Scammers intercepting business emails in fake invoice scams

06 Sep 18

CERT NZ is warning New Zealand businesses to be aware of an upsurge in fake invoices, which are often intercepting genuine payments.

CERT NZ says it has received a spike of reports about invoice scams recently. The best method of prevention is to strengthen email security and to verbally confirm any change in bank account details.

Typically scammers gain access to a company’s email account, monitor emails and then target customers who owe large payments.

The scammers then use the company’s email address to tell those customers that bank account details have changed. Sometimes the scammer will even alter an invoice to include the changed bank details.

CERT NZ advises that some scammers are also using auto-forwarding rules on a company’s email, so they can respond directly to customers without the business ever knowing about it.

Scammers will also use filtering rules to delete their sent mail so their messages can’t be detected.

Are you affected?

CERT NZ says there are three main ways businesses can detect unusual activity:

  • Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Check to see if there are any forwarding rules to accounts you are not familiar with.
  • Check auto-filtering rules on email accounts. Check to see if there are any rules that you did not set up.
  • Look at your email access logs for any unusual login behaviour – particularly odd login times and unexpected or foreign IP addresses.
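The three checks above (and the logging advice later in the article) can be scripted once rules and login events are exported. The following is an added example, not CERT NZ's own tooling: it triages a constructed mailbox-rule export and constructed login-log lines, flagging forwarding to addresses outside the company's own domain, rules that delete mail, and successful logins from outside the home country or outside business hours. The domain, country and hours are assumptions to adjust for your business.

```python
from datetime import datetime

COMPANY_DOMAIN = "example.co.nz"   # assumption: the business's own mail domain
HOME_COUNTRY = "NZ"                # assumption: logins from elsewhere are unexpected
BUSINESS_HOURS = range(7, 19)      # assumption: 07:00-18:59 local is normal

# Constructed sample of mailbox rules, shaped like a generic rule export.
RULES = [
    {"name": "Archive newsletters", "forward_to": [], "delete": False},
    {"name": "Invoices copy", "forward_to": ["billing.update@mail-relay.example"], "delete": True},
    {"name": "Invoices", "forward_to": ["ar@example.co.nz"], "delete": False},
]

# Constructed sample of login-log lines: timestamp, user, result, source IP, country.
LOGINS = """\
2018-09-04T09:12:03 ar@example.co.nz SUCCESS 203.0.113.10 NZ
2018-09-04T02:47:55 ar@example.co.nz SUCCESS 198.51.100.77 NG
2018-09-04T02:48:10 ar@example.co.nz SUCCESS 198.51.100.77 NG
2018-09-05T13:05:21 ar@example.co.nz FAILURE 192.0.2.5 NZ
"""

def suspicious_rules(rules):
    """Flag rules that forward outside the company domain or that delete mail."""
    findings = []
    for r in rules:
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + COMPANY_DOMAIN)]
        if external:
            findings.append((r["name"], "forwards externally to " + ", ".join(external)))
        if r["delete"]:
            findings.append((r["name"], "deletes messages; confirm the account owner set this up"))
    return findings

def suspicious_logins(log_text):
    """Flag successful logins from a foreign country or outside business hours."""
    findings = []
    for line in log_text.splitlines():
        ts, user, result, ip, country = line.split()
        if result != "SUCCESS":        # failed attempts are worth counting, but not flagged here
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if country != HOME_COUNTRY:
            reasons.append("foreign source " + country)
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours (%02d:00)" % hour)
        if reasons:
            findings.append((ts, user, ip, "; ".join(reasons)))
    return findings
```

Any finding from either function is a prompt to verify with the account owner and, where a forwarding address is unknown, to remove the rule and change the password as the article advises.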

How to mitigate the problem

CERT NZ says that if companies are expecting a payment that hasn’t arrived or have made a payment that hasn’t been received, it could be a sign of this scam.

Businesses that have made payment:

You should call the intended recipient, confirm bank details and check that the payment hasn’t been received. If details don’t match, call the bank immediately. The bank may be able to recover the money if it is caught early enough. Businesses should also file a report with CERT NZ.

Businesses that are expecting payments that haven’t arrived:

You should call the person responsible for the payment and ask them to confirm bank details. If details don’t match, the person should contact their bank to find out if the payment can be stopped.

  • Immediately change the email passwords for the email account that sent the invoice. In the email settings, see if there’s an option to close all open sessions.
  • We strongly recommend you turn on two-factor authentication for your email accounts.
  • In the email settings, see if there are any unexpected auto-forwarding or auto-filtering rules. Remove any you find.
  • Report the incident to CERT NZ. Make sure you tick the ‘share with partners’ option so that we can share the details with NZ Police.

CERT NZ also offers the following prevention tips:

Strengthen your email security

  • CERT NZ strongly recommends you have two-factor authentication on your email accounts.
  • Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
  • Consider disabling the auto-forwarding configuration. If your business does not use this feature, it can be disabled to prevent these rules from being set up.
  • Set up logging on your business’ email. These logs should cover login attempts (both successful and unsuccessful). They should also cover email delivery status, which tracks when emails might have been forwarded or deleted.

Improving invoice payment practices:

  • If a business tells you they have a new bank account number, double check it with the business over the phone or text.
  • Look on the business’ website for their phone number, in case the scammers have changed the phone number in the message as well.
  • As general practice, implement processes for managing payments over a certain amount. For example, the process could require two people in your business to review the invoice and to confirm the details over the phone with the business.
  • Store the details of regular vendors in your internet banking, so that you have the correct bank details saved.