The New Zealand Government’s cyber security unit, CERT NZ, says losses through cyber security issues reported to it in 2017 topped $5.3m, $3.4m of which were in Q4, a figure more than double that for Q3.
CERT NZ director Rob Pope said more than 1000 reports had been received since CERT NZ opened its doors in April 2017.
CERT NZ said it had seen a rise in cryptocurrency scams as attackers sought to take advantage of increased investment in cryptocurrencies. These types of scams, it said, had resulted in nearly $265,000 in losses in Q4 alone.
Pope said CERT NZ’s work on cryptocurrency scams benefitted from its links with similar organisations overseas. “We gather intelligence from our international counterparts and work with other government agencies that are seeing the impacts of cryptocurrency scams across the financial and regulatory sectors. We combine this information with the incident reports we receive to provide actionable advice and insights for New Zealanders.”
CERT NZ said attackers had been hard at work developing new variations on existing scams, including fake tech support scams where scammers register hoax tech support websites purporting to be for well-known brand names such as Google, Dell, Toshiba, Samsung, and Xero.
“They rely on users searching for a genuine product support website and instead finding the scammer’s fake support site,” CERT NZ said. “Users are typically asked to pay a fee to receive support, but no help is provided and the unlucky users are left out of pocket.”
Some websites reported to CERT NZ also listed phone numbers that put the victim in contact with the scammers who continued to push for money, credit card details, and access to the person’s computer.
CERT NZ said that during Q4 it had referred almost 150 incidents to other agencies such as the NZ Police, Netsafe, and the National Cyber Security Centre (NCSC), and its online reporting tool had directed more than 70 people to agencies such as the Department of Internal Affairs for further assistance.
The report contains a number of case studies, some of which show the level of sophistication of scams. In one reported incident a small New Zealand company received fraudulent requests sent from the email account of one of its overseas-based directors. Someone had hacked the director’s email account and used it to send requests for money to be transferred to accounts in a third country.
Similar genuine requests had been received previously, so the money was sent, along with notification of the transfer in emails back to the director. The attacker intercepted these notification emails and responded to them pretending to be the director so the company would not be alerted to the scam.
The scam was uncovered only because the foreign receiving bank found that the information they were provided did not match up and queried a transfer.