May 7, 2026

$265 million fraud problem has a $0 solution for New Zealand’s smallest operators

The payments chain ends at the smallest operator

When a fraudulent booking hits a small motel, the loss doesn’t get absorbed by a corporate balance sheet or written off against quarterly earnings. It lands directly on an owner-operator who may have their entire retirement savings tied up in the property. The chargeback arrives weeks after the guest has gone, the platform shrugs, and the bank classifies the transaction as authorised.

This is not a hypothetical. New Zealand’s accommodation sector is the most digitally exposed industry in the country, with 72% of Accommodation and Food Services businesses reporting cyber threat impacts in a 12-month period, higher than any other sector surveyed by MBIE in 2024. And the national fraud bill keeps climbing. MBIE’s first industry-wide fraud monitor recorded total gross fraud losses of $265 million over 12 months across 12 banks, with $126 million classified as authorised payments where victims were tricked into approving the transaction.

That authorised classification is the trap. When a guest pays a fraudster instead of the motel, or when an operator releases a room before payment truly clears, banks treat it as the customer’s problem.

Half of all SMEs have already engaged with a scam

BNZ research from December 2025 found half of New Zealand SMEs had engaged with a scam attempt in the prior year, with 50% clicking a link, opening an attachment or replying to a scam message. Of those that fell victim, 21% suffered a business financial loss and 26% a personal financial loss. The average loss sat just over $5,000, meaningful for a sole operator but below the threshold that triggers serious bank investigation.

Margaret Miller, BNZ head of fraud operations, put the vulnerability plainly: “Business owners are alert to the danger, but they are also time-poor and juggling multiple priorities. The reality is that scammers are becoming increasingly sophisticated in their tactics.”

Despite this, 45% of SMEs do not consider cyber education a key priority, even as 64% believe scam activity has increased.

The attacks are getting more personal

In April 2026, Norton threat researchers warned of a rise in Reservation Hijack scams that use genuine booking data, hotel names, travel dates, and payment references, to make fraudulent messages indistinguishable from real ones. Researchers noted: “Rather than relying on generic scam emails with obvious warning signs, criminals are increasingly using personal and situational information to tailor messages around a specific purchase or journey.”

These aren’t Nigerian prince emails. They arrive via the booking platform’s own messaging system, referencing real reservations. A time-poor motel owner checking bookings at 6am has almost no chance of spotting the difference without training and tools they don’t have.

Enterprise solutions don’t scale down

Experian and Forrester research published this year found 58% of New Zealand organisations experienced a year-on-year increase in fraud losses, with 71% globally now investing more in fraud technology than in human analysts. That’s an enterprise reality. A motel owner in Paeroa managing bookings on a laptop is not deploying AI-driven fraud detection.

Mathew Demetriou, Managing Director Software Solutions A/NZ at Experian, said: “The rise of generative AI is accelerating both the scale and sophistication of attacks, making it critical for organisations to reassess their fraud prevention strategies.”

The NCSC’s 2023/2024 cyber threat report recorded $21.6 million in direct financial losses across 6,779 incidents, with average loss per incident rising from $14,000 to $25,500. These are reported figures only. NCSC has consistently noted that most losses go unreported.

The risk sits where the resources don’t

The structural problem is clear. Booking platforms set low verification standards and respond slowly to fraud reports. Banks draw the line at authorised transactions. And operators absorb the loss, the reputational damage, and the compliance burden with no dedicated support infrastructure.

In 2022, police warned Northland accommodation providers about stolen credit cards being used for bookings. The pattern hasn’t changed; it has only become more sophisticated. MBIE’s Business Digital Capability Monitor found 49% of businesses cite security and fraud concerns as barriers to digital adoption, yet only a third of those concerned businesses are actually updating their cyber security systems. A quarter find the tools too expensive.

The policy debate about fraud reimbursement in New Zealand has not yet seriously engaged with SME operators as a victim class distinct from individual consumers. Until it does, every small accommodation provider in the country is carrying digital payment risk that belongs somewhere further up the chain.
