New Zealand’s National Cyber Security Centre (NCSC) has begun a large-scale email campaign warning tens of thousands of local users that their devices may be infected with information-stealing malware. The move comes as new data from BNZ indicates that many small and medium-sized enterprises (SMEs) are still engaging with scam attempts, despite reporting increased scam activity.
The NCSC, part of the Government Communications Security Bureau (GCSB), is sending notifications to about 26,000 email addresses, warning that devices linked to those accounts may be compromised by Lumma Stealer, a form of malicious software that typically targets Microsoft Windows systems.
Recipients are being directed to the NCSC’s Own Your Online website for information on how to remove the malware and for broader cyber security guidance, including steps to reduce the likelihood of credential theft and account takeover. NCSC chief operating officer Michael Jagusch said the software is designed “to steal sensitive information, like email addresses and passwords, from devices typically for the purposes of fraud or identity theft.”
The issue was identified through the NCSC’s cyber security partnerships. Jagusch said the centre has worked with New Zealand government agencies and financial institutions to reach some affected users before moving to a wider direct-contact approach. “However, there is a large group of users we are now contacting directly. This is the first time that we have conducted such a large-scale public outreach, and we want to assure recipients that the email from the NCSC is legitimate,” Jagusch said. To help distinguish the official message from phishing attempts, the NCSC has advised that its notification will come from no-reply@comms.ncsc.govt.nz.
The NCSC campaign focuses on household and individual users, while new research from BNZ suggests that similar behavioural vulnerabilities are present across the SME sector. According to the survey, 64% of SMEs say scam activity targeting their business has increased over the past year. At the same time, 45% do not treat scam or cyber education as a key priority, even though staff regularly handle email, payments, and customer information. BNZ reports that 50% of SMEs engaged with at least one scam attempt in the last 12 months by clicking a link, opening an attachment or replying to a scam message.
BNZ head of fraud operations Margaret Miller said scammers are focusing on weaknesses beyond technical systems. “Business owners are alert to the danger, but they are also time-poor and juggling multiple priorities. The reality is that scammers are becoming increasingly sophisticated in their tactics. Scammers know that breaking through technical security is difficult, so in many cases, they’re bypassing the technology entirely and targeting the person sitting at the keyboard. Business owners are generally doing well with technical defences like antivirus software and firewalls, but criminals are going around that, targeting the busy human at the desk who is clearing invoices or answering the phone,” Miller said.
Where scams resulted in successful breaches, the reported impacts extended beyond business accounts. Among SMEs that fell victim to an online scam, 21% incurred a business financial loss, 26% reported a personal financial loss, and 30% experienced data loss. Miller said: “For those that did suffer a financial hit, the average loss was just over $5,000. Scammers aren’t just after your business accounts. The data shows they are often successful in targeting personal finances or the business’s data, even if they don’t manage to steal money directly from the company accounts.”
BNZ’s findings indicate that, for the SMEs surveyed, social engineering and low-tech deception were more frequently reported than technically complex intrusions such as ransomware. Only 2% of businesses said they were targeted by ransomware. By comparison:
“Scammers prey on the fact that when we’re rushed, distracted, or juggling multiple things we’re more likely to act first and think later,” Miller said.
The survey also points to a gap between confidence and behaviour. While 53% of business owners rated themselves as “prepared” for a scam, BNZ found that 49% of those self-identified prepared businesses still engaged with at least one scam attempt.
BNZ has urged firms to strengthen both technical and human controls, including multi-factor authentication and dual-approval payment processes. “We’re investing heavily in systemic defences, but we also provide specific tools for businesses. This includes two-step authentication for logins, and the ability to require two separate approvals for any payment,” Miller said.
Miller added: “Technology is a vital layer of defence, but an educated team is just as important. When staff feel confident spotting the signs, they become the business’s best asset against scams and fraud. We encourage all business owners to use free resources to upskill their teams – whether that is through the Own Your Online platform operated by the National Cyber Security Centre, Netsafe, or the tailored scam information for businesses available on the BNZ website. It is one of the most effective ways to protect your business from financial loss.”
For the insurance sector, the NCSC’s Lumma Stealer outreach and the BNZ SME survey together point to a risk environment where technical defences coexist with significant human-factor vulnerabilities. Underwriting, pricing, and product design that reflect these patterns – along with services such as training, phishing simulations, and incident response support – are likely to remain central to how insurers engage with New Zealand clients on cyber and fraud risk.