Dayna-Jean Broeders
19 August 2025
6 min read
Cyberattacks in New Zealand are on the rise and NSP has seen first-hand how quickly they can devastate a business. One of the fastest-growing and most damaging attack methods right now is Business Email Compromise (BEC), and Microsoft 365 users are firmly in the crosshairs.
Cybercriminals are breaking into legitimate Microsoft 365 business email accounts and using them to send phishing emails. These often look like genuine shared files or collaboration invites from trusted colleagues or partners.
Because the messages come from a real, compromised account, recipients are less likely to question them and more likely to click malicious links or open infected attachments.
Once attackers gain access to an email account, they can:
Impersonate trusted users - tricking staff, clients, or suppliers into action.
Harvest login credentials - capturing usernames and passwords for further attacks.
Steal sensitive data - from financials to client information.
Deliver malware or ransomware - using legitimate-looking attachments.
Manipulate payments or invoices - redirecting funds without raising alarms.
These attacks are stealthy, effective, and increasingly common in New Zealand.
Traditional warning signs, like strange email addresses or poor grammar, don’t always apply here. Messages appear to come from trusted, known senders, often referencing real projects or conversations.
That means antivirus alone isn’t enough. Without layered defences and an informed workforce, even the most security-conscious businesses can fall victim.
Here are practical steps your team should take right now:
Pause before clicking. Always be cautious with unexpected file-sharing emails, even from known contacts. When in doubt, call and verify.
Check the link. Hover over file-sharing links to confirm they are legitimate.
Verify Microsoft login pages. Only enter credentials on URLs that come from Microsoft domains. (See the full list of official Microsoft domains here).
Enable Multi-Factor Authentication (MFA). A critical safeguard if credentials are stolen.
Use advanced email security tools. Filtering and threat detection add another layer of defence.
Report suspicious messages. Never ignore a potential threat; escalate it to your IT team or provider immediately.
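The "check the link" and "verify Microsoft login pages" steps above can be automated on the mail-filtering side rather than left entirely to the reader's eye. The following is an added example, not code from NSP or Microsoft: it extracts the host a browser would actually connect to and accepts a credential link only if that host is on an allowlist of Microsoft sign-in domains. The allowlist here is an illustrative subset (an assumption for the example); a real filter would load the complete list of official Microsoft domains the article refers to. Function names such as check_login_link are hypothetical.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Illustrative subset only (assumption for this example): a production filter
# would load the full list of official Microsoft sign-in domains.
MICROSOFT_LOGIN_DOMAINS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
    "microsoft.com",
    "office.com",
    "sharepoint.com",
}


def connecting_host(url: str) -> Optional[str]:
    """Return the hostname the browser would really connect to, or None if the
    URL is malformed or not HTTPS. urlsplit() discards any 'user@' prefix, so
    'https://login.microsoftonline.com@example.net/' yields 'example.net' here,
    not the Microsoft name that appears before the '@' when hovering."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. an unterminated IPv6 literal
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_microsoft_domain(host: str) -> bool:
    """True only if host equals an allowlisted domain or is a subdomain of it.
    Matching on label boundaries rejects 'login.microsoftonline.com.example.net'
    (Microsoft name used as a subdomain of someone else) and
    'microsoftonline-login.example' (Microsoft name embedded in another label)."""
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_LOGIN_DOMAINS)


def check_login_link(url: str) -> Tuple[str, str]:
    """Classify a link that claims to lead to a Microsoft sign-in page.
    Returns (verdict, reason) with verdict 'ok' or 'suspicious'."""
    host = connecting_host(url)
    if host is None:
        return "suspicious", "not an https URL or no hostname"
    # Internationalised labels (punycode) can look like Latin letters when
    # rendered; send those for manual review rather than trusting the string.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"host {host} contains an internationalised label"
    if is_microsoft_domain(host):
        return "ok", f"host {host} is a Microsoft domain"
    return "suspicious", f"host {host} is not a Microsoft domain"


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking Microsoft URL and several
    # ways a hovered link can read 'microsoft' while pointing elsewhere.
    for link in [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.example.net/",
        "https://login.microsoftonline.com@example.net/",
        "https://microsoftonline-login.example/",
        "http://login.microsoftonline.com/",
    ]:
        verdict, reason = check_login_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The key design choice is to judge the parsed hostname, never the raw string: a substring test for "microsoftonline.com" would pass three of the five constructed samples. Requiring HTTPS is an additional check this example adds; Microsoft's sign-in pages are only served over HTTPS, so a plain-HTTP credential link warrants the same "call and verify" response the article recommends.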
According to New Zealand’s National Cyber Security Centre, the cost of cybercrime against local businesses continues to climb each quarter. For SMEs, the risk is even higher: attackers know these organisations often lack enterprise-scale defences.
BEC attacks thrive on trust, exploiting human behaviour as much as technical systems. That’s why prevention requires a mix of:
Technology (MFA, filtering, monitoring)
Processes (verification, reporting)
Awareness training (so staff recognise red flags before damage is done).
At NSP, we work with New Zealand businesses every day to strengthen cyber resilience, with:
Awareness training through industry-leading platforms like KnowBe4,
Advanced threat detection to stop attacks before they spread,
Security reviews to identify and close gaps in Microsoft 365 setups,
24/7 monitoring through our SOC (Security Operations Centre).
We make sure you’re not just reacting to attacks, but staying a step ahead.
If a cybercriminal compromised your Microsoft 365 account today, would your business notice in time?
With Business Email Compromise rising sharply across New Zealand, the difference between resilience and risk is action.
Contact NSP today to review your defences and protect your business from becoming the next statistic.
BEC is when attackers compromise a legitimate business email account and use it to trick others into sharing sensitive data, making payments, or clicking malicious links.
Because Microsoft 365 is widely used in New Zealand, attackers know compromising these accounts gives them access to trusted communication channels and sensitive business data.
Look for unusual requests, suspicious URLs, unexpected file shares, or urgent language. Always verify directly by phone or in person before acting.
MFA significantly reduces risk, but attackers may still trick staff into clicking or sharing information. That’s why MFA must be combined with training and monitoring.
Immediately reset your password, notify your IT team or MSP, enable MFA, and review account activity for signs of further compromise.
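"Review account activity for signs of further compromise" is the step most teams find hardest to do by hand, and it is also what the earlier question ("would your business notice in time?") turns on. The following is an added example, not NSP's or Microsoft's code, showing the kind of review a monitoring team runs over sign-in records: it learns which countries each user normally signs in from during a baseline period, then flags later successful sign-ins from a country never seen before, sign-ins that succeeded without MFA, and two sign-ins from different countries too close together to be the same person travelling. The records are constructed and deliberately simplified (an assumption: real Microsoft 365 sign-in logs carry many more fields); review_sign_ins and its field names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (assumption: only the fields this
# review needs; real Microsoft 365 sign-in logs are far richer).
SIGN_INS = [
    {"user": "ana@example.com", "time": "2025-08-11T08:02:00", "country": "NZ", "mfa": True,  "success": True},
    {"user": "ana@example.com", "time": "2025-08-12T08:10:00", "country": "NZ", "mfa": True,  "success": True},
    {"user": "ana@example.com", "time": "2025-08-18T09:15:00", "country": "NZ", "mfa": True,  "success": True},
    # Constructed compromise: a password-only sign-in from abroad 85 minutes later.
    {"user": "ana@example.com", "time": "2025-08-18T10:40:00", "country": "DE", "mfa": False, "success": True},
    {"user": "ben@example.com", "time": "2025-08-11T07:55:00", "country": "NZ", "mfa": True,  "success": True},
    {"user": "ben@example.com", "time": "2025-08-18T07:58:00", "country": "NZ", "mfa": True,  "success": True},
    # A failed attempt is not a compromise; it is left out of the findings below.
    {"user": "ben@example.com", "time": "2025-08-18T11:00:00", "country": "AU", "mfa": True,  "success": False},
]


def review_sign_ins(records, review_start, travel_window=timedelta(hours=2)):
    """Return findings for successful sign-ins at or after review_start.

    Sign-ins before review_start build each user's baseline of usual countries.
    A sign-in in the review window is reported if any of these hold:
      - the country has never appeared in that user's baseline;
      - MFA was not satisfied (password alone was enough);
      - the user's previous successful sign-in was from a different country
        less than travel_window earlier (physically implausible travel).
    A user with no baseline at all gets every sign-in reported, which is the
    safe default for a newly created or rarely used account.
    """
    start = datetime.fromisoformat(review_start)
    ordered = sorted(records, key=lambda r: r["time"])
    baseline = defaultdict(set)   # user -> countries seen before the review window
    last_success = {}             # user -> (time, country) of latest successful sign-in
    findings = []

    for r in ordered:
        if not r["success"]:
            continue
        t = datetime.fromisoformat(r["time"])
        user, country = r["user"], r["country"]

        if t < start:
            baseline[user].add(country)
        else:
            reasons = []
            if country not in baseline[user]:
                reasons.append(f"first successful sign-in from {country}")
            if not r["mfa"]:
                reasons.append("password-only sign-in (MFA not satisfied)")
            prev = last_success.get(user)
            if prev and prev[1] != country and t - prev[0] <= travel_window:
                reasons.append(f"{prev[1]} then {country} within {t - prev[0]}")
            if reasons:
                findings.append({"user": user, "time": r["time"],
                                 "country": country, "reasons": reasons})

        last_success[user] = (t, country)

    return findings


if __name__ == "__main__":
    for f in review_sign_ins(SIGN_INS, "2025-08-18T00:00:00"):
        print(f"{f['user']} at {f['time']} from {f['country']}:")
        for reason in f["reasons"]:
            print(f"  - {reason}")
```

Running this over the constructed records reports exactly one event, ana's 10:40 sign-in, for all three reasons at once. That convergence is the useful signal for an on-call analyst: any single rule fires on legitimate travel or a mis-enrolled MFA device now and then, but a password-only sign-in from a never-seen country shortly after a normal one is the pattern that should trigger the password reset and MFA enforcement described above.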