A Cyber Minefield for New Zealand Businesses

As we step into FY26, one truth is clearer than ever: cybercrime is no longer a distant threat - it’s hitting Kiwi businesses hard and fast. With attacks growing more sophisticated and costly by the day, business leaders must treat cybersecurity as a strategic priority, not a back-office function. The new financial year is the perfect time to reset, refocus and build resilience - before it’s too late.

NZI’s incident response provider has flagged a trend where cyber criminals are bypassing Multi-Factor Authentication (MFA) using advanced phishing tactics like Adversary in the Middle (AiTM). These attacks trick users into handing over credentials by mimicking trusted platforms like OneDrive or SharePoint, then exploiting that trust to spread malware or steal data.

Scammers may pose as an insurance company or bank, calling businesses about ‘suspicious transactions’ and directing them to fake support sites. There, users are duped into downloading remote access tools. It only takes a few steps for attackers to gain access and quickly transfer funds offshore.

Some NZI customers have been hit hard. Meg Warner, Executive Manager Broker & Specialist Claims, has seen a noticeable rise in cyber claims over the past year. She stresses that cyber-attacks don't discriminate by industry including recent examples from retail, financial services, real estate, engineers, schools, through to plumbers and electricians.

Our in-house cyber insurance expert, Andy Beven, warns that as cyber threats evolve, so do the tactics. One of the more sophisticated attacks we’re seeing is the AiTM attack (explained below):

• A fake login page mimics a trusted site
• The employee logs in, unaware the attacker is intercepting the session
• Session cookies are stolen, allowing attackers to bypass MFA
• Tip: Always check browser URLs before logging in. If it looks off, don’t proceed.

Hitting businesses in the pocket

CERT NZ’s most recent insights are sobering:

• 1,369 cybercrime incidents reported in Q1 2025
• $7.8m in losses - a 14.7% increase from the previous quarter
• $46M in direct financial losses over the past two years.

Assessing your cyber vulnerabilities

NZI’s nationwide risk team delivers tailored solutions to help protect businesses. It’s worth noting that all NZI Cyber Ultra customers have access to a 1-hour complimentary pre-loss consultation in each period of insurance. We can also provide customers with a Cyber Vulnerability Assessment through our partner, UpGuard.

This assessment identifies risks across your website and digital assets, helping you and your IT provider prioritise security improvements and reduce the risk of a cyberattack.

Talk to your broker to see how UpGuard’s ‘Always On’ technology can help safeguard your business.

Tips to boost your cyber defences:

• Use advanced MFA to block phishing
• Set conditional access rules for trusted devices and locations
• Encourage staff to pause before clicking suspicious links
  
•  Watch for unusual sign-ins or mailbox activity
• Invest in anti-phishing tools that scan emails and websites.

If you have cyber concerns, please contact your broker. If you think you’ve been targeted, contact the New Zealand Police (105) or report it here.