Over $3.9 million in direct financial losses were reported to the government’s Computer Emergency Response Team (Cert NZ) in the June quarter. This is more than double that of the same period last year, with a 30 per cent quarterly spike.
However, this could be only part of the actual loss, said Brett Callow, a threat analyst at Emsisoft, a global cybersecurity company based in New Zealand.
And Rob Pope, director of CertNZ, does not disagree with that theory. “We understand that the number of quarterly reports is just the tip of the iceberg,” he says.
Founded in 2017, CertNZ is still a relatively young agency. Many victims of online scams and cyberattacks that the Herald talks to are simply unaware of its existence, let alone the ability to report incidents and seek help.
Another factor: many organizations and individuals may hesitate to come forward for fear of damaging their reputation (although since the new privacy law came into force on December 1 last year, serious data breaches must be reported to the Privacy Commissioner).
“Cybercrime is significantly underreported,” says Callow.
In the United States, it is estimated that only 15% of incidents are reported, based on the FBI’s annual Internet crime report statistics.
“And it may be an overestimate in itself,” he says.
“The position in New Zealand is likely to be very similar, with only a few cybercrimes reported. It is impossible to say how small the minority is.”
It is also worth noting that law enforcement agencies usually include only direct financial losses, such as ransom demands paid, in their cost estimates, Callow says. “On the other hand, indirect economic losses, such as the cost of downtime, can be significant.”
“In 2020, there were more than 250 ransomware incidents involving New Zealand companies, and the demands alone cost about $55 million. Taking downtime into account, the cost of these incidents increases to about $450 million,” said Callow of a survey summary compiled by his company using submissions to the ID Ransomware service.
“And it’s just ransomware. BEC [business email compromise] fraud and other scams mean that the actual losses are even greater,” says Callow.
Pope admits that his organization’s latest quarterly numbers are just the tip of the proverbial iceberg, but says they still serve a useful function.
“These reports help us understand the threat landscape and cybersecurity risks facing New Zealanders,” he says.
Old school, new school
Old-fashioned DDoS (distributed denial of service) attacks have dominated recent headlines, as bot armies are unleashed against Kiwibank, ANZ, NZ Post, MetService and others, overwhelming their sites with connection requests.
But overall, Cert NZ tracked the biggest increase in ransomware. This is more ominous because, unlike DDoS attacks, where bots crowd the front door and prevent anyone from entering the site, ransomware attacks involve intrusion and the theft or encryption of data.
The total number of reported cyberattacks actually dropped, to just 1351, but losses increased because the types of attack that were on the rise carry greater losses.
While the total number of ransomware attacks was only 30, ransomware attackers have switched from individuals and small businesses to large businesses as targets, with demands totalling millions.
Increasing cryptocurrency investment fraud
Cert NZ also said that a total of $500,000 was lost in the June quarter as cryptocurrency fraud losses increased by 13% and the number of complaints increased by 50%.
The scams often involve emails written in sophisticated language and usually revolve around enticing victims to put money into fake cryptocurrency investment opportunities.
Cert NZ says the scams share a common theme of playing on Fomo, or “fear of missing out”, with victims urged to put money into cryptocurrency opportunities before it’s too late.
Well-known New Zealand targets, from Waikato DHB to Lion and Toll Group, say they refused to pay the ransom.
But even so, organizations can incur millions in costs from manufacturing and supply chain disruptions while carefully rebuilding their systems from backups.
Cert NZ encourages people to come forward.
It emphasizes that all reports are treated with strict confidentiality. People and organizations only need to share “as long as they find it easy to share.”
The government has rejected a recent call to make paying cyber ransoms illegal. Some people consider such a move to be a circuit breaker, but the government counters that it would criminalise victims.
However, Digital Economy and Communications Minister David Clark said authorities are monitoring overseas developments and policy work is taking place in this area.
Pope says the CertNZ quarterly report has also helped disseminate information.
“We are constantly working to raise awareness through Cyber Smart Week (October 18-24) initiatives and general outreach. We encourage anyone who has experienced a cybersecurity incident to report confidentially to CertNZ so that we can provide them with advice and remediation,” he says.
CertNZ’s key advice on cyber attacks remains unchanged. It includes:
• Use complex passwords that are different for each account and use a password manager to organize everything.
• Keep all software up to date, not just security software.
• Educate staff to be suspicious of email attachments or requests for personal information.
• Make regular backups, assuming you will be attacked someday. Make sure at least one of them is a “cold” or offline backup. Also, test your backups regularly.
• And maintain an up-to-date action plan on how to communicate with staff, suppliers, and customers in the aftermath of an attack.
Report attacks, and report as soon as possible
Prompt reporting of cyber attacks and online scams is essential for individuals and small businesses. Cert NZ acts as a triage service, contacting appropriate law enforcement contacts and advising where to seek IT assistance.
A recent report by the Banking Ombudsman, which noted a 21% increase in bank-related online fraud, emphasized that the sooner a banking fraud team learns of a fraud case, the more likely it is that the transaction will be cancelled.
The Herald has covered a number of online banking scams that have had different outcomes for customers seeking compensation.
In one, a West Auckland couple who paid a series of fake invoices after a scammer hijacked the real email address of a bathroom renovation company had the full amount they lost ($21,000) refunded by their bank, Westpac.
But in a second case, concerning a former Army officer who sent about $14,000 from his Westpac account to a fraudster’s account because he thought he was buying Starlink shares (the SpaceX subsidiary is unlisted and has no plans to go public), no funds were recovered and the soldier lost all of his money.
The two banks said the situation would have been more likely to be resolved if the retired Army officer had been in immediate contact. In that case, it was more than 7 days after he sent the money that he realized he had been taken in.
Kiwi has lost millions more in cyberattacks-and the CertNZ boss says the reported number is “the tip of the iceberg.”