The National Cyber Security Centre (NCSC) has released its Cyber Security Insights report for the second quarter of 2025 (Q2 2025), highlighting ongoing challenges for New Zealand organisations.
Between April and June, the NCSC received 1,315 reports of cyber security incidents. While scams and fraud continued to dominate as the most frequent type of incident, the direct financial losses reported dropped to $5.7 million, a notable decrease from the $7.8 million recorded in the previous quarter.
Of the total incidents, 56 were escalated for specialist technical support due to their potential national significance. The remaining 1,259 incidents were managed through the NCSC’s standard triage process, with most reports originating from individuals and businesses.
This quarter’s figures represent a 3% reduction in overall incident reports compared to the first quarter of the year.
The report draws attention to the continued use of social engineering tactics by cyber criminals.
According to Mike Jagusch, director mission enablement at the NCSC, attackers are increasingly targeting organisational helpdesks by impersonating staff members to gain access to internal accounts.
“We are seeing a type of attack where a cyber criminal calls up an organisation’s helpdesk and pretends to be a staff member who needs help getting access to their account,” he said.
Once access is obtained, attackers may exfiltrate sensitive information or deploy ransomware.
Jagusch noted that these tactics often involve creating a sense of urgency or leveraging authority to manipulate helpdesk staff.
“They use social engineering techniques to sound more convincing. This might be using a sense of urgency, appealing to authority, or tricking you into feeling sympathy towards them,” he said.
The NCSC’s report includes a case study involving an attempted infiltration of a New Zealand organisation by a sophisticated threat actor.
The organisation’s use of strong passwords, multi-factor authentication, and network segmentation enabled the NCSC to confirm that no data was compromised.
“This case study highlights the effectiveness of good cyber hygiene,” Jagusch said.
He also emphasised the importance of learning from each incident to improve organisational defences.
“There are valuable lessons to be learned from every incident we’re involved with. We hope organisations find our insights useful in bolstering their defences. In today’s challenging cyber environment, being well-prepared for an incident is more important as ever,” Jagusch said.
A separate survey, commissioned by the NCSC and conducted by The Research Agency (TRA), found that 53% of New Zealand’s small and medium-sized enterprises (SMEs) reported experiencing a cyber threat in the past six months, up from 36% in the previous year.
Jagusch commented on the findings, stating: “With cyber threats increasing in frequency and sophistication globally, New Zealand’s businesses need to anticipate a cyber security attack and plan accordingly to lessen the threat and be ready to respond.”
Despite high awareness – 94% of SMEs recognise cyber security as important – many businesses believe their current measures are sufficient.
Jagusch cautioned that this perception could lead to gaps in protection, such as not adopting two-factor authentication (2FA) or failing to regularly back up data.
“2FA is a simple and effective way of adding an extra layer of protection to online accounts that can often prevent the majority of online attacks,” he said.
