SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Story image

The rise of cybercrime and NZ's fragmented response

By Anusha Bradley, RNZ
Tue 15 Jun 2021

Cybercrime is on the rise but New Zealand's response to it is fragmented and victims rarely get justice. In the wake of the Waikato District Health Board ransomware attack, Anusha Bradley asks how we can better help and protect cybercrime victims.

Paul Hay realised his social media accounts had been hacked when his friends started shunning him.

"There were these really disturbing sexual messages," he says.

The hacker had sent one to Hay's heavily pregnant friend, and Hay later discovered messages had gone to nearly all of his female friends.

But worse, his mates didn't believe his explanation. "They couldn't understand that people could steal your identity or that I couldn't take control of my Facebook," Hay says.

But that's exactly what had happened to the Hawke's Bay farmer in 2014. He suspected a person he knew was behind it, but couldn't prove it was them, even as the messages turned increasingly nasty.

"It got to the point where the police turned up at my house with folders thick of evidence against me."

Hay was never charged, but the damage was done. "It was horrific. Pretty much all my friends I've known for 10 years just didn't want to talk to me anymore. I was literally really cut off from everyone. I fell into a huge depressive cycle of just essentially being alone and sad."

Adding to his misery, it was two-and-a-half years before Facebook believed he was the real Paul Hay and finally deleted his hacked profile page.

That wasn't enough for Hay. He wanted to prove to police and his friends that he was a victim. So he came up with a plan and went to great lengths to transform himself from the hunted to the hunter.

Online impersonation and identity theft are among the many types of cybercrime that are on the rise. But despite its rapid growth, our response to cybercrime is fragmented - and, some say, underfunded. Thirteen government agencies and four ministers - if you include police - oversee different aspects of cybercrime reporting, fighting and security. There are also several non-governmental organisations providing education, advice and reporting services for cybercrimes and incidents. This fragmentation often leaves victims struggling to know where to turn.

With such a plethora of agencies involved, it is difficult to even establish the extent of cybercrime. Just how bad the problem is depends on who you ask. The Computer Emergency Response Team (CERT NZ), which is the central government agency to which all cybercrimes and incidents should be reported, recorded a 25 percent rise in incidents in the past 12 months. During 2020, when Covid-19 prompted people to work from home away from their higher workplace security, instances of malware - which includes ransomware attacks like the one Waikato DHB recently experienced - rose 2008 percent. Overall, there has been a seven-fold increase in the number of cyber security incidents reported by businesses and individuals in the last three years, costing victims a whopping $53 million.

But other organisations give different statistics. The charity Netsafe received 6063 incident reports between October and December 2020, slightly fewer than the previous quarter. It saw a 22 percent decrease in personal harm reports, a 23 percent increase in scam reports and a 16 percent decrease in objectionable material reports. However, the number of reported romance scams - in which victims are tricked into sending money to people they believe they are in an online relationship with - grew 39 percent last year. Romance scam victims lost on average more than $18,000 each, though Netsafe believes that's a fraction of the real losses as people can be too embarrassed to report what's happened to them.

The charity IDCARE, which helps up to 1000 victims of scams, data breaches and identity theft a month, has seen about an 8 percent decrease in romance scams since 2018, but a 40 percent increase in people seeking help for identity theft in the first five months of this year. It has also seen a 38 percent increase in remote access scams since 2018. In these scams, offenders trick victims into giving them access to their device, allowing them to obtain personal information. More than half of remote access scam victims have their online bank accounts accessed, with victims losing an average of $5000 each.

Sandra couldn't access any of her files, but it was the box bouncing up and down on her laptop screen that sent a shiver down her spine. "It was saying I'd been hacked and if we paid $800 we'd get a code to unlock it."

With all her files frozen and unsure what else to do, the Whakatāne business owner took her laptop to a computer specialist who told her the attackers had probably gained access through a malicious email she'd unwittingly opened. "They couldn't do much to help us," she recalls.

Sandra and her husband refused to pay the ransom out of fear the criminals would demand even more money. "But it cost us dearly in the end," she says.

The computer held a month's worth of business accounts that hadn't been backed up, but, more importantly, treasured photos and videos of Sandra's late father. "Nobody else had those videos, so I couldn't replace them. It just really guts you."

