Multiple NZ Companies Compromised: The BEC Attack We’re Seeing Right Now

This Isn’t Standard Phishing. This Is Far More Dangerous.

Over the past week, we’ve received multiple reports from our clients about suspicious emails that looked completely legitimate. When we investigated, we discovered something alarming: these emails were coming from real New Zealand companies whose email accounts had been compromised by criminals.

Real person. Real email address. Real email account. Everything looked completely authentic because it WAS authentic.

Except the actual person didn’t send it. Criminals did.

Their email accounts have been compromised, and attackers are using them to target everyone in their contact lists—including our clients and potentially your business.

If these sophisticated attacks are fooling experienced business owners, they can fool anyone.

Why This Is The Most Dangerous Cyber Threat Right Now

This isn’t a fake email that spam filters can catch. These attacks involve:

• ✅ Legitimate companies (real NZ businesses)
• ✅ Real email addresses (actual employee accounts)
• ✅ Pass all authentication (SPF, DKIM, DMARC all valid)
• ✅ Sent from their actual email servers
• ✅ Appear in existing email threads (attackers read conversation history)
• ✅ Professional formatting and branding
• ❌ Not sent by the real person – sent by criminals who hijacked their account

How Scammers Use AI to Perfect Their Attacks

Business Email Compromise scammers are now weaponizing artificial intelligence to make their attacks virtually undetectable. Here’s how AI has become their secret weapon:

• Voice and Writing Style Cloning: AI analyzes previous emails, social media posts, and communications to perfectly mimic your CEO’s writing style, tone, and common phrases. It can even replicate their typical sign-offs and email formatting.
• Flawless Grammar and Spelling: Gone are the days of obvious spelling errors and broken English. AI produces impeccably written emails with perfect grammar, making them indistinguishable from legitimate business correspondence.
• Context-Aware Content: AI scrapes LinkedIn, company websites, and public records to reference real projects, actual employee names, and current business initiatives—making the email feel authentic and timely.
• Personalization at Scale: Scammers can generate hundreds of customized emails simultaneously, each one tailored to specific targets within your organization, dramatically increasing their success rate.
• Real-Time Adaptation: If you respond with questions, AI can generate convincing follow-up responses that address your concerns and maintain the deception throughout an entire email thread.
• Deep Fake Voice Technology: Beyond email, scammers now use AI to clone voices for phone calls, making urgent payment requests sound exactly like your boss or trusted vendor.

Who Are Scammers Impersonating?

BEC scammers carefully choose their targets to maximize trust and urgency. They commonly impersonate:

• Company Executives (CEO, CFO): The most common target—emails appear to come from senior leadership requesting urgent wire transfers or sensitive information.
• Your Bank or Financial Institution: Fake emails claiming there’s a security issue with your account or requesting verification of recent transactions.
• Your Accountant or Bookkeeper: Especially dangerous during tax season or year-end closing, requesting changes to payment details or access to financial systems.
• Trusted Business Partners or Vendors: Long-standing suppliers suddenly requesting payment to a “new bank account” due to a system upgrade.
• Legal Counsel or HR Department: Creating urgency around compliance issues, legal matters, or confidential employee situations.
• IT Department or Tech Support: Requesting password resets, system access, or clicking links to “verify your account.”

The key to their success? These are all people you trust implicitly and would normally act quickly to help.

The Real Emails Our Clients Received

Here’s what made these attacks so convincing:

The Setup:

• Invitations to participate in bidding processes
• Professional formatting with company branding
• Real contact details and physical addresses
• Proper business language and tone
• Plausible scenarios (tender/bid invitations, document sharing)
• Time pressure: “Bid due in 4 days, confirm within 24 hours”

The Hook:

• “All project drawings and documents are available for download through our secure link below”
• Links to what appeared to be legitimate tender management platforms
• Professional document sharing portals

The Deception:

• Links led to professional-looking sites that resembled common tender/proposal software
• Many tender platforms use third-party domains recipients may not recognize (BuildersLink, TenderLink, etc.)
• Sites looked completely legitimate with proper branding and layout
• The red flag only appeared AFTER entering an email address
• Sites then asked for a PASSWORD to “verify identity” and access documents

But by this point, many recipients would have already:

• Trusted the email source (legitimate compromised account from a known company)
• Trusted the website appearance (professional design)
• Felt time pressure (deadline approaching)
• Been in “task completion mode” (just trying to access the documents)

Fortunately, our clients reached out to verify before entering credentials. That’s exactly the right response.

How Did This Happen?

