
Xero weighs in on Fraud Awareness Week

14 Nov 18

It’s International Fraud Awareness Week, and unfortunately the Xero security team is all too aware of fraud. We see it affecting our customers and community as an almost daily event.  

We’d like to help everyone avoid becoming a victim of fraud, so small businesses in New Zealand keep their hard earned money in their business, where it belongs.  

The theme of this year’s Fraud Week is ‘Stop and think: is this for real?’ This is a good mantra to keep in mind whenever you’re presented with a situation that doesn’t quite seem to add up.  

Invoice fraud on the rise

Sending invoices via email is a common method of requesting payment for many businesses, but it has also opened up a whole new field for criminals looking for easy targets.

Cyber criminals are hacking into the email accounts of businesses and accessing invoices in the ‘Sent’ items folder. The hacker can then easily copy the invoice and change details like the payment bank account number. They then resend the updated invoice from the compromised email account back to the customer asking them to make payment to the new bank account, often with an excuse for the change such as “our bank account is under maintenance” or “being audited”.

They may also intercept inbound invoices from suppliers and modify the payment bank account numbers on these before they’re seen by the business.

Once payment is made to the fraudulent account, the money can quickly be moved offshore where the funds become increasingly difficult to retrieve.  These bank accounts are usually owned by “money mules” who move the money offshore to the hacker, in the same way that drug mules are used to get narcotics across borders.  

Often the mules are victims themselves, having been tricked or possibly groomed over a long period of time.  Online romance scams are unfortunately a common way that mules are recruited and tricked into moving stolen money into the hands of a criminal.  

The New Zealand and Australian building sector has been affected by this scam for more than two years now, but other industries are not immune. Cyber criminals aren’t picky about who they steal from, but high value payments are an attractive target for them.

How to keep safe

You can help keep your business safe by following these steps:

●    Use strong authentication on your email account.  Two-factor (2FA) or multi-factor (MFA) authentication provides another layer of security to prevent an attacker gaining access to your email account, even if they somehow get your password. This significantly reduces the risk of account compromise. (Note: Google, Microsoft and Yahoo call their strong authentication 2SV - Two-Step Verification).  
●    If your email service provider doesn’t offer 2FA/MFA/2SV, your business will be made safer by changing to one that does.
●    Ask your customers to check with you first by phone or in person if they ever receive an invoice with a new payment bank account number.
●    If you or a customer has made payment to a fraudulent bank account, contact your/their bank immediately and report this, making sure it's escalated to the bank's fraud team.  Your best chance of getting the money back is if the bank can freeze the payment account before the funds are withdrawn and moved offshore.
●    Xero customers can also raise a support request via and should include the payment bank account number from the fraudulent invoice. Xero has procedures in place with the fraud teams of NZ banks to notify them of accounts being used for fraud.
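The control behind the steps above can be automated as a payment-release gate: an inbound invoice is paid only to the supplier's account on file, or to a new account that staff have confirmed by phone or in person. This is an added example, not Xero's code; it assumes a vetted supplier register, invoices as simple dicts and a set of out-of-band-verified (supplier, account) pairs, all constructed here.

```python
"""Payment-release gate against invoice redirection fraud (added example).

Assumptions, not from the article: a vetted supplier register mapping
supplier name -> bank account, invoices as dicts, and a set of
(supplier, normalised account) pairs confirmed by phone or in person.
"""
import re

# Excuses for a changed account that the article quotes from real fraud emails.
SUSPICIOUS_PHRASES = ("under maintenance", "being audited")


def normalise_account(account: str) -> str:
    """Keep digits only, so '12-3456-7890123-00' equals '12 3456 7890123 00'."""
    return re.sub(r"\D", "", account)


def assess_invoice(invoice: dict, register: dict, verified: set) -> tuple:
    """Return ('pay' | 'hold', reasons) for one inbound invoice."""
    supplier = invoice["supplier"]
    account = normalise_account(invoice["account"])
    is_verified = (supplier, account) in verified
    reasons, hold = [], False

    on_file = register.get(supplier)
    if on_file is None:
        hold, reasons = True, reasons + ["supplier not in vetted register"]
    elif account != normalise_account(on_file):
        if is_verified:
            reasons.append("account change confirmed out of band")
        else:
            hold, reasons = True, reasons + ["payment account differs from register"]

    # An excuse for a new account is itself a signal; hold unless already verified.
    body = invoice.get("body", "").lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in body:
            reasons.append(f"excuse phrase present: '{phrase}'")
            hold = hold or not is_verified
    return ("hold" if hold else "pay"), reasons


# Constructed sample data for a stand-alone run.
REGISTER = {"Acme Builders Ltd": "12-3456-7890123-00"}
VERIFIED = {("Acme Builders Ltd", normalise_account("01-9876-5432100-00"))}
INVOICES = [
    {"supplier": "Acme Builders Ltd", "account": "12-3456-7890123-00",
     "body": "Invoice 1042 attached, due in 20 days."},
    {"supplier": "Acme Builders Ltd", "account": "38-9012-3456789-01",
     "body": "Please pay to our new account, the old one is under maintenance."},
    {"supplier": "Acme Builders Ltd", "account": "01-9876-5432100-00",
     "body": "Invoice 1043 attached."},
]

if __name__ == "__main__":
    for inv in INVOICES:
        decision, why = assess_invoice(inv, REGISTER, VERIFIED)
        print(decision, inv["account"], why)
```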

It pays to be sceptical

Cyber criminals are always looking for ways to steal your money.  It pays to be sceptical to help avoid being a victim of fraud.  Here are some more tips that can help you to avoid being a victim:

●    If you have to pay money to get money, it’s a scam.  Watch out for anyone who says you’re entitled to money, like an inheritance or lottery win, but asks for a payment in advance to secure your funds.  This is known as advance fee fraud.  The well known Nigerian prince or diplomat that needs your help to get their gold/diamonds/cash out of the bank/country is another example. You’ll never see a cent; instead forward the email to

●    If you ever receive money into your bank account from someone you’ve only ever met online and they ask you to send it to them in another country using Western Union, Moneygram, or other money transfer service, it’s very likely you’re laundering the proceeds of a crime. Chances are the money was stolen from another person’s bank account and you’re being used as a mule to send it on to the criminal that stole it.  Even if you think you’re in a relationship with the person that’s asking you to send the money, check with your bank first to see where it really came from.

●    Beware of cold calls, whether from someone claiming to be the ‘Microsoft help desk’ telling you about a problem with your computer or someone with an investment opportunity too good to miss. Just hang up.

Article by Xero head of security Paul Macpherson.
