CERT NZ has released its final quarterly report for 2018.
The CERT NZ reports provide an interesting snapshot of recent cyber security incidents reported in New Zealand by both individuals and organisations.
The latest report shows that cyber security incidents continue to increase quarter-on-quarter. In total:
- 1333 incident reports were made to CERT NZ in the last quarter of 2018, up 53% from Q3, and
- losses of almost $6 million were reported, up from $3 million in Q3.
Reports of scams and fraud increased significantly this quarter, making up half the total number of reports received.
666 (yes, 666!) scam and fraud reports were received in Q4, up a whopping 236% from Q3.
In particular, there was a significant increase in email extortion scams, which accounted for more than a third of all scams.
What is email extortion?
This is where attackers email a seemingly legitimate threat and demand urgent payment from the recipient to revoke it. Examples include a bomb threat sent to a business, or a threat to an individual to release embarrassing images of them.
Receiving an extortion email can be a frightening experience.
Scammers work to continually evolve their approach and they employ new tactics to try and trick people into meeting their payment demands. This new wave of email extortion scams at the end of 2018 shows that scams are big business.
What makes email extortion so effective?
One reason why email extortion scams can be so effective is the fact that the email will often include personal information, like a password, to make the threat seem more real.
The emails will also often contain a worrying or embarrassing element, playing to the fears of the recipient. Does the scammer really have a compromising photo of me? Do they really have access to my home router?
But how did they get my personal information?
Scammers often collect customer records from data breaches that are available online. Some of these collections contain millions of entries that include information like email addresses, passwords and other account details. Often the information obtained is out of date, but because of the volumes of emails sent out, even if only a small percentage of people pay up, the scammers can still make a considerable amount of money with little effort.
If an email says that the sender has other personal information about you, this will more often than not be an empty threat. The scammer is likely to only have access to information sourced from old data breaches that have effectively been made public, rather than via an actual hack of your computer or records. A key question to ask yourself is whether the information they are referring to could not possibly have been obtained from a public source.
What should I do if I receive a scam email?
Report the email to CERT NZ, as they can keep track of larger scams and offer practical advice to individuals. Do not contact the sender or respond to any threats made. If the scam email includes a password, make sure you change the password on any account where that password is used, just to be sure. You can also check if your information has been leaked in well-known data breaches with tools like https://haveibeenpwned.com/
This is a fascinating, reliable and safe way to check if any of your accounts have been involved in a data breach that has been made public.
And speak to us about how we can help protect you, your passwords, your sensitive information and your business against scammers and other threats.
phew. Cyber Security Sorted.