IT Brief New Zealand - Technology news for CIOs & IT decision-makers

ANZ organisations see high engagement with sophisticated email scams

Today

Email attacks in the form of business email compromise (BEC) and vendor email compromise (VEC) are prompting growing concern for Australian and New Zealand (ANZ) organisations, as recent data demonstrates persistent employee engagement and under-reporting.

The findings stem from analysis conducted by Abnormal AI, which monitored over 1,400 organisations globally—including in ANZ—across various sectors for a full year. The email security platform operated in passive, read-only mode, observing but not blocking potential threats.

APAC and ANZ trends

The report highlighted distinct behavioural differences across regions. In the wider Asia-Pacific (APAC) region, employees engaged with BEC emails after reading them 44.4% of the time—10% higher than with VEC emails. APAC was the only global region where engagement rates with BEC surpassed those with VEC. Additionally, APAC employees showed the highest repeat engagement with BEC globally at 5.65%, meaning that more than one in twenty BEC interactions involved employees who had previously engaged with a separate BEC attack.

Within ANZ, engagement rates differed slightly compared to the APAC aggregate. ANZ employees engaged with BEC emails 42.60% of the time after reading them and with VEC emails at an even higher rate, 44.18%. However, ANZ showed the highest rate of repeat BEC engagement of any region worldwide, with 5.88% of BEC interactions initiated by employees who had previously replied to or forwarded a different BEC attack.

Reporting rates

The study found that reporting of suspicious emails among ANZ employees remains low. BEC attacks were reported at a rate of 1.87%, while VEC attacks were reported even less frequently at 0.90%. APAC as a whole had a similar pattern, with BEC reporting at 1.92%.

Global context

Globally, attackers attempted to steal more than USD $300 million via VEC in the twelve-month period examined, with 7% of engagements involving employees already exposed to previous attacks. The telecommunications sector had the highest global VEC engagement rate at 71.3%, followed by the energy and utilities sector at 56%.

Entry-level sales staff were identified as particularly susceptible, with junior personnel engaging with 86% of VEC messages they had read. These patterns suggest that certain sectors and job roles may benefit from targeted training and awareness campaigns.

Trends also differed markedly in Europe, the Middle East and Africa (EMEA), where employees were more susceptible to VEC attacks than to BEC. In EMEA, the VEC engagement rate exceeded the BEC rate by 90%, and repeat engagement with VEC was more than double that for BEC. Reporting rates for VEC in EMEA were low (0.27%), while BEC was reported at 4.22%, the highest of any region.

Expert commentary

"Security behaviour is shaped by both cultural norms and compliance standards, and the APAC region exemplifies how these factors can shift the threat landscape," said Tim Bentley, Vice President of Asia-Pacific at Abnormal AI. "While VEC is a growing concern worldwide, the data indicates that attackers targeting APAC are still seeing continued success with executive or internal impersonation tactics instead."

Addressing the rise in sophisticated phishing and impersonation attacks that use artificial intelligence, Bentley noted, "Attackers are leveraging AI to impersonate trusted identities with alarming accuracy. Whether the threat appears to come from a known vendor or a familiar executive, organisations in every region must invest in intelligent defences that adapt to regional behavioural patterns and automatically block attacks before employees ever see them."

Security implications

The report's findings draw attention to the need for a better balance between human vigilance and technical controls, particularly in environments where employee engagement with malicious content remains high and detection or reporting rates are low. Integrated, regionally aware security solutions may be required to bridge the gap identified by Abnormal AI's research.

Abnormal AI's data-driven insights suggest that attackers continue to adjust their methods according to regional employee behaviours, making ongoing monitoring and adaptability key considerations for organisational security strategies in ANZ and beyond.