Sandra didn't think to report the attack to police and says she wasn't aware there were any other organisations who might be able to help her. "To be honest, I didn't know who to ask. The first thing I thought of was to take it to somebody who knows about computers to try and fix it. I didn't even think to ask about any government agencies or anything."

Sandra's response is understandable. The myriad agencies dealing with cybercrimes and security issues are a complex network. CERT NZ, which sits within the Ministry for Business, Innovation and Employment, is the central agency responsible for collating incident reports and co-ordinating government agencies' responses to security issues. It also analyses threats and provides advice, mostly to businesses. In the upper echelons of government, the Department of the Prime Minister and Cabinet's National Cyber Policy Office oversees the Cyber Security Strategy developed in 2019. It is responsible for supporting critical infrastructure and nationally significant organisations, while the New Zealand Security Intelligence Services and the Government Security Communications Bureau deal with threats to national security.

At a consumer level, Netsafe provides education and advice to individuals caught out by online scams, and also reports offences under the Harmful Digital Communications Act. The Department of Internal Affairs deals with some aspects of identity theft, but also refers victims to IDCARE for support. Lastly, police investigate cybercrimes.

All these agencies work closely together, with CERT NZ acting as a clearing house with a "no wrong door policy", referring people to the organisation, or organisations, that are best placed to help.

But the complexity means it's difficult to tackle the problem, especially if there's no one looking at the big picture, IDCARE New Zealand operations manager Neil Hallett says. "Because we don't have a single source of truth in terms of the collation of scam information or data breach information, we can only make an educated guess."

One of those guesses is that New Zealanders are losing $500m a year to offshore scams, he says. Hallett, a former police detective inspector, established an identity crime intelligence unit at Police National Headquarters in 2004, and he believes cybercrime can't be tackled until we know just how big the issue is.

In order to get better data, there needs to be better co-ordination between all the different groups dealing with cybercrime and security in New Zealand, Hallett says.

"It's generally accepted that we do need a single source of truth, that there are too many disparate pockets of information, that if it was put together in one place we would have a better idea of what the overall picture looks like and a better idea of where the main threats are coming from."

Australia's scam co-ordination centre, Scamwatch, is a model New Zealand could follow and would be a "relatively easy fix", Hallett says.

Netsafe chief executive Martin Cocker says the complex web of agencies is needed to address different aspects of cyber security, but he agrees there needs to be better co-ordination of data collection.

"We will get somewhere between $20 and $30 million of scam losses reported to us each year and CERT NZ will get a similar amount, but we don't know how much of that overlaps because people can choose to report to both agencies. It could be $20 million reported twice, or it could be $40 million. There really is difficulty quantifying the problem and that then creates a problem for our political leaders to say: Here's the size of the problem, and here is a reasonable response in terms of investment."

The lack of investment in preventing and tackling cybercrimes in the public and private spheres is another issue, Cocker says. "I don't know of any country that spends enough, but I think New Zealand definitely is looking at cybercrime now and looking at the resources we're putting in and saying that doesn't match up."

And the risk is growing rapidly. "We're seeing serious cybercrime and cyber security breaches. And we've got these relatively small teams across a few agencies really struggling with the kind of volume that they're facing."

It's also a struggle for victims to know where they can turn for help, he says. "I think we've got the right agencies and they've got the right responsibilities split, but it's still really hard for consumers to connect with the agency when they need them."

There's an argument for having a single agency to help victims navigate the system, he says. "It's one thing to say to somebody, you've got to go to the police for this and you've got to get the DIA for that, you've got to go to Netsafe for this. But if your one cybercrime incident involves all of those things, you're really asking the person who is dealing with the fact they're a victim of a cybercrime to then also take on the responsibility to organise their whole response plan and connect with those agencies themselves."

Even if victims find their way through the maze of organisations to access help, they rarely get justice. Paul Hay knows that all too well. After the hacking, the sex messages and losing his friends, he felt helpless. That feeling only deepened when he couldn't get the support he needed. He felt so let down by the authorities, he took matters into his own hands.

There was an open day at the local polytech and Hay spotted an ad for a computer science course. "I remember the date vividly. It was 16 January 2015 and something suddenly sparked in me. I was like 'I need to go and teach myself about this'.

