Ian Steward 16 Nov 2022

Your business receives an innocuous email from a supplier notifying you of a bank account change.

The originating email address is correct and the email looks the same as all the others from that company, so the change is instituted and a $50,000 invoice is paid.

This is exactly the situation a New Zealand cleaning supply company found itself in recently when it was contacted by the Westpac Financial Crime team.

The company had fallen victim to a Business Email Compromise scam – a class of scam that’s affecting more and more New Zealand businesses every day.

Business email compromises (BECs) can result in high financial losses that may not be recovered. They can also negatively affect the reputation of the business.

The cleaning company was lucky - it turned out that Westpac had already frozen this particular fraudster’s bank account and were looking into their activity due to a previous transaction that had alerted the bank.

But many other businesses have not been so fortunate and amounts into the millions have been lost.

A BEC involves a hacker getting access to a business email account and all its information. From there they can use the information to carry out a range of fraud, scams or cyber-attacks.

Because the payoffs can be so high, sometimes significant time is invested into the scam, with the fraudster lying in wait for the right time to strike.

A fraudster may compromise a building company’s emails, for example, and monitor the emails back and forth until a large progress payment for a build is due. A simple email with a substituted account number can be all it takes to divert funds into the wrong hands.

In another example, a New Zealand charity was hit for $45,000 when an email purporting to be from the CEO was sent to an account director asking that two invoices be paid to an overseas supplier. The CEO’s email turned out to be a forgery and the accounts specified belonged to scammers.

A related common example is invoice fraud, where the hacker alters the bank account number on a genuine invoice, emails the false documents to the business's customers, and requests payments be made to the fraudulent account. This can be highly successful because the customer was expecting the invoice due to their previous relationship with that business (which the hacker knew from monitoring the email account).

This was the case with the cleaning company mentioned earlier.

Since that fraud attempt, the business has implemented new measures. They have increased their security settings, so no one is authorised to do email forwarding. And if there is any request to change bank account details or contact details, staff now also have to physically check and verify with the supplier before changing their payment details.

With any new account number or change of account number, it’s a good idea to ring and verbally check that the numbers are correct.

To learn more about BEC and how to protect your business from fraud and scams visit https://www.westpac.co.nz/safety-and-security


Top tips to protect your business.

  • Keep operating systems and software up to date on all devices.
  • Ring to verbally check any new or changed account numbers.
  • Keep data safe by implementing backup procedures.
  • Implement strong access and password controls.
  • Implement processes for verifying payments.
  • Educate your staff on the latest scams.
  • Have a response plan for cybersecurity incidents.


We’re here to help keep you and your money safe. If you ever think you’ve been scammed, call us immediately on 0800 400 600.