The number of cyber attacks has boomed in New Zealand. In Q1 of 2018 alone, there was a 34 per cent increase in incidents from the end of 2017. The victims? It’s not just limited to individuals; small business is the target of 43 per cent of cybercrime. To stay secure, here are the greatest cyber threats business owners need to consider when setting up their security measures.
196 out of 506 reported incidents in Q1, 2018.
Phishing attacks mimic legitimate organisations, impersonating them in order to uncover confidential information, such as financial details and personal information. From the end of 2017 to the beginning of 2018, the number of reported phishing and credential harvesting incidents rose 55 per cent in New Zealand.
The danger of phishing is perhaps best illustrated by Hillary Clinton’s 2016 email scandal, where a phishing attack allowed hackers to access classified and confidential information.
Phishing attacks aren’t always limited to high-value targets (high-value attacks of this kind are known as Whaling). Anyone can be a victim. Perhaps more concerning is the degree of sophistication. A recent Google Doc phishing attack, for example, targets everyday Gmail users and impersonates one of their contacts to get them to click on a link to view a Google Document they’ve shared.
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
168 out of 506 reported incidents in Q1, 2018.
Online scams aim to trick you into giving away personal information and/or money. There are several types: money scams, prize scams, get-rich-quick scams, romance scams, invoice scams and social media scams. And while we’re probably all familiar with the email scams claiming that we’ve won the lottery, there are other, more sophisticated scams out there. One example is the recent webcam blackmail scam that has reared its head in New Zealand. In other instances, scammers may operate similarly to phishing by impersonating a friend or acquaintance and asking for money. As of June 2018, Kiwis have lost $18.6 million to scammers, up from $10.1 million in 2017.
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
60 out of 506 reported incidents in Q1, 2018.
In 2016, Delta Insurance found that 1.1 billion identities had been exposed via data breaches, with an average of 927,000 per breach. And while no one has run the numbers on New Zealand over the last two years, global trends indicate that the number of incidents continues to climb.
In 2018 alone, major companies including Under Armour, Reddit, Instagram, Polar Fitness Trackers, Adidas, Ticketmaster, Bithumb, Fortnite, VTech, FedEx, Rail Europe and the U.S. Air Force have all had significant data breaches.
While deliberate hacking accounts for roughly half of global incidents, in New Zealand access is often gained from actions within the organisation itself. According to Delta Insurance, 30 per cent of cyber insurance claims in 2016 were attributed to the actions of insiders; of these, 77 per cent were due to human error with the remaining 23 per cent caused by rogue employees.
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
13 out of 506 reported incidents in Q1, 2018.
Ransomware encrypts a user’s information until the user pays a ‘ransom’ fee to have it released. Following the devastation of WannaCry and NotPetya in 2017, 2018 saw new ransomware strains, such as Rapid and David, taking their place.
It is important to note that paying the ransom doesn’t guarantee you’ll get your encrypted data back. In some incidents, the hacker deletes the data, even if the ransom is paid. In one Stuff interview, CERT NZ operations manager Declan Ingram stated that only 30 per cent of ransomware victims who paid the fee had their files released.
Lastly, in bowing to the ransom once, you may find you become a target again in the future.
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
A Distributed Denial of Service (DDoS) attack works by flooding a network or server with traffic from many devices to overload the system and render it unusable. In the past it has cost Kiwi businesses between $12,000 and $2.1 million.
Before you think that this is something that only happens to large overseas corporations, in March this year SecurityBriefNZ experienced 4200 DDoS attacks, averaging out to 135 per day. And they are not alone: in 2017, nine DDoS attacks were reported to CERT NZ.
What’s more, according to SecurityBriefNZ, not only is New Zealand experiencing larger attacks, but some of them were perpetrated locally, from within New Zealand itself.
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
A botnet works by usurping control over Internet of Things (IoT) devices, including smartphones, tablets, home routers and webcams, and using them as bots to launch a DDoS attack. The Mirai worm in 2016 is an example of a botnet, which used weak and default login credentials to access devices and build a 300,000-strong network of bots. The network was then used to launch a DDoS attack that caused major outages at Netflix, Twitter and Amazon.
In 2017, the Reaper malware took over IoT devices, rendering them useless while adding them to its botnet. Unlike the Mirai worm, Reaper took advantage of device vulnerabilities, exploiting flaws in the software itself to gain access.
As Wired put it: “It [Reaper] is the difference between checking for open doors and actively picking locks.”
These are the key ways to mitigate the risk, but there are others. Visit CERT NZ to learn more.
At BRAVEday we’ve seen an uplift in the number of crime-related attacks where bank account numbers in digital invoices have been changed to point away from the correct account.
This usually begins as a phishing attempt as described in point 1 above. Using the harvested credentials, the criminals lie in wait, monitoring the breached email account for invoices.
These invoices are then intercepted and spoofed: the bank account number is changed, and the doctored invoice is sent on from an email address similar to the original sender’s. The recipient then pays this invoice, thinking it comes from a legitimate source.
For example, if you have been working with ElectroTech for years with regular monthly invoices, and you get a familiar-looking invoice from accounts@electratech.co.nz (note the “o” changed to an “a”), it’s unlikely you’ll question the bank account details within and simply pay the amount as usual.
This can be extremely troublesome for businesses, as it can strain relationships between established partners: ElectroTech is now chasing your business for an invoice you thought you’d already paid, and it isn’t always immediately obvious that a cyberattack has taken place.
These attacks have become increasingly prevalent lately, with many of our clients reporting it happening to them or to a client of theirs.
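One way a payer could screen incoming invoices for the fraud described above, as an added example that is not BRAVEday's own code: it flags a sender domain that is within a couple of character edits of a known supplier's, and a bank account that differs from the one on record. The supplier record, the account numbers and the legitimate domain electrotech.co.nz (inferred from the ElectroTech example) are constructed assumptions.

```python
# Added example: flag invoices whose sender domain or bank account
# deviates from supplier records. All supplier data below is constructed.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

# Supplier master file (constructed): domain -> bank account on record.
SUPPLIERS = {"electrotech.co.nz": "00-0000-0000001-00"}

def check_invoice(sender: str, account: str, suppliers=SUPPLIERS, max_dist=2):
    """Return a list of warning strings; an empty list means no red flags."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    flags = []
    known = domain if domain in suppliers else None
    if known is None:
        # Not an exact match: is it within a couple of edits of a real supplier?
        near = [d for d in suppliers if edit_distance(domain, d) <= max_dist]
        if near:
            known = min(near, key=lambda d: edit_distance(domain, d))
            flags.append(f"lookalike-domain:{known}")
        else:
            flags.append("unknown-sender")
    # Compare the account against the record of the (nearest) known supplier.
    if known and account != suppliers[known]:
        flags.append("bank-account-differs-from-record")
    return flags

if __name__ == "__main__":
    for sender, acct in [
        ("accounts@electrotech.co.nz", "00-0000-0000001-00"),  # genuine
        ("accounts@electratech.co.nz", "00-0000-0000999-00"),  # lookalike sender
        ("accounts@electrotech.co.nz", "00-0000-0000999-00"),  # real domain, new account
    ]:
        print(sender, acct, check_invoice(sender, acct) or "ok")
```

Any flag is a prompt to confirm the bank details with the supplier through a contact channel already on file, not by replying to the email.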
Are the doors of your business open to cyber criminals? Download our cyber security risk assessment checklist to make sure you're covered on all fronts.