"I decided I needed to learn all I could about computers so I could understand how this happened. I had tried... but nobody believed it wasn't me. I had to go and get a degree in computer science to be able to prove myself."

Over the next few years, he learnt how to trace the malicious messages that had ruined his life. "I could prove without a shadow of a doubt the piece of hardware that every message came from." The computer belonged to the person Hay had suspected all along. But it wasn't enough. "When I went to the police with the evidence, all they said to me was: 'Can you prove who was on the end of that computer?'"

Prosecutions of cybercrimes are rare, admits Detective Inspector Stu Mills, who manages police's intercept and technology operation. It's because it's tricky to track down cybercrime offenders, most of whom are based overseas. "It makes it more difficult to identify them and have sufficient evidence for the local authorities where they're based to take any of the investigative or prosecuting action."

There have been some successes. Mills' team helped to convict the US-Israeli teenager who made bomb threats to New Zealand schools in 2018, and police have occasionally frozen the accounts of cybercriminals who have taken money from New Zealand victims. Netsafe's Cocker says he's never heard of anyone overseas being prosecuted for scamming or defrauding someone in New Zealand. Nor is he aware of anyone getting their money back. "In fact, if you ever get contacted and told we've recovered money from a scammer, we're going to give it back to you, that will be a scam," he warns.

Low numbers of cybercrime prosecutions, dissatisfaction with funding, data spread across organisations and victims struggling to know where to turn. What does Digital Economy and Communications Minister David Clark have to say?

He's unconvinced that a more centralised approach for data collection or service provision is needed, but he does say the government will "continue to look at the resourcing" for CERT NZ to ensure it has "the capacity across government to respond in an increasingly difficult world".

Some collaboration is on the cards too. One of the projects in the government's Cyber Security Strategy aims to improve links between government cyber security agencies by establishing a "cross-agency governance board and funding for inter-agency priorities" which Clark says is "work that is ongoing".

What about victims struggling with where to turn? "The system that we have at the moment, there's no doubt, does help people who get into difficulties - I've received positive feedback on it."

The real issue is that victims don't report crimes, he says. "There's a huge amount of under-reporting here. It's something that jurisdictions around the real world wrestle with. One of the big reasons it's hard to work out is because there's a lot of embarrassment associated with being a victim."

The government is doing "everything it can" to make sure people are aware that those services are available through CERT NZ. The organisation says it's also working on publishing a flowchart to help people figure out the agencies they need to contact for help.

Are Clark's plans ambitious enough? Darkscope founder Bruce Armstrong, who monitors the dark web for criminal activity, reckons New Zealand could do better. He favours Australia's more centralised approach, and says New Zealand could learn from it. The Australia Cyber Security Centre (ACSC) is a one-stop shop service, supporting national critical infrastructure, small and medium-sized enterprises and individuals. The country also has AusCert, a not-for-profit outfit based at the University of Queensland that provides a user-pays service for businesses and government agencies, providing technical help and advice.

University of Melbourne lecturer Suelette Dreyfus agrees the Australian system works reasonably well. Still, Dreyfus, an expert in computing and information systems, says no system is perfect. She believes the thing that would really help, globally, is transparency about cybercrimes. "A lot of companies are anxious about reporting incidents because they think it might cause that loss of reputation." But if these case studies were made public, we could learn from them, she says.

"A couple of years ago, Australian National University was hacked in a very sophisticated attack and to the enormous credit of that university its management decided to release the report about the hacking attack. I use that report in my teaching and it's very important because it provides a set of lessons for people who are going to go out into the workforce and defend organisations about what can go wrong and how you can prevent it."

When the global shipping company Maersk was immobilised by a ransomware attack in 2017, it did the same, Dreyfus says. "They did an analysis of what went wrong, how they were infected… they made that all public and that is incredibly valuable to the rest of the world to figure out how to do it right."

Paul Hay advocates speaking up too. It's why he shares it all - the sex messages, the friends who ditched him, the struggle for justice. He hopes others can learn from his experience, but also that it will make victims feel less alone.

That's not all he's doing to help others. He finished studying computer science and is now a case manager at IDCARE, where he works with victims of cybercrime. "I had a lady call me up the other day in the exact same position that I was five years ago. By the end of the conversation, she went from being in tears to saying 'Thank you, you've made me feel better about the whole situation' and it actually makes me feel good, because I can actually help somebody."


