Advice

Cybercrime

2 weeks ago
woman typing on keyboard

Are you and your team prepared for potential cybercrime attacks?

Cybercrime refers to all illegal activity that involves the internet or digital technology.

In July 2024, MYOB reported that more than a quarter (28%) of SMEs surveyed said they had been targeted by malicious cyber activity.

New Zealand’s Computer Emergency Response Team’s (CERT NZ) quarterly Cyber Security Insights reported over $25 million in direct financial losses in 2024.

Business owners should be aware of potential threats and train their staff to recognise and prevent potential attacks that may cause financial loss, harm to reputation and business disruptions.

What are common types of cybercrime?

Cybercrime continuously evolves and adapts to exploit new vulnerabilities and technological advancements. Cybercriminals often shift their tactics, from simple phishing schemes to sophisticated ransomware attacks, to stay ahead of security measures. Below are the most common types of cybercrime that are currently known.

Phishing is a type of email or text scam, where the recipient is asked to click a link or open an attachment. This often results in the scammer collecting critical information such as log-in details or installing malicious software onto the recipient’s computer.

According to CERT, phishing is the most reported cybercrime. Phishing emails often look like legitimate messages from trusted sources such as colleagues, clients or even government agencies; this is referred to as ‘spoofing’.

Some criminals simply ask for the information they need to commit their intended crime. They may contact you by phone or email under false pretence and ask for information such as passwords, serial numbers or financial data.

For example, you may get a call from someone claiming to be a bank representative, saying that they are investigating suspicious activity and require your account password. During tax season, scammers may imitate Inland Revenue and ask you for banking or financial details related to tax refunds or end-of-year filing.

Another common scam is payment redirection—a sender that appears to be a trusted source asks the recipient to send money to new or updated payee details of a bank account they control.

Once a criminal has your information, they can get unauthorised access to your systems or accounts. They can make unauthorised transactions, steal proprietary information, communicate false information to your clients and associates, and engage in many activities that can harm the business and/or cause financial losses or damage reputations. Furthermore, they can install malicious software that will continue to damage and expose your business to further harm in the future.

In some instances, a criminal will target a business by using software or bots to flood the business website, causing an overload of your server or online tools. This can cause business disruption by preventing your customers from contacting you or placing orders, making payments or even accessing your website.

How can you protect your business?

There is no foolproof method of preventing cybercrime, but you can greatly decrease your chances of attack by following the steps below.

Stay informed

Make sure you are familiar with the privacy and data policies of companies and services you work with, such as banks, IT providers, government departments, etc. Most of these organisations would never ask you for personal or private information, log-in details, etc., so be aware of their processes for communicating or requesting information.

If a request seems unusual, call or email the organisation to check – but do not rely on the contact details in the request. Check your records or the organisation’s website to ensure you are using the correct phone number or email address.

Watch out for news about specific scams that are being reported, as they often happen in waves. If a company you’ve interacted with has experienced a hack or data breach, you may receive an email informing you that your information may have been compromised. Be sure to take appropriate steps to protect your business, e.g. change your passwords.

Update your passwords and logins
  • Use strong passwords that are difficult to guess, change them often, e.g. every six months and do not reuse old passwords.
  • Discourage your staff from sharing log-in details, unless it is unavoidable.  
  • Always disable access to emails or other company accounts for employees who have left the business; this could mean changing shared log-in details after someone leaves.
  • If possible, enable multi-factor authentication, such as text verification.
Train your team

Provide regular training to your team on cyber security, such as:

  • how to spot a phishing email,
  • how to create strong passwords,
  • what to do if someone calls or emails the store asking for sensitive information.

Own Your Online, created by CERT NZ, offers many free, educational resources for businesses, including webinars, templates and security frameworks.

Report incidents

If you believe you have experienced a cyber-attack, there are several ways to report this:

  • Police – Call 111 (if the attack presents immediate threat) or 105 (for non-emergency attacks). You can also go to your local police station to file a report in person.
  • CERT NZ – call 0800 CERT NZ (0800 2378 69) or use their online reporting tool.
  • Netsafe NZ – call 0508 638 723, text “Netsafe” to 4282, or use their online reporting tool

In addition to reporting the breach to security officials, you may have further obligations to your employees, customers and business associates under the Privacy Act.

If a cyber-attack has resulted in unauthorised access of private information such as names, contact information, payment information or other personal data, you are required to take the following actions:

  • Inform the affected individuals that their data has been breached
  • Take steps to prevent further breaches (this may include updating your security settings, implementing new policies and procedures, or engaging with data security professionals)
  • Report the breach to the Office of the Privacy Commissioner

Additional Resources

Podcast: Business risk and resilience in Cybersecurity

Did you know that retail is one of the largest targets for cybersecurity?
  
Listen in as Kendra Ross, Cybersecurity Business Leader and Carolyn Young, Chief Executive, Retail NZ, as they explore the world of cybersecurity. 

They delve into why cybersecurity should matter to retailers and what you need to know about business risk and resilience. Make sure you tune in, to gain in-depth insights by an IFSEC Global Top 20 Cybersecurity Influencer.

LEARN MORE

Webinar: Keeping your customers’ data safe

Retailers have responsibilities under the Privacy Act as collectors and users of customer data.

Retailers often collect customer data for online orders, customer loyalty programmes and transacting purchases. Steph Gregor from the Office of the Privacy Commissioner talks us through our responsibilities as collectors and users of this information, and our obligations under the Privacy Act.

We cover data storing safeguard requirements, obligation of data accuracy, how to deal with any data breaches, privacy officer requirements and data information requests.

LEARN MORE
Need more information?

If you would like clarification on anything in this article, or if you would like advice on a specific situation, do not hesitate to email us on [email protected] or give our Advice Service a call on 0800 472 472 (or 1800 128 086 from Australia).

Updated April 2025.

Tags

Our Supporters

OUR STRATEGIC PARTNERS

Would you like one of our team to give you a call? Let us know and we will get back to you.