Based on our investigations, the compromised companies likely had employees who:

• Clicked a phishing link and entered credentials
• Had their password compromised in a data breach
• Used weak or reused passwords across multiple platforms
• Didn’t have multi-factor authentication enabled

Now attackers have:

• ✅ Full access to their email accounts
• ✅ Their entire contact lists (hundreds or thousands of businesses)
• ✅ Historical emails to reference for context and authenticity
• ✅ Ability to send “legitimate” emails to everyone they know
• ✅ Access to confidential business information

What The Attackers Want

When someone enters their email and password on these fake sites, the victim has just:

• Given attackers access to their email account
• Handed over their entire contact list
• Allowed criminals to read all their historical emails
• Potentially given access to other accounts (if passwords are reused)
• Enabled the attack chain to continue using their account as the next attack vector

One compromised account becomes ten, becomes a hundred, becomes a thousand.

The Devastating Ripple Effect in NZ

When one NZ business gets compromised, we see:

• Their customers receiving fake invoices with changed bank details
• Their suppliers getting fraudulent purchase orders
• Their partners receiving credential harvesting attacks
• Their employees becoming the next victims
• Every business in their network becoming a target

Based on industry data and our client experiences, New Zealand businesses are losing:

• $50,000 – $500,000+ in direct theft
• Customer trust and long-term contracts
• Regulatory compliance standing
• Months of productivity recovering from breaches
• Reputation in their industry

And it’s spreading rapidly across New Zealand.

Critical Defence Strategies

What To Do If You Think You’ve Entered Your Password

Immediate actions (DO THIS NOW – first 5 minutes):

• Change your email password IMMEDIATELY from a different device
• Use a computer/phone you’re CERTAIN is clean
• Change it to something completely different
• Make it strong and unique
• Enable MFA on your email account RIGHT NOW if not already enabled
• Disconnect the device you used from your network (WiFi off, ethernet unplugged)
• Contact your IT provider immediately – don’t wait, call now (we’re available 24/7)

Next steps (first 30 minutes):

• Change passwords for ALL accounts that use the same or similar passwords
  • Banking and financial accounts
  • Accounting software
  • Any business-critical systems
  • Personal accounts that share the password
• Check your email sent items and deleted items for unauthorized activity
• Alert your manager/business owner
• Alert your bank – put them on high alert for suspicious activity

Following 24 hours:

• Full security scan of the device used (likely needs professional cleaning/reimaging)
• Monitor ALL accounts for suspicious activity
• Check for email forwarding rules – attackers often create hidden forwarding rules to maintain access
• Notify your contacts that your email may have been briefly compromised
• File a report with CERT NZ (cert.govt.nz)
• Work with your IT provider to review email logs and assess what was accessed

The Bigger Picture: BEC Is Exploding in NZ

The attacks we’re seeing are part of a much larger trend affecting businesses across New Zealand.

Recent data:

• Business Email Compromise attacks up 300%+ in the last 12 months
• Average loss per incident: $50,000 – $500,000
• Small to medium businesses are prime targets (easier to compromise, often less security infrastructure)
• Most attacks go unreported due to embarrassment
• Recovery takes 3-6 months on average

This is a national crisis for New Zealand businesses, and it’s accelerating.

Real-World NZ Impact

Across our client base and the wider NZ business community, we’re seeing:

• Construction companies losing hundreds of thousands to fake invoice payment redirects
• Law firms having client data stolen and held for ransom
• Accounting firms with compromised accounts used to steal from their clients
• Manufacturing businesses having their supply chains disrupted
• Service companies losing customer trust after data breaches

No industry is immune. Company size doesn’t matter. It’s happening to everyone.

Our Commitment to Protecting NZ Businesses

As your MSP partner, we’re:

• 🛡️ Monitoring for these attacks in real-time across our client base
• 🛡️ Implementing advanced threat protection across your systems
• 🛡️ Conducting regular security awareness training
• 🛡️ Available 24/7 to help verify suspicious emails
• 🛡️ Providing rapid incident response when attacks occur
• 🛡️ Keeping you informed about emerging threats affecting NZ businesses

Take Action Today – Not After An Attack

Immediate Steps (Do This Week):

Have Questions Right Now?

The Bottom Line

When real email accounts get hijacked, there’s no technical solution that can save you. Only human vigilance combined with proper security measures.

The attacks we investigated this week demonstrate that even sophisticated, legitimate-looking emails from real companies can be dangerous. The difference between being protected and being a victim often comes down to:

• One phone call to verify
• Recognizing that NO legitimate site asks for your email password
• Having MFA enabled
• Having a plan when something seems suspicious
• Acting immediately if credentials are compromised

Don’t wait until you’re the victim trying to explain to customers why their money went to criminals.