RNZ logo
This story was originally published on and is republished with permission.
Related stories
Top stories
Story image
Tech job moves
Tech job moves - Adatree, Brother, Databricks, Nutanix & Rubrik
We round up all job appointments from May 20-26, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Could New Zealanders initiate a cyber attack from within?
The threat landscape is significantly increasing worldwide, and the opportunities it presents are a growing concern in Aotearoa.
Story image
The path to bolstering supply chain security in New Zealand
A significant amount of today's business and leisure activity relies on IT supply chains. From complex international freight trades to local small business distribution channels, any supply chain that involves IT infrastructure serves as a crucial tool in our daily lives. 
Story image
Microsoft NZ and TupuToa to boost diversity in cybersecurity sector
Microsoft NZ has teamed up with TupuToa to co-develop a cyber security employment programme specifically aimed at creating more diversity in Aotearoa's cybersecurity sector.
Story image
i-PRO releases smallest AI-based surveillance camera on the market
The new i-PRO mini network camera is now available, with a pocket-sized form factor and full AI analytics functionality.
Story image
WhatsApp and QR codes the next scam threat - report
KnowBe4 has warned it expects to see an increase in QR Codes and the WhatsApp chat platform being used for phishing and other scams. 
Story image
Remote Working
Successful digital transformation in the hybrid work era is about embracing shifting goalposts
As organisations embraced remote working, many discovered they lacked the infrastructure needed to support history’s first global load test of remote work capabilities.
Story image
Trojan cyber attacks hitting SMBs harder than ever - Kaspersky
In 2022 the number of Trojan-PSW detections increased by almost a quarter compared to the same period in 2021 to reach 4,003,323.
Story image
Cyber attacks
Devastating cyber attacks expected to hit energy sector
Energy executives anticipate life, property, and environment-compromising cyber attacks on the sector within the next two years.
Story image
Vectra AI
Understanding the weight on security leader’s shoulders, and how to shift it
Millions of dollars of government funding and internal budgets are being funnelled into cybersecurity to build resilience against sophisticated threats, indicating how serious this issue has become.
Story image
'Alarming' rise in ransomware threats - Verizon report
As criminals look to leverage increasingly sophisticated forms of malware, it is ransomware that continues to prove particularly successful.
Story image
Check Point
Check Point and CCTV expert join forces to boost protection
The partnership will involve Check Point Quantum IoT Protect Nano Agent being embedded in Provision-ISR’s CCTV cameras for on-device runtime protection.
Story image
Accenture - a collective security approach a driving factor for cyber resilience
With the approaching Davos World Economic Forum upon us, it is even more imperative to discuss the impact of cybersecurity on business operations leading into the future.
Story image
Identity and Access Management
The post-pandemic workforce requires secure IAM capabilities
HID Global discusses what identity and access management means for organisations in today's convoluted digital world.
Threat actors are exploiting weaknesses in interconnected IT/OT ecosystems. Darktrace illuminates your entire business and takes targeted action to stop emerging attacks.
Link image
Story image
Asia Pacific plagued by sophisticated bad bots - report
The three most common bot attacks were account takeover, content or price scraping, and scalping to obtain limited-availability items.
Story image
Customer experience
Gartner recognises Okta for abilities in Access Management
Okta has announced it has been recognised as a Customers' Choice for the fourth time in a row in the Gartner Peer Insights "Voice of the Customer" report.
Story image
More than 40% of banks worried about cloud security - report
Publicis Sapient's new report finds security and the lack of cloud skills and internal understanding of business benefits are big obstacles for banks moving to the cloud.
Story image
The ups and downs and runarounds of catching cybercriminals in NZ
We're becoming more and more aware of cybercrimes but how many criminals actually get caught? The New Zealand police explain why the answer is complicated.
Story image
Third-party automotive apps bear significant privacy risks
Mobile applications for connected cars provide various features to make life easier for motorists, but they can also be a source of risk.
Story image
Silver Peak
The path to an adaptive, modern network
Managing and securing the network looks different than it did just two years ago—especially given that most of these networks are made up of multi-generations of infrastructure stitched together over time.
Story image
