Dayna-Jean Broeders
17 December 2025
Last quarter, New Zealand businesses lost $12.4 million to cybercrime. That's not a typo and it's not even the scary part.
The scary part? Most of it happened through something we all use every single day: email.
Between July and September 2025, the NCSC recorded financial losses of $12.4 million, a 118% jump from the previous quarter's $5.7 million. Before you think "that's just a few big companies," let me stop you. They received 1,249 incident reports from individuals, businesses, and organisations across the country.
This isn't happening to other people. It's happening to people like you.
Here's the pattern we're seeing over and over:
Someone gets access to a legitimate email account. Not a fake one, a real account that people trust. Then they wait, they watch, they learn how your business works, who pays what, and when invoices are due.
Then they strike. A fake invoice goes out, payment details get changed and money gets redirected to their account.
Mike Jagusch from the NCSC put it plainly: attackers gain access to email accounts and send fake invoices or change payment details to redirect payments.
Your finance team gets an email from what looks like your supplier: same email address, same tone, same format. Except the bank account number is different, and by the time anyone notices, the money's gone.
We hear this all the time: "We're not big enough to be a target."
Let us be blunt: that's wrong and it's expensive to be wrong about.
The NCSC triaged 110 incidents as potentially nationally significant this quarter, a 96% increase from Q2's 56 incidents. These weren't all massive corporates. Some were smaller organisations that happened to be in the wrong place at the wrong time.
The increase? Unauthorised access to email accounts and a general uptick in activity from financially motivated criminals.
Translation: They're getting better at this and they don't care how big you are.
Remember when you needed actual technical skills to be a cybercriminal? Yeah, those days are over.
Criminal groups now offer malware-as-a-service platforms that let people with no technical skills deploy malicious software. Think of it like Uber for cybercrime: you don't need to own a car to drive for Uber, and you don't need to code malware to deploy it anymore.
This isn't good news. It means the pool of potential attackers just got exponentially larger.
Let's look at what people reported:
| Incident Type | Reports | What It Means |
|---|---|---|
| Scams & Fraud | 446 reports | The most common threat. Over a third of all incidents. |
| Phishing & Credential Harvesting | 355 reports | They're after your passwords and access. |
| Employment Scams | 50% increase | Fake job offers, "remote work" cons, bogus partnerships. |
| Business Email Compromise | Multiple high-value cases | The big money maker. Your email is the target. |
Employment and business opportunity scams saw a 50% increase, often promising lucrative jobs, remote work, or investment partnerships.
I'm not going to give you a 47-point checklist. Here's what matters:
1. Verify payment changes in person or by phone. If someone emails you new bank details, pick up the phone. Call the number you already have on file, not the one in the email. Yes, even if it's your regular supplier.
2. Multi-factor authentication on email accounts. This is non-negotiable. If someone gets your password but can't get past the second authentication step, you just stopped a $12 million problem.
3. Train your team to spot the weird. That email from your CEO asking for an urgent payment at 7pm on a Friday? That's weird. Weird deserves a phone call to verify.
4. Assume compromise, not security. Stop asking "Could we get hacked?" Start asking "When we get compromised, how quickly will we know?"
5. Back up your data properly. When (not if) something goes wrong, backups are the difference between a bad day and a catastrophic month.
The cyber threat environment is evolving quickly, and criminals who lack advanced technical skills now have access to sophisticated tools.
This quarter's numbers aren't an anomaly. They're a trend, and trends don't reverse themselves; they accelerate until someone does something about it.
You can prepare for it.
The $12.4 million question is: will you?
Need help figuring out where your gaps are? We've been handling this stuff since cyber threats were just nerds in basements. Get in touch and we'll show you where you're actually vulnerable, not where a checklist says you should be.
Sources:
This article is based on data from the National Cyber Security Centre's Q3 2025 Cyber Security Insights report, covering incidents reported between 1 July and 30 September 2025.