Scammers siphon millions in elaborate cyber attacks
The Government’s cyber security agency has recorded a “massive” jump in online fraud, with scammers draining nearly $9 million from unsuspecting victims in just three months.
Twelve victims lost more than $100,000 each as cyber criminals deployed elaborate scams to trick people into giving over their money and personal details, or infiltrated their computers and bank accounts through malware or remote access trojan software.
Data obtained by the Herald from CERT NZ shows the agency received more than 10,000 cyber security reports in the last year relating to phishing attacks, scams and fraud, unauthorised access to email or bank accounts, denial of service attempts, ransom or malware attacks and compromised websites.
The agency admits such attacks are “widespread” with many more going unreported.
Cyber criminals obtained nearly $9m in the last quarter alone (JulySeptember) — a huge spike on the previous quarter ($3.9m) and the quarter before that ($3.7m).
CERT NZ says the number of reported incidents has remained reasonably static in recent months, but the number of attacks resulting in loss through fraudulent criminal activity and unauthorised access to victims’ accounts has jumped by about 30 per cent.
The figures include cases like the Invercargill pensioner who lost $134,000 when thieves infiltrated his SBS Bank accounts in July, changed his listed mobile phone numbers to skirt the bank’s two-factor authentication security checks, then drained the money in 11 unauthorised transactions.
SBS has refused to refund the victim and the matter is now under investigation by the Banking Ombudsman.
CERT NZ threat and incident response manager Jordan Heersping said the most common cyber security incident involved phishing attacks, when victims were contacted by malicious actors pretending to be from a bank, internet provider, government agency or financial institution, and convinced to hand over their user names and passwords.
Phishing attacks could also involve victims clicking on suspect links which then download malicious software to a person’s device, harvesting their personal information and sending it back to the scammers to access bank or email accounts.
These attacks were a “constant threat”. The emails were often wellcrafted and difficult to spot, Heersping said.
CERT NZ has also recorded a big jump in unauthorised access incidents. Victims may have approved a charge, for instance to receive a non-existent courier parcel, but criminals were then able to set up recurring withdrawals from the victim’s account.
Heersping said many attacks reported to CERT NZ originated overseas. The agency helped victims work with banks to recover stolen money and tried to educate people about the latest scams. Victims typically lost between $100 and $1000, but elaborate romance or investment scams could see hundreds of thousands of dollars drained, at huge financial and emotional cost.
“For a lot people, the effect of a cyber attack will have quite a knockon effect on their mental health.
“We see everything from a couple of dollars to a lot of money, and that’s both across businesses and individuals.”
Under the Code of Banking Practice, banks are obligated to refund customers for unauthorised withdraws unless the victims acted fraudulently or were “wilfully negligent”.
Police said they and other government agencies would never contact someone of the blue asking for their password, credit card or bank details. Anyone who believed they had fallen victim to a scam, in person, over the phone or online, should contact
police.