New Zealand has a cybercrime problem that most people do not fully grasp — because most of it goes unreported. The National Cyber Security Centre (NCSC) recorded $7.8 million in direct financial losses in the first quarter of 2025 alone — a 14.7% jump from the previous quarter and the second-highest quarterly loss ever documented. And those figures only capture what people actually told the authorities.
The real number is almost certainly much higher. Reporting rates for cybercrime in New Zealand sit at roughly 10%, according to research from Transparency International NZ. The losses being counted, in other words, are the tip of the iceberg — and the iceberg is growing.
The question worth sitting with is not just how big the threat is. It is why, despite all the headlines and warnings, so many individuals and organisations remain dangerously underprepared. The answer is less about technology and more about habits — and the gap between what people know they should do and what they actually do.
Credential theft is the front door attackers keep walking through
Of all the categories of cybercrime tracked by the NCSC, phishing and credential harvesting is among the most persistent. In Q1 2025, it rose 15% to 440 reported incidents — and remains the second most commonly reported incident type in New Zealand, quarter after quarter. The pattern is consistent: someone gets a convincing email, clicks a link, enters their login details into what looks like a legitimate page, and the attacker is in.
What makes this type of attack particularly effective is not technical sophistication. It is human nature. Under time pressure, people do not scrutinise URLs carefully. They reuse credentials across services. They trust branding. A fake MyIR or ANZ login page, built in an afternoon, can yield access to multiple accounts if the victim uses the same details everywhere.
The Latitude Financial data breach in 2023 is a case that hit close to home for many Kiwis — over a million New Zealand customers had their personal data exposed in an attack that originated across the Tasman. It took weeks before affected New Zealanders were informed. Many only found out through Australian news coverage.
By the numbers — NCSC Q1 2025:
$7.8M lost to cybercrime in the first three months of 2025 alone.
14.7% increase from the previous quarter.
440 phishing and credential harvesting incidents reported — up 15% from Q4 2024.
28% of all incidents resulted in direct financial loss.
Total losses across the past eight quarters: $46 million.
The underreporting problem is hiding the true scale
In 2024, 11% of New Zealand adults reported experiencing at least one incident of fraud or cybercrime, according to the Ministry of Justice’s NZ Crime and Victim Survey. That translates to hundreds of thousands of people across the country. And in April 2024, CERT NZ itself noted that over half of New Zealanders had experienced a security attack online in the six months prior to that point.
Yet official figures consistently undercount what is happening. Reporting rates hover around 10%, for a mix of reasons: embarrassment, not knowing where to report, assuming nothing will come of it, or simply not realising the incident was significant. The result is a feedback loop — agencies cannot fully resource the response to a problem they cannot fully see, and the public does not grasp the scale because the public numbers look manageable.
An adult New Zealander is now statistically more likely to be the victim of a fraud or cybercrime incident than of interpersonal violence. That is not a headline most people have seen — but it is what the data shows. More on that from Transparency International NZ, whose 2024 snapshot of cyber-enabled fraud in New Zealand is worth reading in full.
The uncomfortable truth: most breaches start with bad habits, not bad luck
It is tempting to frame cybercrime as something that happens to organisations with weak infrastructure, or to individuals who fall for obviously dodgy emails. The reality is more uncomfortable. The majority of incidents the NCSC responds to involve credentials — login details — being compromised. And compromised credentials usually come down to three things: reusing the same password across multiple sites, weak passwords, and not using multi-factor authentication.
None of those are infrastructure failures. They are habit failures. And they are remarkably common across all demographics and organisation sizes.
What security hygiene actually looks like in practice
For individuals, the basics are well-documented by the NCSC and CERT NZ: use unique, strong passwords for every account, turn on two-factor authentication wherever it is available, and do not click links in unsolicited messages without verifying the sender.
Managing unique credentials across dozens of accounts is genuinely difficult without help. A password manager is how most security professionals handle this — it removes the cognitive load of remembering separate logins and makes reuse essentially unnecessary. It is one of those tools that sits in the category of ‘obvious in hindsight’ once you have tried it.
For businesses, the NCSC’s guidance is consistent: regular staff training on phishing recognition, enforced MFA on all accounts with access to sensitive systems, and clear incident response procedures so that when something goes wrong — and it will — the organisation knows exactly what to do in the first 72 hours.
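The three habit failures named above (password reuse, weak passwords, no MFA) are all things an individual or a small business can check for mechanically rather than by memory. The script below is an added example, not code from the article, the NCSC or CERT NZ: it audits a constructed, hypothetical password-manager export (the sites, usernames and passwords are made up for illustration) and reports, per account, whether the password is shared with another account, whether it is weak, and whether MFA is switched on. The entropy estimate and thresholds (12 characters, 60 bits) are the example's own assumptions, not NCSC figures.

```python
import math
from collections import defaultdict

# Constructed sample vault export: hypothetical accounts and passwords
# invented for this example. A real audit would read a local export from
# the password manager; the data never needs to leave the machine.
SAMPLE_VAULT = [
    {"site": "bank.example",     "username": "kiwi", "password": "Summer2024!",        "mfa": True},
    {"site": "email.example",    "username": "kiwi", "password": "Summer2024!",        "mfa": False},
    {"site": "shop.example",     "username": "kiwi", "password": "password123",        "mfa": False},
    {"site": "work-sso.example", "username": "kiwi", "password": "xK9#vQ2m!pL7$wE4rT", "mfa": True},
]

# Tiny stand-in for a breached-password list; a real check would use a
# much larger list or a k-anonymity lookup against a breach corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12        # assumed policy threshold
MIN_ENTROPY_BITS = 60  # assumed policy threshold


def estimate_entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used).

    This is an upper bound (it assumes every character was chosen uniformly),
    which is why it is combined with a common-password list below.
    """
    if not pw:
        return 0.0
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33  # printable ASCII punctuation
    return len(pw) * math.log2(charset)


def weak_password_reasons(pw: str) -> list:
    """Return the list of reasons a password is considered weak (empty if none)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return reasons


def audit_vault(entries: list) -> dict:
    """Map each site to a list of findings: reuse, missing MFA, weak password."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])

    findings = {e["site"]: [] for e in entries}
    for e in entries:
        site, pw = e["site"], e["password"]
        # Reuse: the same secret unlocks more than one account, so one
        # phished login page compromises all of them.
        if len(by_password[pw]) > 1:
            others = sorted(s for s in by_password[pw] if s != site)
            findings[site].append(f"reused: same password as {', '.join(others)}")
        # MFA: a stolen password alone should not be enough to log in.
        if not e.get("mfa", False):
            findings[site].append("mfa: not enabled")
        for reason in weak_password_reasons(pw):
            findings[site].append(f"weak: {reason}")
    return findings


def sites_needing_action(findings: dict) -> list:
    """Sorted list of sites that have at least one finding."""
    return sorted(site for site, issues in findings.items() if issues)


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for site in sites_needing_action(report):
        print(site)
        for issue in report[site]:
            print("  -", issue)
```

Run against the sample vault, the script flags bank.example and email.example for sharing a password (with email.example also lacking MFA), flags shop.example on all three counts, and passes work-sso.example clean. The point of the reuse check in particular is that a password can be "strong" by every per-account measure and still be the single point of failure the article describes, because one convincing phishing page is enough to collect it.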
The cost of a breach goes well beyond the ransom or the fraud amount
When the NCSC reports $7.8 million in direct losses for a single quarter, it is worth remembering what that figure does not include. It does not capture the cost of IT recovery, legal advice, regulatory compliance work, reputational damage, or the staff time consumed by the incident response process. For small and medium businesses — which make up the bulk of New Zealand’s commercial landscape — a single serious breach can be existential.
The Manage My Health breach, which saw attackers demand a $60,000 ransom, is illustrative. The ransom itself was the least of it. The investigation, remediation, patient notification obligations under the Privacy Act 2020, and the reputational fallout extended the actual cost far beyond that figure. These are the incidents that close businesses or force years of recovery.
New Zealand’s Privacy Act 2020 requires organisations to notify the Privacy Commissioner of a breach that is likely to cause serious harm. Failure to do so — or failure to notify affected individuals — carries its own regulatory risk. Organisations that treat compliance as a box-ticking exercise tend to find this out at the worst possible moment.
Where does responsibility actually sit?
This is the question that generates genuine debate. Is cybercrime fundamentally a government problem, a platform problem, or an individual problem? The honest answer is that it is all three — and pointing the finger at only one of them is a way of avoiding the parts of the picture that are inconvenient.
Governments and regulators can improve legislation and funding for agencies like the NCSC. Platforms can invest more heavily in authentication infrastructure and make phishing harder to execute at scale. But individuals and businesses also make choices every day that either increase or reduce their exposure. Reusing passwords is a choice. Ignoring MFA prompts is a choice. Not having an incident response plan is a choice.
The framing of cybercrime as something that happens to passive victims — bad luck, bad actors, inevitable — lets too many people off the hook for decisions they can actually control. The $46 million lost across eight quarters in New Zealand does not belong entirely in the category of bad luck.
Takeaway:
The NCSC’s data tells a consistent story: financial losses from cybercrime in New Zealand are rising, phishing and credential theft remain the dominant attack vectors, and the true scale of the problem is far larger than what gets reported. The tools and habits that reduce personal and organisational risk are well-documented and widely available — the gap is not information, it is action.
