Reported cybersecurity incidents hit all-time high, Kiwis losing millions

A record number of concerning incidents are being reported to the Government's cybersecurity agency, prompting a warning for those shopping online for Christmas.

New Zealand's Computer Emergency Response Team (CERT) revealed on Thursday it received 1354 incident reports between July 1 and September 30 - the most in one quarter since the agency was established in 2017, up 13 percent over the last quarter.

CERT responded directly to 1116 of the reports, while 212 were referred to the police. Netsafe, the National Cyber Security Centre and the Department of Internal Affairs also dealt with various reports.

There were another 218 events not recorded by CERT as they fell outside of the agency's scope. This includes cyberbullying, spam and online child abuse.

But despite the record number of reported incidents, the direct financial loss was down 41 percent this quarter to $3.8 million. The average amount lost by individuals was $13,851, with nine losses of more than $100,000 reported.

Of the reported incidents, 41 percent (550) were scams or fraud. Extortion or blackmail scam was the most reported followed by "scammed when buying, selling or donating". There were 21 "fake lottery, prize or grant" scams and 15 reported "dating or romance" scams.

Phishing and credential harvesting was also highly reported. There were 109 unauthorised access incidents reported, 21 reports of malware and 12 reports of websites being compromised among the various incidents.

CERT NZ director Rob Pope said it was important Kiwis were aware of potential risks.

"In this day and age, it's not just those in information security and IT that need to be across cybersecurity issues - being aware of cybersecurity is everyone's business. 

"With the holiday season approaching, we're anticipating an increase in phishing techniques that exploit New Zealanders' festive spirit and trust in email and online shopping. 

"It's important all New Zealanders, at work and at home, are aware of the risks and are confident to take the simple steps required to help protect against them."

Most of the reported incidents came from individuals rather than organisations, with the number of malware reports by individuals doubling since the last quarter. There was a 133 percent increase in denial of service reports affecting organisations. 

Auckland was hit by the most incidents (533), followed by Wellington (196) and Canterbury (113). All regions - excluding Tasman, Hawke's Bay and Gisborne - saw increases.

Of the 656 individuals affected whose date of birth is known, most were aged between 45 and 54 (21 percent). Those aged over 65 made up 18 percent, while only 4 percent were aged under 18. The 55-64 age group lost the most money, however - $1.45 million.

In the last 12 months, 4876 incidents have been reported to CERT.