Half of New Zealand’s small and medium sized businesses have responded to a scam attempt in the last year while nearly 50% admit they struggle to prioritise scam education and cyber training for staff.

New research released today from BNZ’s small and medium-sized enterprise (SME) scam survey shows a concerning gap in scam defences deployed in small and medium sized businesses.

While 64% of SMEs say scam activity has increased in the past 12 months, 45% do not consider cyber education a key priority.

This disconnect has raised concerns that staff in these businesses are being targeted as the new frontline in the battle against scammers.

The survey reveals 50% of businesses engaged with a scam in the last year by clicking a link, opening an attachment, or replying to a scam message.

BNZ head of fraud operations Margaret Miller said scammers would always find ways to exploit gaps.

“Business owners are alert to the danger, but they are also time-poor and juggling multiple priorities. The reality is that scammers are becoming increasingly sophisticated in their tactics,” Miller said in a statement.

“Scammers know that breaking through technical security is difficult, so in many cases they’re bypassing the technology entirely and targeting the person sitting at the keyboard.

“Business owners are generally doing well with technical defences like antivirus software and firewalls, but criminals are going around that, targeting the busy human at the desk who is clearing invoices or answering the phone.”

The $5000 blow to cash flow

For those businesses where a scam attempt turns into an actual breach, the consequences can be significant, Miller said.

Of the SMEs that fell victim to an online scam, 21% suffered a business financial loss and 26% a personal financial loss, while 30% suffered data loss.

“For those that did suffer a financial hit, the average loss was just over $5,000,” Miller said.

“Scammers aren’t just after your business accounts. The data shows they are often successful in targeting personal finances or the business’s data, even if they don’t manage to steal money directly from the company accounts.”

Cold calls and fake invoices on the rise

Contrary to the popular narrative of complex cyber-attacks, the data shows businesses are far more likely to be targeted by “old school” deception than high-tech hacks.

While only 2% of businesses were targeted by Ransomware for example, traditional deception and social engineering scams were much more prevalent:

- 27% of businesses were targeted by cold calls requesting sensitive company information

- 17% faced bank impersonation attempts

- 10% encountered invoice scams involving altered bank details

“Scammers prey on the fact that when we’re rushed, distracted, or juggling multiple things, we’re more likely to act first and think later,” Miller said.

The findings highlight the risk of complacency. While 53% of business owners rated themselves as “prepared” for a scam, the data shows 49% of that same group still engaged with a scam attempt.

BNZ urged businesses to use the bank’s tools to close the gap between technology and human behaviour.

“We’re investing heavily in systemic defences, but we also provide specific tools for businesses. This includes two-step authentication for logins, and the ability to require two separate approvals for any payment,” Miller said.

“Technology is a vital layer of defence, but an educated team is just as important. When staff feel confident spotting the signs, they become the business’s best asset against scams and fraud.

“We encourage all business owners to use free resources to upskill their teams -whether that is through the Own Your Online platform operated by the National Cyber Security Centre, Netsafe, or the tailored scam information for businesses available on the BNZ website.

“It is one of the most effective ways to protect your business from financial loss.”