When your loss is their gain: What fraud can look like and how to avoid it

It’s hard to imagine that you could fall victim to business fraud. That happens to other people, right? People who are unlucky or less careful? Not necessarily. We present three recent examples of fraud, along with tips on how to protect your business against cyberattack, spear-phishing and false invoices.

Time to read: 4 mins


More and more cyberattacks are targeting New Zealand businesses. An attacker can target you or your IT supplier’s systems to lock down or steal your data and prevent you accessing your systems. CERT NZ responded to 1,968 cyber security incidents in Q1 2023, up 12% from Q4 2022. Direct financial losses were up 66% to $5.8 million.

Last year a New Zealand business lost its operational IT systems, customer-facing website, payroll systems and employee data when the business that looked after its IT was attacked. Back-ups were also compromised, so no data recovery was possible. Staff and contractors spent hundreds of hours rebuilding the information and systems, and dealing with the disruption to the business.

What can you do to protect your business from cyberattack?

  • Keep regular back-ups entirely separate from your main systems, so they can be restored in the event of an attack.
  • Invest in good, quality cybersecurity measures that are proportionate to your risks. Two-factor authentication is one example of an easy and effective safeguard.
  • This is a fast-moving and specialist area, so get expert advice. Also report any suspicious activity or attacks to CERT NZ straight away.
  • Consider insuring against cyberattack. The cost of recovery can be substantial.


A “spear phishing’’ attack is highly targeted and can seem credible enough to fool even careful staff who are alert to fraud risks. The fraudster may already know enough information about the business and individual being targeted to make a plausible request.

Last year a New Zealand charity administrator was targeted with an email, supposedly from the Chief Executive, asking them to buy gift cards to be used as competition prizes. The request was urgent and there was no time for the usual processes and approvals. The staff member did as asked, forwarding the serial numbers of the gift cards by return email. Sadly, it was a scam and $500 was irrecoverably lost.

How can you protect yourself from spear-phishing?

  • If you receive an unusual request, confirm it with the person who purportedly sent the email. Do this without replying to the original message, which might be a scam, and instead phone or text them to check.
  • As a leader in your business, don’t make a habit of circumventing internal controls and processes for convenience. An apparent request from you to bypass approvals should set alarm bells ringing. If you routinely bypass controls, a scammer’s request might seem like something you could have sent.

False invoices

This one’s an oldie, but still a favourite of fraudsters. By creating fake invoices or changing supplier details on real invoices, scammers can obtain payments from businesses for goods and services they haven’t provided. Sometimes the perpetrator is a staff member, sometimes a stranger. These types of fraud can be extremely expensive and devastating for staff morale if they continue for a long period undetected.

A charity worker appeared in court in Wellington in June 2023 accused of misappropriating more than $1 million through fake supplier invoices and direct payments from the charity’s bank account. The timing of the losses coincided with rapid growth in activity for the charity, which saw revenue and spending increase four-fold over a two-year period. Those periods of change can be risky for businesses because there is more opportunity for fraudsters, and unusual spending might be harder to detect.

How can you protect against false invoicing?

  • Enforce segregation of duties so that no one staff member can authorise spending without another colleague’s oversight.
  • Contact your local Baker Tilly Staples Rodway advisor to discuss whether your controls remain fit-for-purpose.
  • Protect supplier data in your payments system. Any change in a supplier’s bank account should be checked directly with the supplier.
  • Consider checking periodically whether any of your suppliers have the same banking or contact details as any of your staff.
  • Closely check outcomes against your budget and spending – are you seeing the results of your regular subscriptions and purchases?

Our trusted advisors can help

If you feel like there could be vulnerabilities in your IT system, our IT team can provide cyber security, technology advisory, disaster recovery reviews, day-to-day support and more.

Businesses face all kinds of risks and we provide risk management and assurance services to ensure that they are identified and managed in the most effective way. Call us today if we can assist!

DISCLAIMER No liability is assumed by Baker Tilly Staples Rodway for any losses suffered by any person relying directly or indirectly upon any article within this website. It is recommended that you consult your advisor before acting on this information.

Sign up to our newsletter

Thanks for signing up!

Our website uses cookies to help understand and improve your experience. Please let us know if that’s okay by you.

Cookies help us understand how you use our website, so we can serve up the right information here and in our other marketing.