Cyber-enabled fraud in New Zealand – a snapshot

By Anne French

No one has a good handle on the extent of cybercrime in New Zealand - not NZ Police, National Cyber Security Centre’s (NCSC) Computer Emergency Response Team (CERT), the Department of Internal Affairs, or banks. Most of it is not reported. The government agencies for whom cybercrime is part of their job struggle to give an accurate estimate of its cost to the country.

In April 2024, CERT reported that over half of New Zealanders had experienced a ‘security attack’ online in the previous six months. In the case of fraud, most victims pay up without reporting the crime. Reporting rates are so low (around 10%) that the official data are misleading.

Some definitions; see EU / Policies / Internal Security / Cybercrime:

  1. crimes specific to the internet such as attacks against information systems (‘pure cybercrime’, such as fake bank websites to solicit passwords enabling access to victims’ bank accounts).
  2. online fraud and forgery: large-scale fraud committed online through instruments such as identity theft, phishing, spam, and malicious code
  3. illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism, and xenophobia. These latter two are defined as ‘cyber-enabled’. 

The Ministry of Justice collects data annually through the NZ Crime and Victim Survey. Burglary has been declining since data was first collected in 2018 but cyber-enabled fraud and other kinds of cybercrime have been increasing steadily.

In 2024, 11% of adults experienced at least one incident of fraud and cybercrime. Interpersonal violence has been holding steady since 2018, but fraud and cybercrime have been rising, reaching 14 incidents per 100 adults in 2024 (up from 10 in 2018). An adult New Zealander is now more likely to suffer a fraud or cybercrime incident than an incident of interpersonal violence.

Cybercrime became big business during the pandemic. Multinational criminal gangs shifted out of illegal drugs and into fraud and other kinds of cyber-enabled crime. Criminals no longer need advanced computer skills to run a cybercrime operation. AI has taken cybercrime to an industrial scale, creating massive efficiencies for criminal gangs. Everyone with an internet connection is vulnerable.

Leading up to the 2023 election, when politicians campaigned on law and order, they were responding to a small number of high-profile crimes such as ram raids. No one mentioned cybercrime, despite its prevalence and impact on individuals and small businesses.

How is New Zealand doing compared with Australia?

Australians are more savvy than Kiwis about the risks they run online thanks to better communications and stronger legal and regulatory protections. 

They have only one reporting agency, the Australian Signals Directorate (ASD), which operates an on-line service called Report Cyber and a cyber security hotline. Report Cyber was launched with a big public campaign and backed with serious resources. The ASD recently received an additional $15-20 billion to enhance its signals intelligence and cyber capabilities.

New Zealand’s operational agencies are poorly resourced. We lack strong political leadership in this area.

Big thefts of personal data from financial and other institutions have been in the Australian news. They include the Medibank attack in October 2022, when the personal data of 9.7 million Australians was stolen and sold on the dark web, and the Latitude financial data breach in March 2023, which affected over 10 million Australians and about a million New Zealanders. It took weeks for Latitude to inform the NZ victims that their data had been stolen. But it was all over the news in Australia.

Despite the heightened threat landscape, New Zealand lags behind other jurisdictions in policy and legislation for a broad range of cybercrime. As a starting point, New Zealand victims of cybercrime cannot be well served if harms are not criminalised and if law enforcement cannot investigate promptly and with certainty.

Ultimately this will erode Kiwis’ confidence in their institutions. As the NZ Crime and Victim Survey data shows, we are seeing a tolerance of crime that is corrosive to the rule of law.

Bio note:

Anne French consults on innovation and strategy. In 2022-23, with colleagues, she prepared an assessment of the NZ cybercrime risk landscape for government clients.

Blog Post written by: