It’s easy to say you’ll be ‘tough’ on crime that happens on the streets. But what about crime that happens on the internet?
It doesn’t take long for the dedicated con artist to convince the owner of the vault to hand over the keys, and then it’s all go on the theft. When they enter the safe the intruders look around, then carefully and methodically strip out as much as they can, quickly and quietly, before anyone notices. One person changes the locks; once they’ve taken everything in the room, they lock the doors behind them so it’ll be harder for the real owner to get back in. They’ve committed a crime – stolen money – and, for now at least, no one has noticed. The reality of cybercrime, which New Zealanders have lost at least $13.4m to in the first half of this year, can look something like this, except it’s much harder to picture, because it happens online.
The metaphor of cybercrime-as-bank-heist quickly breaks down, of course: digital law-breaking differs from other kinds of crime in material ways. Lots of human relationships, including fraudulent or violent ones, happen on phones and computers, but a phone is not a house, and the internet is not a street. The perpetrators are often overseas, and always difficult to identify. With the vast majority of New Zealanders using the internet every single day, digital crime is one of the fastest-growing types of crime, targeting not just individuals but also institutions with millions of dollars to lose. But as the government ramps up its “tough on crime” rhetoric, is this area of threat being neglected?
Cybercrime is widespread and everyday
Every three months, the government agencies responsible for cybercrime release a report about the incidents that have been reported to them over the quarter. Previously led by Cert NZ, these responsibilities have now been merged with the National Cyber Security Centre (NCSC), under the GCSB (Government Communications Security Bureau). The latest report, covering the second quarter of 2024 (ending June 30), found that $6.8m of direct financial loss was reported, a slight increase from the previous quarter.
While most people think of scams as the obvious example of internet crime, other types of digital crimes can be equally harmful. Ransomware attacks have targeted lots of public institutions in New Zealand, including hospitals. Notably, unauthorised access incidents – where someone enters a computer or system without permission – caused more than $3.6m of loss in the past quarter, a more than nine-fold increase. Just a few big losses are responsible for the bulk of the money lost to cybercrime; 11 reports of more than $100,000 being lost added up to $5.5m in total, although the amount of reported losses has dropped 22% since the same time last year.
While these numbers might seem noteworthy, everyone working in cybercrime acknowledges that it’s massively underreported. To give a sense of the discrepancy, 24% of the 7,935 incidents reported to Cert NZ in 2023 included some kind of financial loss, with a combined total loss of $18.3m. By contrast, analysis by MBIE released last November, compiling information from 11 of New Zealand’s largest financial institutions, calculated that $198m was lost to scams over the previous year.
The 2023 Crime and Victims Survey (NZCVS) also shows how widespread and underreported cybercrime is. In 2023, 11.5% of people were estimated to have experienced at least one incident of fraud or cybercrime, making it the most common type of crime experienced in New Zealand. Yet only 10% of fraud and cybercrime incidents were reported to police.
“I’d rather see more reporting than just the numbers coming down,” says Mike Jagusch, the director of mission enablement at the NCSC.
Efforts by NCSC and its partner organisations to limit cybercrime continue to tick along. It runs the website Own Your Online, which has tips for cybersecurity for individuals and small businesses. “We want to reduce the level of harm for everyday people,” Jagusch says, acknowledging that it’s not a realistic goal to eliminate cybercrime.
NCSC has a regular “phishing disruption service” which compiles a list of all known phishing scams – which try to get people’s passwords or bank card information by pretending to be trusted institutions like New Zealand Post, the IRD or toll road authorities – happening in New Zealand. “We’re trying to reduce the amount of decisions individuals need to make to block [cybercrime],” Jagusch says. That’s the right approach; if the only response to cybercrime is to ask individuals to be more paranoid, the outcome will be savvier scammers and reduced public trust.
NCSC also works with the New Zealand Police (where it’s clear that a crime has taken place, or for online harm like individuals being bullied), and the private sector, particularly banks and other financial institutions. “Partnership with the private sector is really effective – it lets us reach a huge scale we wouldn’t be able to do on our own,” Jagusch says.
Well-functioning cybercrime prevention might mean that you never notice cybercrime at all. A bank might be aware of a scam that their customers are frequently reporting, and, while working on internal processes to notice a pattern of who’s being targeted (transfers between $100 and $300 to a bank account registered in Estonia, for example), alert NCSC’s confidential system too. A Malware Free Networks programme intended to improve New Zealand’s cybersecurity across big public and private sector organisations has reduced certain types of attacks too.
What’s the big-picture, long-term strategy to prevent cybercrime?
But while all efforts to reduce cybercrime are important, and many are necessarily invisible to the public, there are also some notable gaps in New Zealand’s approach to the issue.
The Justice Select Committee report interrogating the spending in the 2024 budget, released in August, mentions that “fraud and cybercrime are one of the fastest-growing demand areas by volume” [for the police]. Despite this, in the budget this year, no additional funding was given to cybersecurity.
The government also told BusinessDesk in May that a new national cybersecurity strategy was on its way, following an ambitious cybersecurity plan in Australia. This plan is still in progress, and is intended for release in the first half of 2025, a spokesperson for the Department of Prime Minister and Cabinet (DPMC) told The Spinoff. “As with the current strategy, improving New Zealand’s ability to proactively detect, disrupt and investigate cybercrime will remain a priority,” they said. “Responses to the wide range of cybercrimes and other online harms that affect New Zealanders will continue to be addressed by a range of agencies across government including NZ Police, Department of Internal Affairs and the National Cyber Security Centre.”
In the meantime, without offering more resources, the government is pushing the private sector to improve its security processes. Banks are a big area of focus; commerce minister Andrew Bayly said in March that “bank processes need to be strengthened to give Kiwis better protections”. Online harm was briefly touched on in the recent review of the banking sector. The report, released in August, said that “limited investment in core systems has contributed to lagging scam and fraud prevention” – as well as impeding the progress of open banking, a system that would make it very easy to switch bank and therefore increase competition.
That works well for New Zealand-based companies, but what about international ones? Someone in Putāruru losing $50 to a Facebook Marketplace scam is unlikely to matter much to Meta, even if it happens on its platform. “We’re really encouraging the private sector to make sure that everything they produce is secure,” Jagusch says. What does “encourage” mean in this context? “Companies will build things if customers demand it, requesting or requiring that they improve their cybersecurity.” So if you’re worried about this rising area of crime, you can at least take action – update the software on your computer, write to every company you use and request better cybersecurity – and hold tight for a bigger cybersecurity plan, coming some time in 2025.