NZFSG flags surge in stealth email scams hitting advice firms

Advisers told: check inbox rules before funds vanish

Financial advisers are being urged to review how they secure email accounts as business email compromise (BEC) campaigns grow harder to spot across the financial services sector.

NZFSG has sounded the alarm after detecting a noticeable uptick in account‑takeover attacks where criminals send phishing emails from real business inboxes, rather than spoofed addresses. The aim is to trick staff into handing over credentials, installing remote access tools, or approving fraudulent payments.

Between July and September, Kiwi organisations lost $12.4 million to cybercrime, mostly via email, as incidents jumped 118% in a single quarter.

“This is a serious and evolving threat,” said Laura Bennett, NZFSG’s principal security consultant. “When phishing emails are sent directly from a legitimate business email address, they appear authentic and trustworthy. That makes them far more dangerous. They’re deliberately designed to create urgency and prompt quick action.”

Recent incidents have involved compromised accounts blasting out messages about invoices or generic invitations such as “You’re Invited”, urging recipients to click on links or open files. Those links can redirect to fake login pages or silently launch malware, increasing the risk of data theft and financial loss.

Inbox caution and 2FA urged as BEC risk rises

The National Cyber Security Centre (NCSC) is tracking the activity and is calling on organisations, particularly in financial services, to scrutinise their email environments for any signs of compromise.

Key checks include reviewing auto‑forwarding rules (especially for accounts receivable), identifying any unexpected auto‑filtering rules, and analysing email access logs for unusual login patterns, including logins from unfamiliar or overseas IP addresses.
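The three checks above can be run as a simple triage pass over data exported from the mail platform. The script below is an added example written for this article, not NZFSG or NCSC tooling, and it is a stand-in for the platform's own admin console or reporting: it assumes inbox rules and sign-in events have already been exported into the generic, hypothetical field names used here (`mailbox`, `forward_to`, `move_to_folder`, `delete`, `user`, `time`, `ip`, `country`, `result`), and every record, address and IP in it is constructed sample data. It flags rules that forward outside the firm's own domain, rules that delete mail or move it into folders the owner is unlikely to look at, successful sign-ins from countries other than the expected one, two sign-ins from different countries within a short window, and a success that follows a run of failures from the same address.

```python
"""Mailbox triage for the checks listed above: external auto-forwarding rules,
filtering rules that hide mail, and sign-in logs with unfamiliar locations.

Added example, not NZFSG or NCSC tooling. It assumes the rules and sign-in
events have been exported from the mail platform into the generic, hypothetical
field names used here; every record below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OWN_DOMAIN = "example-advice.co.nz"  # constructed: the firm's own mail domain
EXPECTED_COUNTRIES = {"NZ"}          # assumption: staff normally sign in from NZ

# Folders a rule can move mail to where the mailbox owner is unlikely to look.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items"}

# Constructed inbox-rule export: one benign rule, one external forward of
# accounts mail, one rule that deletes mail into a rarely viewed folder.
INBOX_RULES = [
    {"mailbox": "accounts@example-advice.co.nz", "name": "Archive newsletters",
     "forward_to": [], "move_to_folder": "Newsletters", "delete": False},
    {"mailbox": "accounts@example-advice.co.nz", "name": ".",
     "forward_to": ["billing-sync@mail-relay.example"],
     "move_to_folder": None, "delete": False},
    {"mailbox": "jane@example-advice.co.nz", "name": "cleanup",
     "forward_to": [], "move_to_folder": "RSS Subscriptions", "delete": True},
]

# Constructed sign-in events (ISO timestamps, ISO country codes, documentation IPs).
SIGNIN_EVENTS = [
    {"user": "accounts@example-advice.co.nz", "time": "2024-08-12T08:55:00",
     "ip": "203.0.113.10", "country": "NZ", "result": "success"},
    {"user": "accounts@example-advice.co.nz", "time": "2024-08-12T09:40:00",
     "ip": "198.51.100.77", "country": "US", "result": "success"},
    {"user": "jane@example-advice.co.nz", "time": "2024-08-12T03:10:00",
     "ip": "192.0.2.5", "country": "DE", "result": "failure"},
    {"user": "jane@example-advice.co.nz", "time": "2024-08-12T03:11:00",
     "ip": "192.0.2.5", "country": "DE", "result": "failure"},
    {"user": "jane@example-advice.co.nz", "time": "2024-08-12T03:12:00",
     "ip": "192.0.2.5", "country": "DE", "result": "failure"},
    {"user": "jane@example-advice.co.nz", "time": "2024-08-12T03:13:00",
     "ip": "192.0.2.5", "country": "DE", "result": "success"},
    {"user": "jane@example-advice.co.nz", "time": "2024-08-12T08:30:00",
     "ip": "203.0.113.10", "country": "NZ", "result": "success"},
    {"user": "bob@example-advice.co.nz", "time": "2024-08-12T08:05:00",
     "ip": "203.0.113.11", "country": "NZ", "result": "success"},
]


def review_inbox_rules(rules):
    """Return one finding per rule that forwards outside the firm or hides mail."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule["forward_to"]
                    if not a.lower().endswith("@" + OWN_DOMAIN)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        if rule["delete"] or (rule["move_to_folder"] or "").lower() in HIDING_FOLDERS:
            reasons.append("deletes mail or moves it to a rarely viewed folder")
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "reasons": reasons})
    return findings


def review_signins(events, travel_window=timedelta(hours=2)):
    """Return (user, reason) pairs for successful sign-ins that look unusual."""
    findings = []
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_user[event["user"]].append(event)
    for user, user_events in by_user.items():
        last_success = None
        failures_from_ip = defaultdict(int)  # failed attempts seen per source IP
        for event in user_events:
            if event["result"] != "success":
                failures_from_ip[event["ip"]] += 1
                continue
            when = datetime.fromisoformat(event["time"])
            if event["country"] not in EXPECTED_COUNTRIES:
                findings.append((user, f"successful sign-in from {event['country']} "
                                       f"({event['ip']})"))
            if (last_success is not None
                    and last_success["country"] != event["country"]
                    and when - datetime.fromisoformat(last_success["time"]) < travel_window):
                findings.append((user, f"sign-ins from {last_success['country']} and "
                                       f"{event['country']} within {travel_window}"))
            if failures_from_ip[event["ip"]] >= 3:
                findings.append((user, f"success after {failures_from_ip[event['ip']]} "
                                       f"failures from {event['ip']}"))
            last_success = event
    return findings


if __name__ == "__main__":
    for finding in review_inbox_rules(INBOX_RULES):
        print(f"[rule] {finding['mailbox']} '{finding['rule']}': "
              + "; ".join(finding["reasons"]))
    for user, reason in review_signins(SIGNIN_EVENTS):
        print(f"[sign-in] {user}: {reason}")
```

Run as-is it reports the external forward on the accounts mailbox, the delete-to-RSS rule on Jane's mailbox, and four sign-in anomalies; in practice the two lists would be fed from the mail platform's rule and audit-log exports, and each flagged item confirmed with the mailbox owner before the rule is removed or the session revoked.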

Bennett is urging advisers to slow down when faced with anything out of the ordinary in their inbox.

“If you receive any email that seems unusual or out of character and even if the sender is someone you know, do not click any links or open any attachments,” she said. “Doing so could result in a malicious file being downloaded onto your device, potentially without your knowledge.”

NZFSG is advising its network to implement two‑factor authentication (2FA) as a baseline control, work closely with IT providers to monitor business email accounts, and contact both NZFSG and IT support immediately if they think they may have interacted with a suspicious message. Any confirmed or suspected incidents can also be reported to the NCSC.
