An email phishing scam which targeted companies including The Rarotongan Beach Resort & Lagoonarium has highlighted growing cybersecurity challenges facing businesses in the Cook Islands.
The incident occurred just as the government and private sector concluded a four-day training programme addressing cybercrime threats, facilitated by WebSafe Samoa, Pacer Plus, and the Cook Islands Business Trade and Investment Board (BTIB).
Last week, the Office of the Prime Minister issued a notice warning businesses and individuals about an active email phishing scam.
According to resort owner Tata Crocombe, the scam was a sophisticated attack that exploited vulnerabilities in Microsoft’s cybersecurity systems.
“This was a breach of Microsoft cybersecurity that Microsoft is working to close out. It is a 24/7 battle with scammers worldwide. If a scammer can overcome Microsoft’s systems, they are very, very, very sophisticated,” Crocombe said.
He confirmed that the resort detected the scam immediately. The phishing attack reportedly involved over 3,000 fraudulent emails urging recipients to open a document related to Q4 funding.
While most staff recognized the scam, a few unfortunately didn’t and provided sensitive information, compromising the system’s security.
“This has been a nuisance, nothing more,” said Crocombe, emphasizing that the financial stability of the resort was not affected.
Despite the limited financial impact, the incident underscores the escalating threat of cybercrime.
“Usually, scammers do not bother with relatively small companies like ours or small countries like the Cook Islands. This is a warning that scammers are extending their focus to smaller companies and countries,” Crocombe said.
The resort has since upgraded its cybersecurity protocols and is collaborating with Microsoft and other specialists to prevent future attacks.
Crocombe expressed scepticism, however, about identifying the perpetrators. “I will be very surprised if the scammers are apprehended. They operate on a global basis and are very sophisticated,” he said.
Key measures implemented by the resort include enhanced staff training, adoption of two-factor authentication (2FA), and updated policies to bolster defenses against phishing attacks.
Crocombe urged local businesses to remain vigilant and proactive in the face of evolving cyber threats.
“Most people are aware of the basic rule, which is not to open any suspicious links, and if in doubt, to check,” he said.
The resort has shared lessons learned and actionable recommendations with government IT and industry stakeholders.
The incident also coincided with a broader push for cybersecurity preparedness in the Cook Islands. The recent training programme, which brought together public and private sector representatives, emphasized the need for collaboration, resource-sharing, and robust incident reporting protocols to combat cyber threats.
As phishing scams grow increasingly sophisticated, businesses and governments alike are urged to adopt stronger cybersecurity measures.
Recommendations include establishing a national cybersecurity alert system, conducting regular training, and fostering public-private partnerships to address the shared threat.