Date posted: 02/10/2023

Why business email compromise is a real threat to New Zealand businesses

Business email compromise is a rich source of valuable data – and payment fraud opportunities – for cybercriminals. Brought to you by Wotton + Kearney.

In Brief

  • Cybercriminals can access business email accounts via phishing emails. Once they are in an account, they can wait and search for opportunities to steal data or commit payment fraud.
  • Payment fraud from business email compromise may only be detected weeks later and it may be impossible for banks to recall the stolen funds.
  • Every business should have regular staff training in cybersecurity, and a breach response team backed up with cyber insurance.

Business email compromise has been the subject of many a ‘businesses beware’ article, but it remains a very common type of cybersecurity breach. And it can result in extended, damaging disagreements regarding the liability for lost funds.

Business email compromise occurs when a fraudulent actor gains access to a business email account, often via a phishing email that contains a malicious link. The cybercriminal can then sit in the compromised account for hours, days or even months to monitor opportunities for financial gain. This usually takes the form of payment fraud – identifying live transactions and sending correspondence to convince an employee or customer to make payment into a fraudulent account – or of finding and using valuable personal information in emails.

In the case of payment fraud, it can be weeks before the fraud is identified. By this point, banks cannot guarantee a successful recall of the funds. If there have been numerous successful attempts at payment fraud, the figures involved can be eye-watering.

Cybercriminals target professional services

Fraudulent actors are also becoming more sophisticated, and professional service firms and financial advisers are targeted as sources of information that can readily facilitate fraud.

Adversary-in-the-middle (AiTM) attacks, where attackers intercept communications between two systems (for example, through a phishing site posing as a legitimate login page), are becoming increasingly common. Cybercriminals can use these techniques to bypass multifactor authentication and other popular cybersecurity controls.

There is increased regulatory focus on cybersecurity, following large-scale ransomware attacks in both New Zealand and further afield. This will naturally have a flow-on effect to how regulators approach privacy incidents in New Zealand, be it a ransomware attempt or business email compromise. Depending on the outcome of any forensic investigation, agencies must consider the notification obligations arising under the Privacy Act, as well as any applicable professional obligations that may require informing clients or other third parties.

How should you respond to business email compromise?

Having a cyber breach response team in place is key and your cyber insurance policy will likely provide for engagement of experts to assist you. A typical business email compromise response will usually involve privacy counsel, IT forensics and crisis communications expertise. Acting quickly can mitigate further loss to you and your clients.

The Office of the Privacy Commissioner advocates that a response should broadly follow the steps set out on its website. Businesses need to try to contain the breach, assess the extent of the incident, notify impacted individuals and regulators, and prevent any further loss or recurrence.

What can finance professionals do now?

Taking proactive steps to lessen the risk of business email compromise occurring is best practice. This includes:

1. ensuring multifactor authentication is implemented on all your business email accounts

2. training staff to identify phishing and other suspicious correspondence, and encouraging staff to follow payment procedures at all times

3. reviewing your cyber insurance cover to ensure you have support in place, should your business become a target.

Talk to your insurance broker

We recommend you contact your insurance broker to help you understand and manage your exposure to potential cyber risks and arrange the appropriate cyber insurance. It is important to regularly review business risks with your insurance broker to ensure ongoing protection against increasingly sophisticated cyberattacks.

New Zealand insurance broker Gallagher (formerly Crombie Lockwood) is a CA ANZ Member Benefits Partner. Visit ajg.co.nz/charteredaccountants to find out more.


© Wotton + Kearney 2023 This publication is intended to provide commentary and general information. It should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this publication. Company no 3179310. Regulated by the New Zealand Law Society.