It’s International Fraud Awareness Week, and unfortunately the Xero security team is all too aware of fraud. We see it affecting our customers and community as an almost daily event.
We’d like to help everyone avoid becoming a victim of fraud, so small businesses in New Zealand keep their hard earned money in their business, where it belongs.
The theme of this year’s Fraud Week is ‘Stop and think: is this for real?’ This is a good mantra to keep in mind whenever you’re presented with a situation that doesn’t quite seem to add up.
Invoice fraud on the rise
Sending invoices via email is a common method of requesting payment for many businesses, but it has also opened up a whole new field for criminals looking for easy targets.
Cyber criminals are hacking into the email accounts of businesses and accessing invoices in the ‘Sent’ items folder. The hacker can then easily copy the invoice and change details like the payment bank account number. They then resend the updated invoice from the compromised email account back to the customer asking them to make payment to the new bank account, often with an excuse for the change such as “our bank account is under maintenance” or “being audited”.
They may also intercept inbound invoices from suppliers and modify the payment bank account numbers on these before they’re seen by the business.
Once payment is made to the fraudulent account, the money can quickly be moved offshore where the funds become increasingly difficult to retrieve. These bank accounts are usually owned by “money mules” who move the money offshore to the hacker, in the same way that drug mules are used to get narcotics across borders.
Often the mules are victims themselves, having been tricked or possibly groomed over a long period of time. Online romance scams are unfortunately a common way that mules are recruited and tricked into moving stolen money into the hands of a criminal.
The New Zealand and Australian building sector has been affected by this scam for more than two years now, but other industries are not immune. Cyber criminals aren’t picky about who they steal from, but high value payments are an attractive target for them.
How to keep safe
You can help keep your business safe by following these steps:
● Use strong authentication on your email account. Two-factor (2FA) or multi-factor (MFA) authentication provides another layer of security to prevent an attacker gaining access to your email account, even if they somehow get your password. This significantly reduces the risk of account compromise. (Note: Google, Microsoft and Yahoo call their strong authentication 2SV - Two-Step Verification).
● If your email service provider doesn’t offer 2FA/MFA/2SV, your business will be made safer by changing to one that does.
● Ask your customers to check with you first by phone or in person if they ever receive an invoice with a new payment bank account number.
● If you or a customer has made payment to a fraudulent bank account, contact your/their bank immediately and report this, making sure it's escalated to the bank's fraud team. Your best chance of getting the money back is if the bank can freeze the payment account before the funds are withdrawn and moved offshore.
● Xero customers can also raise a support request via email@example.com and should include the payment bank account number from the fraudulent invoice. Xero has procedures in place with the fraud teams of NZ banks to notify them of accounts being used for fraud.
It pays to be sceptical
Cyber criminals are always looking for ways to steal your money. It pays to be sceptical to help avoid being a victim of fraud. Here are some more tips that can help you to avoid being a victim:
● If you have to pay money to get money, it’s a scam. Watch out for anyone who says you’re entitled to money, like an inheritance or lottery win, but asks for a payment in advance to secure your funds. This is known as advance fee fraud. The well known Nigerian prince or diplomat that needs your help to get their gold/diamonds/cash out of the bank/country is another example. You’ll never see a cent; instead forward the email to firstname.lastname@example.org.
● If you ever receive money into your bank account from someone you’ve only ever met online and they ask you to send it to them in another country using Western Union, Moneygram, or other money transfer service, it’s very likely you’re laundering the proceeds of a crime. Chances are the money was stolen from another person’s bank account and you’re being used as a mule to send it on to the criminal that stole it. Even if you think you’re in a relationship with the person that’s asking you to send the money, check with your bank first to see where it really came from.
● Beware of cold calls. Whether it’s from someone claiming to be the ‘Microsoft help desk’ telling you about a problem with your computer or someone with an investment opportunity too good to miss. Just hang up.
Article by Xero head of security Paul Macpherson.