APAC organisations fail to disclose ransomware breaches
85% of organisations in APAC were breached by ransomware at least once in the past five years, but only 28% publicly disclosed the incident.
Story image
Global cybersecurity insurance market worth $11.5b this year
Future Market Insights finds the cybersecurity insurance market is expected to reach USD$11.5 billion in 2022, growing to $61.2 billion in 10 years.
Story image
Sysdig unveils new Kubernetes troubleshooting and cloud innovations
Sysdig has introduced two new innovations that look to help bolster cloud services and simplify Kubernetes troubleshooting.
Story image
Managed service provider
Barracuda MSP Day 2022 highlights MSP opportunities
Barracuda Networks has released a report showing global services-related MSP revenue is set to increase by more than a third in 2022 compared to 2021.
Story image
BYOD / Bring Your Own Device
How zero trust can lead the battle against ransomware
SecOps teams champion a zero trust strategy to support the fight against the escalating risk of cybercrime and help monitor threat actors across a network.
Story image
New Relic
New Relic launches vulnerability management platform
New Relic has introduced New Relic Vulnerability Management to help organisations find and address security risks faster and with greater precision.
Story image
Data Protection
Information management capabilities to meet privacy requirements
Organisations with customers or operations across more than one country face a spate of new and proposed privacy and data protection laws.
Story image
Let’s clear the cloud visibility haze with app awareness
Increasingly, organisations are heading for the cloud, initiating new born-in-the-cloud architectures and migrating existing applications via ‘lift and shift’ or refactoring.
Story image
Artificial Intelligence
Gartner reveals top three tech trends for banks this year
Gartner says generative artificial intelligence, autonomic systems and privacy-enhancing computation are gaining traction in banking and investment services.
Story image
APAC ranks third-highest region targeted by ransomware
Asia Pacific has ranked the third-highest region globally to be targeted by ransomware, according to cybersecurity firm Group-IB.
Story image
Maintaining secure systems with expectations of flexible work
Most office workers feel they've proved they can work successfully from home, and as much as employers try, things aren't going back to the way they were anytime soon.
Story image
Employees on the frontline of cyber defense - report
In the first quarter of 2022, employees found themselves more than ever at the frontline of cyber defense, according to a new report from Kroll. 
Story image
Amazon Web Services / AWS
RedShield leverages AWS to scale cybersecurity services
"Working with AWS gives RedShield the ability to mitigate significant application layer DDoS attacks, helping leaders adopt best practices and security architectures."
Story image
CERT NZ releases first Cyber Security Insights for 2022
CERT NZ has released Quarter One: Cyber Security Insights 2022, which offers an overview of reports about cybersecurity incidents affecting New Zealanders.
Story image
Data Protection
Barracuda launches new capabilities for API Protection
"Every business needs this type of critical protection against API vulnerabilities and automated bot attacks," Barracuda says.
Story image
Fortinet introduces self-learning AI in latest offering
Fortinet is introducing self-learning AI capabilities in its new network detection and response offering, FortiNDR.
Story image
Vishing attacks reach all time high - Agari and PhishLabs
"Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of total share in volume so far in 2022."
Story image
Alarming surge in Conti Ransomware Group activity - report
A new report has identified a 7.6 per cent increase in the number of vulnerabilities tied to ransomware in Q1 2022.
Story image
What every CISO must answer to enable a best-in-class security operations program
It has been widely reported recently that South Australian government employees have been the victims of a cyberattack.
Story image
Cybersecurity prompts upgrade for 1.3 billion electricity meters
ABI Research finds Advanced Metering Infrastructure (AMI) and cybersecurity concerns are prompting the upgrade of 1.3 billion electricity meters by 2027.
Story image
Ponemon Institute
Email revealed to be riskiest channel for data loss
More than half (60%) of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Story image
Comcast to use ThreatQuotient for cybersecurity operations
Comcast, the parent company of NBC Universal and SKY Group, has chosen ThreatQ Platform and ThreatQ Investigations to meet their cybersecurity needs.
Story image
Elevation of Privilege the top 2021 Microsoft vulnerability
BeyondTrust has released its 2022 Microsoft Vulnerabilities Report, finding that Elevation of Privilege is the top vulnerability category for the second consecutive year.