What’s New

CERT NZ has released its first quarterly report for 2018, and social engineering attacks feature heavily in the new statistics.

The CERT NZ reports provide a useful snapshot of recent cyber security incidents reported by both individuals and organisations.

The number of reported incidents reached a peak of 506 in the first quarter of 2018, although the total of financial losses decreased slightly to around $3m.

41 per cent of all reported incidents involved organisations rather than individuals (see Fig 1). The finance and insurance industry remains the biggest target for cyber crime, accounting for 44 per cent of all reported organisational incidents, followed by the technology sector (11 per cent) and public administration and safety (9 per cent).

Fig 1: Reports about organisations; breakdown by sector
(Source: CERT NZ’s Quarter One Report 2018) 

Social engineering attacks, in particular “phishing & credential harvesting” and “scams & fraud”, make up the bulk of all reported incidents, sitting at just over 70 per cent. And eight of the nine biggest incidents, causing 81 per cent of the total reported financial losses, involved “scams & fraud”. 

Social engineering attacks are both effective and cheap to run, and allow attackers to target large numbers of people with ease. Consistent with this, the number of reported phishing & credential harvesting incidents rose from 126 in the previous quarter to 196 (see Fig 2), making it the most common type of incident, followed by scams & fraud, which also rose 21 per cent on the previous quarter.

Fig 2: Breakdown by incident category
(Source: CERT NZ’s Quarter One Report 2018) 

Hackers Unite

Attackers are finding increasing success by compromising insecure (or unpatched) websites belonging to local, trusted brands and using them to host phishing pages or send phishing emails, which lends an air of legitimacy and familiarity to the lure.

Favourite tactics include registering a deceptively similar domain to the target brand (misspellings such as anazon.co.nz or amazoon.co.nz, or the same name under a different top-level domain, such as .com instead of .co.nz), or creating an email address that appears to belong to a trusted brand's customer services or technical support team.
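The checks described above can be automated on the receiving side. The following is an added example, not code from CERT NZ or phew!: it takes a From: header, extracts the registrable domain, and compares it against a hypothetical allow-list of a brand's real sending domains, flagging misspellings (edit distance up to 2 after undoing common homoglyph swaps such as "rn" for "m"), the same name under a different top-level domain, and brand names appearing in the local part or in an unrelated domain. The brand list, the public-suffix table and the sample addresses are constructed for illustration.

```python
"""Flag e-mail sender addresses that imitate a trusted brand's domain.

Added example, not from the CERT NZ report or phew!. The allow-list,
suffix table and sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical allow-list of the brands' real sending domains. A real
# deployment lists every legitimate domain the brand sends from.
TRUSTED_DOMAINS = {"amazon.co.nz", "westpac.co.nz"}

# Minimal stand-in for the public suffix list, so that "x.co.nz" splits
# into label "x" and suffix "co.nz". Use the full list in production.
MULTI_LABEL_SUFFIXES = {"co.nz", "org.nz", "govt.nz", "co.uk", "com.au"}

# Character swaps attackers use to make a lookalike label read like the real one.
HOMOGLYPH_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def split_domain(domain):
    """Return (registrable label, public suffix), e.g. 'mail.amazon.co.nz' -> ('amazon', 'co.nz')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def normalise(label):
    """Undo common homoglyph substitutions before comparing labels."""
    for fake, real in HOMOGLYPH_SWAPS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value):
    """Return (verdict, detail) for the address in a From: header."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unparseable", addr
    local, domain = addr.rsplit("@", 1)
    label, suffix = split_domain(domain)
    registrable = f"{label}.{suffix}" if suffix else label
    if registrable in TRUSTED_DOMAINS:          # exact domain or a subdomain of it
        return "trusted", registrable
    for trusted in TRUSTED_DOMAINS:
        t_label, _ = split_domain(trusted)
        if label == t_label:                    # amazon.com vs amazon.co.nz
            return "tld-substitution", f"{registrable} imitates {trusted}"
        if edit_distance(normalise(label), t_label) <= 2:   # anazon, amazoon, arnazon
            return "lookalike-domain", f"{registrable} imitates {trusted}"
        if t_label in label or t_label in local.lower():    # amazon-support.co.nz, amazon.support@gmail.com
            return "brand-in-name", f"{addr} uses brand '{t_label}' outside {trusted}"
    return "unknown", registrable


# Constructed sample headers covering each case above.
SAMPLE_FROM_HEADERS = [
    "Amazon NZ <orders@amazon.co.nz>",
    "Amazon NZ <orders@mail.amazon.co.nz>",
    "Amazon <security@anazon.co.nz>",
    "Amazon <security@amazoon.co.nz>",
    "Amazon <security@arnazon.co.nz>",
    "Amazon NZ <orders@amazon.com>",
    "Amazon Support <amazon.support@gmail.com>",
    "Accounts <accounts@example.org>",
]


def scan(headers):
    """Classify every header; returns a list of (header, verdict, detail)."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, detail in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:17} {header:45} {detail}")
```

The edit-distance threshold of 2 suits brand labels of six or more characters; for very short brand names it will produce false positives against unrelated domains, so tune it per brand or require a minimum label length. Note also that the "tld-substitution" verdict only reflects what is in the allow-list: if a brand legitimately sends from more than one top-level domain, every one of them must be listed.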

This quarter saw four large invoice scams, in which victims were lured into paying fake or altered invoices into attacker-controlled bank accounts.

The attackers' efforts are paying off. Eight of the top nine incidents this quarter were "scams & fraud" attacks, which caused total losses of almost $2.4m, or 81 per cent of all reported financial losses.

Users Unite 

The increasing number of individuals and organisations falling prey to social engineering attacks demonstrates that vigilance, and security awareness among company staff, are of key importance.

Training for staff is paramount and should include:

– examples of real-world social engineering attacks
– tips on how to recognise unsafe email
– procedures for handling email attachments
– advice on how to recognise phishing websites

Organisations also need to ensure the security of their public websites by:

– updating or patching websites to fix any publicly disclosed vulnerabilities
– performing website penetration testing and network security assessments to detect and fix vulnerabilities

Speak to phew! today about protecting your company and people from the risks of social engineering attacks.