Kiwis are an easy target for cybercriminals. A recent article highlighted that the most significant and exploited cybersecurity vulnerability of any New Zealand organisation is its people.
Our view is that people have become more aware of the power of their data, but there has also been a significant increase in attacks targeting Kiwis and Kiwi businesses. A third of Kiwis suffered from some form of cybercrime in the last 12 months, according to a 2022 survey from online security firm Norton.
The Norton Cyber Safety Insights Report surveyed 10,000 adults in 10 countries, including 1000 in New Zealand, and reported an average loss of $135 for the Kiwis affected. It’s not only individuals who suffer from cybercrime; businesses are in the crosshairs too.
Organisations of all shapes and sizes lose significant amounts of confidential and client data, which translates into direct and indirect revenue loss.
There is a growing need for organisations to know how they are targeted and attacked, and how to prevent attacks from impacting customers, staff and core operations. The most successful people-focused attacks are phishing and social engineering or social hacking. Phishing attacks have been around for decades and have progressively evolved through the years.
Phishing and social hacking are by far the most common techniques cybercriminals use on staff members to gain access to the organisation’s systems and confidential files.
A few common classifications of these attacks are:
Generic or ‘Old School’ Phishing Attacks
This phishing attack typically takes the form of the infamous “Nigerian prince” or inheritance-type emails, which try to trick recipients into responding with some personal financial information. These attacks have evolved to include generic IRD refund, NZ Post delivery, and Spark email scams.
Spear Phishing Attacks
Spear phishing attacks are less generic and target individuals, sectors, or organisations. Criminals typically persuade victims to click on a hyperlink or an attachment that deploys some form of virus (also known as malware). This allows the criminal to launch further attacks, such as encrypting files for ransom or gaining access to the staff member’s computer or an entire corporate network.
Smishing or Vishing
These attacks use seemingly trustworthy SMS messages or voice calls to trick recipients into responding with credentials, personal information, or credit card details.
Business Email Compromises (BEC)
BEC is another type of phishing attack where cybercriminals use impersonation to gain access to funds. The criminal creates an email address in the name of a company executive, a trusted vendor or staff member and then sends an impersonated email requesting something that’s usually very urgent.
Here are some easy-to-follow tips:
Never click on email or SMS links from someone you don’t know. Go directly to the real website that the message appears to be from and check to see if the notification indicated in the email or text message is real.
Never give out your personal information to someone who contacts you out of the blue. If they claim to represent a bank, government organisation or company you already do business with, call them back on a number you know.
Don’t answer calls or texts from numbers you don’t recognise. Don’t even use the links or ask to be taken off the list; the scammers will note that you interacted with the call. This will likely increase the number of calls you get from scammers in general.
How do I stop cybercrime from affecting my business?
Staff members using mobile phones and laptops may continue to be targeted by cybercriminals. The best prevention strategy is to offer some form of awareness training or education program to ensure employees can identify and prevent threats.
If you’ve been affected by cybercrime, report it to CERT NZ immediately.