While this scam is not new, many businesses are still falling for it.
Read how you can prevent being a victim.
Because of its interest in cybersecurity, the HTG Cybersecurity Team receives a lot of news (some factual and some anecdotal) about cybersecurity threats throughout the world. There are so many of them that if we were to send you an alert every time we heard of one, you would truly be overwhelmed.
However, we are keen to send you warnings of threats that are either new and highly risky, or ones that we believe are worth your knowing about or being reminded of. This is especially so for attacks that have snared local businesses.
This warning is about email invoice fraud.
This fraud is old hat but unfortunately, a lot of NZ businesses are still caught by it because of its sophistication. In its most basic form, criminals hack into your organisation’s email accounts. They search through your Sent emails to look for recent customer invoices that you have sent out.
The invoices are copied and then resent to the customer but with the receiving bank account number altered. The sender sometimes includes an ambiguous reason for changing the bank account number. The emails look like they genuinely come from you.
Needless to say, this kind of con is so sophisticated that it is extremely easy to fall prey to. Businesses do change bank accounts occasionally. And because the invoices look legitimate in every other respect, it is extremely easy to be duped.
In New Zealand, for some reason, two particular industries have recently been targeted: the building and importing sectors. At least one NZ importer has reported losing in excess of US$250,000 to scammers.
There are two groups of victims in each of these frauds: the firm whose email account has been hacked (the creditor), and the customers of the creditor if they unwittingly pay the account. Although it is unlikely that the business which is out of pocket will successfully recover the payment from the creditor, the incident has the potential to badly strain the relationship between the two parties. This is because the payer may blame the creditor for allowing its account to be hacked. Additionally, if the payer has been swindled of a large sum of money, that customer may not have much or any funds left to pay the legitimate creditor.
What do you need to avoid such scams?
The most effective strategy is eagle-eyed vigilance. Unfortunately, the level of vigilance that businesses traditionally observed to protect themselves in the past is insufficient in this new cyber free-for-all. We need to be super attentive.
Here are some guidelines for dealing with this dangerous scam:
- Be suspicious of any emailed, faxed or even snail-mailed request to change normal payment procedures, no matter how authentic it appears.
- Always verify that any such request is legitimate by contacting (preferably by ringing) the sender of the request. However, do not rely on the contact information contained in the received email for making that contact. As you know, it is very simple to tamper with contact details in an email.
- Also, do not hit ‘reply’ to respond to such emails. Even if you can remember the email address of the sender and it corresponds to the one in the email you have just received. This is because it is so easy to be fooled by email addresses that look so legitimate when they are not. For example, firstname.lastname@example.org looks almost identical to email@example.com but they can be as different as chalk and cheese as to where your email may land up.
- Be especially wary of emails from free email domains such as Gmail or Hotmail. They are more easily hacked and it is much harder to trace their owners.
- Pick up the phone and ring a known contact from the requesting company to verify the instruction before acting on it. Do not trust the person at the other end of the phone line unless he/she is someone you recognise.
- Alert your customers as soon as you become aware that the scam has been perpetrated on them. Advise them to contact their banks immediately because sometimes the disbursements can be stopped if reported on time.
- Most of all, secure your email network so that nobody can hack into your emails.
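One way to turn these guidelines into a routine pre-payment check in accounts payable: compare each emailed invoice against the vendor details you verified out of band, and hold anything where the bank account has changed or the sender or reply-to domain is a free-mail provider, a lookalike, or simply not the vendor's. This is an added example, not code from HTG; the vendor record, free-mail list and sample invoice are constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master record: details confirmed by phone on a known number.
VENDOR_MASTER = {
    "acme-building": {"domain": "acme-building.co.nz", "bank_account": "12-3456-0789012-00"},
}
# Constructed list of free email domains that deserve extra suspicion.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Invoice:
    vendor_id: str
    sender: str        # From: address on the emailed invoice
    reply_to: str      # Reply-To: address (where a 'reply' would actually go)
    bank_account: str  # account number printed on the invoice


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def looks_alike(a: str, b: str) -> bool:
    """True when two different domains are near-identical (one swapped or added character)."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= 0.85


def check_invoice(inv: Invoice) -> list[str]:
    """Return the reasons this invoice must be verified by phone before payment (empty = consistent)."""
    record = VENDOR_MASTER[inv.vendor_id]
    flags = []
    if inv.bank_account != record["bank_account"]:
        flags.append("bank account differs from vendor master; ring a known contact before paying")
    for label, addr in (("From", inv.sender), ("Reply-To", inv.reply_to)):
        dom = domain_of(addr)
        if dom in FREE_MAIL_DOMAINS:
            flags.append(f"{label} uses free email domain {dom}")
        elif looks_alike(dom, record["domain"]):
            flags.append(f"{label} domain {dom} is a lookalike of {record['domain']}")
        elif dom != record["domain"]:
            flags.append(f"{label} domain {dom} does not match vendor domain {record['domain']}")
    return flags


# Constructed sample: genuine-looking From, altered account, Reply-To on a lookalike domain.
SAMPLE = Invoice("acme-building", "accounts@acme-building.co.nz",
                 "accounts@acme-bui1ding.co.nz", "12-3456-0999999-00")

if __name__ == "__main__":
    for reason in check_invoice(SAMPLE):
        print("HOLD PAYMENT:", reason)
```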
Cyber security fraud reminds me of predators in Africa stalking prey. The hunter sets its sights on a large number of prey, knowing that one or more of them will fall. Do not unwittingly become the weak wildebeest.
I would strongly recommend that you pass the above guidelines to all your staff who deal with payments. I am sure they already know most, if not all, of the suggestions, but unless you continually remind them to be extra-vigilant, they can unwittingly become the vulnerable wildebeest. Too many NZ businesses unfortunately have.
If you have any questions about the security of your network or need assistance with ensuring that your protection strategy is in accordance with industry best practice, please click HERE to request a free initial consultation.