New Zealand’s National Cyber Security Centre (NCSC) recorded 7,122 cyber security incidents between 1 July 2023 and 30 June 2024, with the vast majority-6,779 incidents-targeting individuals and small to medium businesses. These incidents, typically driven by scams, phishing and unauthorized access, highlight persistent threats to personal and organizational security from everyday online activity to critical sector exposure.
In the 2023/24 financial year, the NCSC received 7,122 incident reports. Most 6,779 of them (≈95%)-were handled via its general incident triage process, indicating they did not require advanced technical intervention. These incidents typically affected individuals and SMEs and resulted in US $21.6 million in reported losses. This represents a 12.5% reduction from the previous year (down from 7,744 incidents).
A smaller subset of 343 incidents was escalated for specialist technical support due to potential national significance. Among these, 110 were linked to state-sponsored actors, and 65 appeared financially motivated.
Most Common Incident Types
Scams & Fraud
Accounts for 30% of general triage incidents, making scams and fraud the most prevalent type. Examples include fake investment opportunities and too-good-to-be-true online deals. While technically simple, they rely on users identifying deception.
Phishing & Credential Harvesting
The second-most common incident type 3,455 cases. Although down 31% from last year, this remains prevalent due to its use in enabling unauthorized money transfers, ransomware, and identity theft. Most phishing themes mimic mail/package delivery, government services, banks, or online shopping.
Unauthorized Access
681 incidents of unauthorized access via general triage: 601 affecting individuals and 57 affecting SMEs a decrease of roughly 23% and 27%, respectively. Many reports involved compromised social media accounts used to propagate further scams or malware.
Economic Harm & Victim Impact
Despite fewer incidents, per-incident losses rose from US $14,000 to $25,500. Total individual-reported losses hit $20.1 million, with organizations reporting $1.2 million highlighting the financial toll on vulnerable groups. Investment scam losses quadrupled to $4 million, and losses affecting older adults aged 65+ doubled to $4 million.
MEA & Global Context (Optional Perspective)
Though the report reflects New Zealand’s threat landscape, its insights resonate globally: small organizations and individuals remain frequent targets due to limited cybersecurity maturity. In regions like the Middle East and Africa, similar patterns-scams, phishing, and weak IAM-persist, underscoring the global nature of low-sophistication attacks and the need for basic protective measures.
Expert Insights
“Scams and phishing continue to exploit trust. Without awareness training and basic safeguards, individuals remain soft targets.” – NCSC Officials
“Unauthorized-access incidents decreased but remain significant—especially social-media breaches used to fuel more scams.” – GCSB/NCSC analysts
Actionable Takeaways for Defenders & Executives
- Enforce phishing awareness training and simulations.
- Require multi-factor authentication (MFA) on all personal and organizational accounts.
- Advise clients/customers on recognizing scams involving fake investments or packages.
- Implement long, unique passwords and password managers.
- Encourage regular backups and incident reporting to cyber authorities.
- Promote basic cybersecurity hygiene across SMEs and households.
- Monitor unauthorized access alerts—especially social media or email hijacks.
- Provide targeted awareness to older demographics, who face rising losses.
- Engage incident response services for recovery and identity theft support.
- Share community-level guidance (especially in MEA) to raise collective resilience.
Conclusion
Although the frequency of general cyber incidents in New Zealand decreased in 2023/24, financial losses per incident increased notably. The report underscores how scams, phishing, and unauthorized access continue to prey on everyday users and small businesses. Basic safeguards-awareness, MFA, secure passwords-remain the frontline defense. As the global threat landscape grows more complex, cyber resilience starts with defense at the grassroots level.
Sources
- NCSC Cyber Threat Report 2023/24 – “Incidents usually affecting individuals or small to medium businesses”
- NCSC “By the numbers” summary
- NCSC Loss and Harm breakdown
- Incident specifics on unauthorized access and phishing
- Management.co.nz editorial summarizing the NCSC report
