7 BEC Scams That Prove Nonprofits Need Stronger Payment Controls
Nonprofits are prime BEC targets—see real attacks and what finance leaders must do to protect funds, data, and mission-critical operations.
Cybercrime is no longer just an IT problem—it’s a direct financial threat to businesses. Finance leaders are prime targets because they control the money. From ransomware extortion to fraudulent transactions, New Zealand companies have suffered major losses due to cyber threats.
The financial toll can be devastating, with attackers exploiting weak security measures, tricking employees into transferring funds, or outright stealing sensitive financial information. Below, we break down 10 real-world cases of cyber fraud, analysing how the attacks happened, their financial impact, and, most importantly, key takeaways for CFOs and finance teams to prevent similar losses.
In December 2015, cybercriminals impersonated a legitimate supplier and tricked the finance department into transferring $120,000 into a fraudulent bank account, a case that highlights the growing risk of Business Email Compromise (BEC) scams.
🚨 CFO Takeaway: Always verify bank detail changes via a secondary communication method (phone or in-person verification) before processing payments.
The construction industry isn’t immune to cyber fraud. Between January–March 2020, a director of ACK Contractors Limited exploited weaknesses in invoice verification processes, submitting fraudulent invoices that led to a loss of $668,000.
🚨 CFO Takeaway: Implement multi-person approvals for payments over a certain threshold to detect fraudulent transactions before money leaves your accounts.
Financial service companies are prime targets for cybercriminals. In July 2024, Squirrel, a well-known lending platform in New Zealand, suffered a serious data breach when hackers accessed financial details of 600+ customers.
🚨 CFO Takeaway: Secure financial records with strong access controls, regular security audits, and encrypted storage to prevent data exposure.
Even large institutions aren’t safe. In January 2021, a high-profile breach at the Reserve Bank occurred when a third-party service provider was compromised, leading to unauthorised access to financial and personal data of an unknown number of individuals.
🚨 CFO Takeaway: Vendor risk is your risk—audit third-party providers that handle financial data and ensure they meet strict cybersecurity standards.
In December 2023, one of the largest breaches affecting the automotive industry occurred when Nissan New Zealand saw 100,000 customers’ data exposed, putting them at risk of identity fraud and phishing attacks.
🚨 CFO Takeaway: Data breaches erode customer trust—regular security assessments and incident response planning are essential.
A New Zealand cleaning supply company was targeted in a BEC scam where fraudsters intercepted email communications and altered payment instructions. The company unknowingly transferred $50,000 to the attackers’ account.
🚨 CFO Takeaway: Establish protocols to verify payment instructions, especially when there are changes in banking details, through direct communication with the supposed recipient.
An office administrator in Christchurch admitted to embezzling $500,000 by manipulating payroll systems and creating fake invoices.
🚨 CFO Takeaway: Regular audits and segregation of duties are essential to detect and prevent internal fraud.
In June 2023, Elite Fitness, a leading New Zealand fitness equipment retailer, suffered a ransomware attack executed by the DragonForce group. The attackers claimed to have stolen 5.31GB of sensitive data, potentially exposing confidential company information and customer records. The breach led to business disruptions and raised concerns about data protection and cyber resilience in the retail sector.
🚨 CFO Takeaway: Regularly update and patch systems, back up critical data, and implement strong endpoint security to mitigate ransomware threats.
In December 2022, Mercury IT, a managed service provider in New Zealand, suffered a ransomware attack that had cascading effects across multiple businesses. The LockBit ransomware group claimed responsibility, disrupting operations for clients including health insurer Accuro and other professional services firms. The attack highlighted the risk businesses face from supply chain vulnerabilities and third-party service providers.
🚨 CFO Takeaway: Vendor security is your security—audit all third-party providers handling your data and critical operations.
In May 2021, the Waikato District Health Board (DHB) suffered a significant ransomware attack that crippled hospital systems across multiple facilities. The cybercriminals encrypted critical data, demanding a ransom for restoration. This attack led to cancelled surgeries, delayed treatments, and compromised patient information, affecting thousands of individuals. The financial impact included remediation costs and operational losses, though exact figures were not publicly disclosed.
🚨 CFO Takeaway: Ensure robust cybersecurity measures are in place, including regular system backups, network segmentation, and comprehensive incident response plans to mitigate the impact of ransomware attacks.
✔ Prioritise cybersecurity as a financial risk, not just an IT issue.
✔ Implement strict financial controls: Multi-person approval for payments, fraud detection tools, etc.
✔ Audit third-party vendors: If they handle financial data, they must meet security standards.
✔ Invest in cyber insurance: Many insurers won’t pay if your controls are weak.
✔ Train employees on fraud tactics: BEC scams and phishing attacks target finance teams first.
✔ Have a cyber incident response plan: Knowing how to react before a breach occurs minimises damage.
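The payment controls recommended in the takeaways above (verifying changed bank details through a second channel, multi-person approval above a threshold, segregation of duties) can be enforced as a release gate in a payment workflow. The Python below is an added example, not part of the original article; the threshold, field names, staff names and account numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

APPROVAL_THRESHOLD = 10_000  # assumed value; set to your own policy limit

@dataclass
class Payment:
    vendor_id: str
    amount: float
    bank_account: str
    requester: str
    approvers: list = field(default_factory=list)
    callback_by: Optional[str] = None  # who phoned the vendor on a number already on file

def _norm(account: str) -> str:
    """Compare accounts on digits only so formatting cannot hide or fake a change."""
    return "".join(ch for ch in account if ch.isdigit())

def release_blockers(p: Payment, vendor_master: dict) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    on_file = vendor_master.get(p.vendor_id)
    if on_file is None:
        reasons.append("vendor not in master file")
    elif _norm(p.bank_account) != _norm(on_file):
        if p.callback_by is None:
            reasons.append("bank details differ from master file, no call-back recorded")
        elif p.callback_by == p.requester:
            reasons.append("call-back must be done by someone other than the requester")
    # Segregation of duties: the requester never counts as an approver.
    independent = set(p.approvers) - {p.requester}
    needed = 2 if p.amount >= APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")
    return reasons

# Constructed sample data (vendor, staff names and account numbers are invented).
VENDOR_MASTER = {"V-1001": "01-0001-0000001-00"}
spoofed = Payment("V-1001", 120_000, "02-0002-0000002-00", "alice", ["alice", "bob"])
genuine = Payment("V-1001", 120_000, "01 0001 0000001 00", "alice", ["bob", "carol"])

if __name__ == "__main__":
    for name, pay in (("spoofed", spoofed), ("genuine", genuine)):
        print(name, release_blockers(pay, VENDOR_MASTER) or "release")
```

The gate reads bank details from the vendor master file rather than from the invoice or email, so an altered payment instruction is held until someone other than the requester records a call-back.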