434 in Q2. We saw little change in the number of incidents of Unauthorised Access. However, the reported loss for this category changed from $390,000 in Q1 to $3.6m in Q2.
We define all the incident categories in the appendix of this report – incident categories we use.
Breakdown of scams and fraud incidents
Of the incidents responded to during Q2 2024, 36% (434) were about Scams and Fraud. This incident category consistently features in the top three reported via the CERT NZ reporting tool.
During Q2, there were 189 reports on scams involving Buying, Selling or Donating Goods, a 24% decrease from 248 in Q1. Scams relating to A New Job or Business Opportunity Offer increased in Q2 with 58 reports received compared to the 46 incidents reported in Q1.
Incidents affecting individuals
In Q2 2024, 831 (69%) incidents were reported as affecting individuals.
The largest category affecting individuals this quarter is Scams and Fraud which accounts for nearly half (48%) of the individual reports. The number of Phishing and Credential Harvesting reports decreased from 247 in Q1 to 223 in Q2 – a 10% decrease. Over half of the reported financial loss was from Unauthorised Access which accounted for $3.5M of the $6.5M reported by individuals.
Incidents affecting organisations
In Q2 2024, 72 (6%) incident reports specified that they affected organisations, compared with 113 (7%) in Q4 2023.
Phishing and Credential Harvesting continues to be the largest category of incidents reported to us by organisations, accounting for 32% of incidents affecting organisations during Q2 2024.
Breakdown of reported vulnerabilities
A vulnerability is a weakness in software, hardware, or an online service that can be exploited to allow access to information or damage a system. Early discovery of vulnerabilities means they can be addressed to prevent future incidents.
Vulnerability reports received via the CERT NZ reporting tool are passed on to affected organisations. There were 16 vulnerability reports in Q2 2024, up 23% from the previous quarter.
Of the incidents that reported a loss value, 55% (186) were below $500, compared to 56% (233) in the previous quarter. For three quarters in a row the percentage below $500 has decreased. 11 incidents reported losses of $100,000 and over. Of these:
· three related to Unauthorised Access,
· two related to a scam due to Job, Business, or Investment Opportunity,
· two related to Cryptocurrency Scams,
· one related to Buying, Selling or Donating Goods,
· one related to Denial of Service,
· one related to Inheritance Scams, and
· one that fell into the Other category.
Impact: Types of loss
As well as financial loss, CERT NZ responded to incidents where other types of loss occurred.
336 Financial loss This not only includes money lost as a direct result of the incident, but also includes the cost of recovery, for example the cost of contracting IT security services or investing in new security systems following an incident. (Q1 2024: 413). |
14 Reputational loss Damage to the reputation of an individual or organisation as a result of the incident (Q1 2024: 14). |
60 Data loss Loss or unauthorised copying of data, business records, personal records and intellectual property (Q1 2024: 64). |
<10 Technical damage Impacts on services like email, phone systems or websites, resulting in disruption to a business or organisation (Q1 2024: <10). |
<10 Operational impacts The time, staff and resources spent on recovering from an incident, taking people away from normal business operations (Q1 2024: <10). |
19 Other Includes types of loss not covered in the other categories (Q1 2024: <10). |
How helpful was this page?
This site is protected by reCAPTCHA and the Google Privacy Policy External Link and Terms of Service External Link apply.