Alerts

We highlight current cyber security threats in New Zealand, and provide guidance on what to do if they affect you.

12:45pm, 31 August 2018

TLP Rating: Clear

Invoice scams affecting New Zealand businesses

A spike of reports in invoice scams has been reported to CERT NZ recently.

In these scams, the scammers gain access to a business’ email account and advise customers of a change in bank account details. Because it comes from the business’ email account and tend to be for expected payments, the scammers are often successful.

Once the change is discovered, the money has often been transferred overseas and is hard to recover. 

What's happening

Systems affected

Scammers gain access to a business’ email account and they’ll read the emails for a couple of weeks to see when large payments are due. The scammer then sends an email from the business’ email address asking the customer to pay into a different bank account.

In some cases, the scammer will intercept an invoice and change the bank account details on the invoice to the scammer’s bank account. They then send the altered invoice with the new bank account details to the customer.

This is usually an invoice or payment the customer was expecting, and it appears to come from the business that it’s supposed to. The only visible difference is the bank account number on the invoice.

In other cases, the scammer will quickly reply to the email with their bank account. They will say they forgot to update their invoice and they recently changed their bank account details.

Some scammers are covering their tracks by setting up auto-forwarding rules on the business’ email. This means if a customer replies to the email questioning the bank account change, the scammer can reply to them directly without the business knowing.  

Scammers are also setting up filtering rules to delete all their sent mail so their messages can’t be discovered.

What to look for

How to tell if you're affected

The following steps will help you check if you’ve had unusual behaviour on your email account:

  1. Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Check to see if there are any forwarding rules to accounts you are not familiar with.
  2. Check auto-filtering rules on email accounts. Check to see if there are any rules that you did not set up.

Look at your email access logs to look for any unusual login behaviour – particularly odd login times and unexpected or foreign IP addresses.

What to do

Prevention

The best prevention is to strengthen your email security and verbally confirm any change in bank account.

Strengthen your email security:

  • CERT NZ strongly recommends you have two-factor authentication on your email accounts.
  • Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
  • Consider disabling the auto-forwarding configuration. If your business does not use this feature, it can be disabled to prevent these rules from being set up.
  • Set up logging on your business’ email. These logs should cover log in attempts (both those that are successful and unsuccessful). These should also cover email delivery status, which tracks when emails might have been forwarded or deleted.

Improving invoice payment practices:

  • If a business tells you they have a new bank account number, double check it with the business over the phone or text.
  • Look on the business’ website for their phone number, in case the scammers have changed the phone number on the address as well.
  • As general practice, implement processes for managing payments over a certain amount. For example, the process could involve needing two people in your business review the invoice, and to confirm the details over the phone with the business.
  • Store the details of regular vendors in your internet banking, so that you have the correct bank details saved.

Mitigation

If you’re expecting a payment or have made a payment and it hasn’t been received, it’s possible you’ve been affected by this scam.

If you’ve made the payment:

  1. Call the business and check it hasn’t been received, and that you have the correct bank account details.
  2. If the bank account details don’t match, immediately call your bank and see if you can get the payment stopped. In some instances, it’s possible to recover the money if it’s caught early enough.
  3. Report the incident to CERT NZ. Make sure you tick the ‘share with partners’ option so that we can share the details with NZ Police.

If you’re expecting the payment:

  1. Call the person making the payment and check the bank details they sent the money to.
  2. If the bank account details don’t match, advise the person to immediately contact their bank and see if they can get the payment stopped.
  3. Immediately change the email passwords for the email account that sent the invoice. In the email settings, see if there’s an option to close all open sessions.
  4. We strongly recommend you turn on two-factor authentication for your email accounts.
  5. In the email settings, see if there are any unexpected auto-forwarding or auto-filtering rules. Remove any you find.
  6. Report the incident to CERT NZ. Make sure you tick the ‘share with partners’ option so that we can share the details with NZ Police.

More information

If you’ve been affected by this scam or need further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media queries, contact media@mbie.govt.nz