Cyber Threats | CyberCover Team | 6 min read | 10 February 2026

Business Email Compromise: NZ's Most Common Cyber Claim Explained

Business Email Compromise: NZ's Most Costly Cyber Threat

Business email compromise (BEC) — also called social engineering fraud — is consistently the most common and costly cyber claim made by NZ businesses. It accounted for the majority of cyber incidents in 2025 and doesn't require any sophisticated hacking: it relies entirely on human deception.

How BEC Attacks Work

A BEC attack typically follows a predictable pattern:

  • Reconnaissance — attackers research your business, identifying key contacts, suppliers, payment processes and executives through public information, LinkedIn and previous email breaches
  • Impersonation — attackers send emails appearing to come from a trusted party: your CEO, a key supplier, your bank, or a lawyer involved in a transaction
  • Urgency and deception — the email creates urgency: "urgent payment required", "bank account change effective immediately", "confidential — do not discuss"
  • Payment diversion — staff, believing the request is legitimate, transfer funds to a fraudulent account

Common BEC Scenarios in New Zealand

The most common BEC attacks on NZ businesses include: CEO fraud (impersonating executives to request urgent transfers), supplier invoice fraud (fake invoices with redirected bank accounts), conveyancing fraud (intercepting property purchase payments), and trust account attacks (targeting lawyers and real estate agents).

Why Human Error is Hard to Prevent

Sophisticated BEC emails are often near-impossible to distinguish from legitimate communications. They may use a compromised legitimate email account (making them technically genuine), reference real transaction details obtained through research, and be timed to coincide with legitimate business activity. Even trained and vigilant staff can be deceived.

Does Cyber Insurance Cover BEC?

This is critical: BEC cover varies significantly between policies. Some policies include social engineering fraud (cyber crime) as standard, while others exclude it or offer it only as an optional add-on. Given BEC is NZ's most common cyber loss, always confirm with your broker that your policy explicitly covers social engineering fraud, and check the sub-limit — some policies cap this cover at a lower amount than the overall policy limit.

Prevention Tips

While insurance provides the financial safety net, prevention remains important. Key steps include: implementing a dual-authorisation process for any payment over a set threshold, calling back to a known number to verify any payment change request, training staff to verify urgent payment requests through a separate channel, and implementing email authentication (DMARC, DKIM, SPF) to reduce impersonation.
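
An added example (not CyberCover's code) that combines the signals described in this article into a mail-triage check: the DMARC verdict from the Authentication-Results header, a Reply-To domain that differs from From, and the urgency and bank-account-change wording quoted above. The function names, phrase list, domains and sample messages are constructed for illustration, and it assumes your mail gateway writes a trustworthy Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Urgency phrases taken from the examples in this article; extend for your own mail.
URGENCY = ("urgent payment", "effective immediately", "do not discuss")
_DETAILS = r"(bank account|account number|payment details)"
PAYMENT_CHANGE = re.compile(
    _DETAILS + r".{0,60}(chang|new|updat)|(chang|new|updat)\w*.{0,60}" + _DETAILS, re.S)

def domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts. Assumes your own gateway strips inbound
    Authentication-Results headers and adds its own, so the value is trusted."""
    header = " ".join(msg.get_all("Authentication-Results") or [])
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def triage(raw):
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    flags = []
    if auth_results(msg).get("dmarc") != "pass":
        flags.append("dmarc-not-pass")
    reply_to = domain(msg.get("Reply-To"))
    if reply_to and reply_to != domain(msg.get("From")):
        flags.append("reply-to-domain-mismatch")
    if any(phrase in text for phrase in URGENCY):
        flags.append("urgency-language")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-detail-change")
    # A compromised genuine mailbox passes DMARC, so a payment-detail change
    # alone is enough to require a call-back to a known number.
    callback = "payment-detail-change" in flags or len(flags) >= 2
    return {"flags": flags, "needs_callback": callback}

# Constructed sample messages (not real mail).
SPOOFED = ("From: Jane Doe <jane@acme.example>\nReply-To: jane@acme-pay.example\n"
           "Authentication-Results: mx.acme.example; spf=fail; dkim=none; dmarc=fail\n"
           "Subject: Urgent payment required\n\nPay today. Confidential - do not discuss.\n")
COMPROMISED = ("From: accounts@supplier.example\n"
               "Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass\n"
               "Subject: Invoice 1042\n\nOur bank account has changed effective immediately.\n")
ROUTINE = ("From: sam@acme.example\n"
           "Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass\n"
           "Subject: Meeting notes\n\nSee you Thursday.\n")
```

The second sample passes SPF, DKIM and DMARC yet is still routed to call-back verification, which is the compromised-account case described under "Why Human Error is Hard to Prevent".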

About the Author

CyberCover Team — the CyberCover crew are self-confessed insurance geeks on a mission to make cyber cover simple, accessible and jargon-free for businesses of every size.
