10 September 2025
For the period from 1 April to 30 June 2025, a total of 1,315 incidents were reported to the NCSC.
Scams and fraud continue to be the most-reported category of cyber security incident.
Direct financial losses of NZ$5.7 million were reported to the NCSC, compared with $7.8 million in the previous quarter.
This report illustrates an example of cyber criminals using social engineering techniques to gain access to sensitive information.
“We are seeing a type of attack where a cyber criminal calls up an organisation’s helpdesk and pretends to be a staff member who needs help getting access to their account,” said NCSC Director Mission Enablement, Mike Jagusch.
These attackers use the access they gain to take malicious actions such downloading sensitive information or deploying ransomware.
“They use social engineering techniques to sound more convincing. This might be using a sense of urgency, appealing to authority, or tricking you into feeling sympathy towards them.”
Of the 1,315 reported incidents, 56 were triaged for specialist technical support because they were of potential national significance.
A case study for an incident that required NCSC’s specialist support is also included in this report. It demonstrates how a sophisticated actor attempted to infiltrate a New Zealand organisation.
“This case study highlights the effectiveness of good cyber hygiene. Due to the organisation successfully implementing strong passwords, multi-factor authentication and network segmentation, the NCSC could verify that no data had been stolen,” said Mr Jagusch.
“There are valuable lessons to be learned from every incident we’re involved with. We hope organisations find our insights useful in bolstering their defences. In today’s challenging cyber environment, being well-prepared for an incident is more important as ever.”
ENDS
Key data highlights from 1 April to 30 June 2025:
- 1,315 total incident reports were recorded by the NCSC. Of these, 56 were triaged for specialist technical support because they were of potential national significance.
- The remaining 1,259 incidents were handled through the NCSC’s general triage process. These incidents were largely reported to the NCSC by individuals and businesses.
- Compared to Q1 2025, this is a 3% decrease in total incident reports.
- Direct financial loss recorded was $5.7 million. This is a 27% decrease compared to the previous quarter’s $7.8 million.
- The most common loss value reported was less than $500, however incidents $10,000 and over made up $5.3M (94%) of reported loss, despite consisting of only 50 incidents.
- With 514 total reports, Scams and Fraud was again the most-reported incident category. The second-highest number by category was Phishing and Credential Harvesting, with 374 total incident reports.