New Zealand businesses are frequently targeted by hackers in order to compromise their emails and attempt invoice scams, which can result in huge financial losses.
Despite many of these hackers being highly skilled at what they do, there are ways to prevent email compromises and invoice fraud.
So, as part of Fraud Awareness Week, REDnews sat down with Westpac’s Financial Crime Management Team to get the ins and outs of these scams and learn how to prevent them.
Here’s what we learned:
What are email compromises and invoice fraud?
Business email compromises involve a hacker gaining access to a business email account and all the information flowing in and out of it. From there, they can use the information and the compromised email account to carry out a range of fraud, scams and cyberattacks.
Email account compromises occur frequently in New Zealand and can result in high financial losses for affected businesses and their clients, as well as reputational damage.
One commonly observed fraud is invoice fraud, where the hacker alters the bank account number on a genuine invoice, emails the false documents to the business’s customers, and requests payments be made to the fraudulent account.
This can be highly successful because the customer was expecting the invoice as they had a relationship with that business (which the hacker knew from monitoring the email account).
How can I prevent email compromises?
- Implement good password policies and practices. Use strong passwords and ensure they are changed regularly.
- Implement two-factor authentication.
- Regularly check your business email accounts for auto forwarding or filtering rules that you did not set up.
- Regularly review your email access logs to look for unusual login activities.
- Regularly check your IT systems for malware or viruses, and keep systems and security software up to date.
How can I prevent invoice fraud?
(a) For individuals paying an invoice:
- Always confirm the account number over the phone when:
  - an invoice contains different bank account details or payment instructions to those previously advised, or
  - a large payment is due, or
  - the amount requested differs from the agreed value.
- Do not seek verification of the payment details via email, as you may simply be responding to the hacker.
- Do not use any contact details you have received in the email; use the information you have on file for the business or person or use the contact details on their official website.
(b) For businesses paying an invoice:
In addition to the points in (a):
- Implement a defined process for verifying and paying accounts and invoices.
- Ensure your staff are aware of this fraud and understand how it works so they can identify it, avoid it and report it.
- Consider a multi-person approval process for transactions over a certain dollar threshold.
If you believe you have been targeted by a scam, please contact your bank immediately.