With financial crime, email-based attacks and invoice fraud rising, particularly amongst SMEs where controls are lighter, accountants and business advisors are uniquely placed to help clients fortify themselves. Recent analysis shows this is a growing concern for New Zealand businesses, and it is one we take very seriously. As your partners, we see it as our duty to help you protect the business you have worked so hard to build.

The trend: simple tactics, significant losses

The most common and effective attacks we see are not always technically complex. Social engineering – which includes phishing, payment diversion, and impersonation scams – is the dominant threat for New Zealand’s SMEs. These tactics exploit human trust rather than sophisticated software vulnerabilities.
A common weakness we find is the way businesses handle changes to payment details. Many SMEs do not have a process to verify a change of bank account details through a separate, independent channel. A simple, friendly email that appears to be from a trusted supplier requesting an update to their bank account is often all it takes for a fraudster to divert thousands of dollars.

Why this is a critical issue for your business

For most SMEs, there isn’t a dedicated internal audit team constantly reviewing financial controls. This makes you a prime target. The impact of even one successfully diverted payment can be severe, hitting your cash flow and profitability hard.
From a financial management perspective, these incidents create significant risk. They can lead to mis-posted expenses, a direct loss of cash, and even regulatory scrutiny. This is not just an IT problem; it is a fundamental business risk that requires a direct response from leadership.

Controls you should adopt now for 2026

Building resilience doesn’t require a huge investment; it requires a shift in mindset and process. As you plan for the coming year, here are some key controls we recommend putting in place:

  1. Payment verification protocols: make it mandatory for any change to a supplier’s bank account details to be verified by an independent method, such as a phone call to a known contact or an in-person confirmation. Never rely on email alone.
  2. Segregation of duties: where possible, ensure the person who approves an invoice for payment is different from the person who executes the payment. This simple check adds a vital layer of oversight.
  3. Staff training: your people are your best defence. Train your team to spot the signs of an impersonation email, such as a fake CEO request or slight variations in email addresses.
  4. Regular reviews: implement a routine of checking bank reconciliations and monitoring for unusual changes to vendor bank accounts. An independent review of your approved vendor list can also uncover irregularities before they become problems.

How Moore Markhams can help

At Moore Markhams, our purpose is to help people thrive. That includes helping you safeguard your business from these growing threats. Our experts can provide practical, proactive support.

  • Forensic Accounting: we can perform a fraud-risk assessment for your business, asking the critical question: “What would happen if someone tried to divert our vendor payments?” This helps us identify and close control gaps before they are exploited.
  • Audit and Assurance: we can build specific control-testing for payment and invoice risk into our audit engagements, giving you confidence in your financial processes.
  • Business Advisory: we work alongside you to embed low-cost, high-impact control improvements, like two-channel verification, and provide training to empower your staff.

As you head towards your year-end review, ask yourself: “What controls do we truly have around our payments and approvals?” Prevention is always cheaper than remediation: a small investment in strengthening your controls now can save you from significant financial and reputational damage later.
We invite you to connect with us for a “mini control review” engagement. Let’s work together to ensure your business is secure, resilient, and ready for what’s next.