Nearly half of New Zealand’s small and medium-sized businesses admit they struggle with scam education and cyber training. Yet half of SMEs engaged with a scam in the last year by clicking a link, opening an attachment, or replying to a scam message.
Of the SMEs that fell victim to an online scam, 21% suffered a business financial loss, 26% a personal financial loss, and 30% suffered data loss. The average loss for those SMEs that take a financial hit is just over $5,000.
64% of SMEs note an increase in scam activity in 2025, per BNZ’s SME scam survey. Still, 45% don’t consider cyber training a priority. Scammers will always find ways to exploit gaps, says Margaret Miller, BNZ Head of Fraud Operations.
She recognises that business owners know scams are dangerous but are also time-poor and juggle multiple priorities. “Scammers prey on the fact that when we’re rushed, distracted, or juggling multiple things, we’re more likely to act first and think later.”
“The reality is that scammers are becoming increasingly sophisticated in their tactics,” she says. “Scammers know that breaking through technical security is difficult, so in many cases they’re bypassing the technology entirely and targeting the person sitting at the keyboard.”
2% of SMEs faced a ransomware scam. Technology is improving, but classic deceptive tactics remain more prevalent than hyper-modern hacks. 27% of businesses were targeted by cold calls requesting sensitive company information, 17% faced bank impersonation attempts, and 10% encountered invoice scams involving altered bank details.
“Business owners are generally doing well with technical defences like antivirus software and firewalls, but criminals are going around that, targeting the busy human at the desk who is clearing invoices or answering the phone.”
Complacency is a huge hindrance. While 53% of business owners rated themselves as “prepared” for a scam, 49% of that same group still engaged with a scam attempt. This complacency is especially alarming when you consider that most business scams have a ripple effect beyond the firm itself.
“Scammers aren’t just after your business accounts. The data shows they are often successful in targeting personal finances or the business’s data, even if they don’t manage to steal money directly from the company accounts.”
What cyber-trained staff look like
Although technology is a vital layer of defence, Miller says an educated team is just as important. When staff feel confident in spotting the signs, they become the business’s best asset in combating scams and fraud.
Cyber-trained staff are vigilant and aware of common scam practices. They can identify common threats like phishing emails, suspicious links, attachments, and fake websites. They’re proactive when a breach is suspected and can follow the set-out incident response plan.
Ensuring staff follow secure practices is another line of defence. Staff should use strong, unique passwords with a password manager, enable multi-factor authentication, keep software updated, handle sensitive data securely (especially when working remotely) and avoid using personal devices like USB drives without IT approval.
Honing soft skills such as attention to detail, communication, and calm under pressure also enhances key technical skills, such as navigating systems and identifying vulnerabilities before they can be targeted. In time, the workforce will comprise even more confident, informed and responsible digital citizens.
“We encourage all business owners to use free resources to upskill their teams - whether that is through the Own Your Online platform operated by the National Cyber Security Centre, Netsafe, or the tailored scam information for businesses available on the BNZ website. It is one of the most effective ways to protect your business from financial loss.”