
If you manage operations, finance or IT at an SME in New Zealand, this guide shows how to spot scam red flags, run a one‑minute triage and take immediate containment steps. We explain current scam trends, common scam types, business‑specific risks, a short checklist your team can use right away and where to report incidents in New Zealand.

Use the checklist and reporting steps to act quickly when a suspicious request appears.
A scam is a dishonest scheme designed to steal money or personal information. Scammers use email, phone, social media and fake websites to impersonate trusted organisations or people.
Scammers are adapting quickly; these trends often target business processes as well as individuals — in Q1 2025, NCSC reported that 486 (38%) of incidents were classified as Scams and Fraud. Watch them so you can prioritise controls and staff checks.
Attackers use AI to mimic executives’ voices or faces and issue urgent requests — this matches industry findings where 31% of APAC fraud teams flagged AI voice manipulation as a leading fraud typology. These messages sound and look authentic, and they pressure staff to act without verifying.
Scammers pose as banks, government agencies or suppliers and use official‑sounding scripts. The goal is to create urgency and bypass normal verification steps.
BEC involves compromised or spoofed business emails used to request payments or change supplier details. These attacks often result in successful invoice redirection or wire fraud — for example, NCSC found that among large-loss incidents in Q1 2025, several involved unauthorised transfers.
Attackers target suppliers and procurement systems to insert fake vendors or change legitimate vendor details. Routine workflows make this an effective method for stealing payments.
Mitigation: Verify supplier bank‑change requests by calling a known number from your records.
Different scams use different tactics. Below are common customer‑facing and business‑facing examples your team should recognise.
Travel scams use fake clubs, bogus rental listings or timeshare resales to collect payments or personal data. They often look like legitimate booking sites.
Scammers build false relationships to request money later. These are typically consumer‑targeted but can affect staff personally and distract them from work.
Offers promising quick returns, fake investment platforms and wallet‑theft phishing are common. Treat unsolicited crypto investment requests with high scepticism.
Fake marketplace listings or counterfeit products on peer‑to‑peer platforms steal payments and personal data. Always use platform payment systems and verify seller histories.
Fraudsters promise loan forgiveness or refunds in exchange for fees or personal information. These offers are usually fraudulent; never pay up front for a guaranteed outcome.

Business scams exploit routine approvals and supplier relationships. Protecting your accounts payable and procurement processes reduces risk without slowing operations.
Invoice redirection fraud is common and effective because attackers copy invoices and supplier branding. Verify requests via a separate channel before you pay — payment‑fraud losses are substantial, with online payment fraud projected to exceed USD 362 billion through 2028.
CEO/CFO impersonation scams use authority to create urgency. Staff should treat any payment request that claims to be confidential or urgent as suspicious until verified.
Supplier onboarding abuse occurs when fake suppliers enter procurement systems. Strengthen onboarding with identity checks and bank‑account verification — the Government and industry are progressing measures such as Confirmation of Payee to reduce payment‑change fraud.
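The supplier bank-change verification described above, as an added example rather than the page's or Oxygen IT's own process: an accounts-payable triage that compares a change request with the vendor record, flags lookalike sender domains and pressure language, and returns the phone number on record for the callback. All supplier names, domains, account numbers and phone numbers are constructed placeholders.

```python
# Added example, not Oxygen IT's code: hold a supplier bank-change request for an
# out-of-band callback when it shows invoice-redirection red flags.
from dataclasses import dataclass

@dataclass
class VendorRecord:          # what accounts payable already holds on file
    name: str
    email_domain: str
    bank_account: str
    phone_on_record: str     # known number staff call back; never one from the email

@dataclass
class ChangeRequest:         # what arrived by email
    vendor_name: str
    sender_email: str
    new_bank_account: str
    body: str

URGENCY_WORDS = ("urgent", "confidential", "today", "immediately", "do not call")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(req: ChangeRequest, vendor: VendorRecord) -> dict:
    """Hold for an out-of-band callback whenever a red flag appears; a changed
    bank account is itself a flag because that is the invoice-redirection move."""
    flags = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    registered = vendor.email_domain.lower()
    if domain != registered:
        lookalike = edit_distance(domain, registered) <= 2
        flags.append(f"sender domain {domain!r} is not the registered domain"
                     + (" (lookalike)" if lookalike else ""))
    if req.new_bank_account != vendor.bank_account:
        flags.append("bank account differs from the account on record")
    hits = [w for w in URGENCY_WORDS if w in req.body.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    if not flags:
        return {"decision": "no change", "flags": [], "callback": None}
    return {"decision": "hold", "flags": flags, "callback": vendor.phone_on_record}
```

The callback number always comes from the vendor record, so a scammer who supplies a "new contact number" in the email never gets the verification call.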
These practical controls are low cost and quick to implement; they close the most commonly exploited gaps attackers use to steal from SMEs — NCSC recorded direct financial losses of $7.8 million in Q1 2025, underscoring the value of preventive steps.
Recognising a scam quickly reduces the chance of loss. Use the checks below to triage any suspicious message or request.
Use this checklist as a quick, repeatable test before approving payments or sharing sensitive data — combined with regular in-person training, checklists and simulations help staff spot and stop scams.
Act fast. These steps help limit financial, reputational and technical damage.
Report promptly and include copies of messages and transaction details to help investigators.
Manage alerts so staff stay informed without overloading them. Use device and inbox controls to reduce noise.

Technical defences plus trained people reduce the chance a scam becomes a loss. Prioritise services that detect, block and recover.
Continuous monitoring catches unusual logins, abnormal email activity and suspicious data flows early. Early detection reduces investigation time.
Audits find misconfigurations, stale access permissions and missing patches. Fixing these lowers the risk of account compromise used in BEC attacks.
A tested incident response plan gives clear roles, communications steps and technical actions to recover fast. Backups and tested recovery procedures minimise downtime.
ATP tools focus on behavioural detection to block sophisticated attacks that signature‑based tools miss. They reduce false negatives against novel phishing tactics.
Regular training sessions are one of the most effective defences and should include practical simulations.
Oxygen IT helps businesses prevent and respond to scams with proactive security, fast incident response and clear recovery steps. Our focus is on outcomes—minimising downtime and limiting operational impact so you can keep running the business.
Contact Oxygen IT to arrange a security review or urgent incident response.
Sign up for CERT NZ, Netsafe and government consumer protection updates; these are free and provide timely, local alerts. Choose one or two sources and review them weekly.
For financial loss, contact your bank first and then the New Zealand Police; for phishing or cyber incidents report to CERT NZ; for misleading trading practices contact the Commerce Commission. Report quickly and include copies of messages and transaction details to help investigators.
Contact your bank immediately to try to stop or reverse payments, then secure compromised accounts by changing passwords and enabling multi‑factor authentication. Preserve evidence and report the incident to CERT NZ and the Police so investigators can follow up.
Check known breach services for exposed emails and run a professional cybersecurity audit for company systems. A full audit identifies compromised accounts, misconfigurations and recommended remediation steps.
If you need help reviewing processes or responding to an incident, contact Oxygen IT for a practical, outcomes‑focused security review and rapid incident response. Our team will help prioritise controls and get you back to business quickly.