Emailing invoices is the easiest way to get them to clients — but an invoice scam targeting New Zealand businesses could see them not getting paid. Here’s what to do about it.
The scam works after you’ve emailed a client their invoice with bank account details for payment. Attackers compromise your email account and find recently sent invoices in your mailbox, copy them and update the payment bank account number to that of a “money mule”. They then send another email with the same layout indicating an updated invoice is attached.
A “money mule” is someone with a New Zealand bank account who can withdraw the funds very soon after the payment is made and send them offshore to a hacker. Sometimes the “money mule” does this knowingly, but often they’re also the victim of a scam.
Although the scam has targeted businesses mainly in the building sector, other industries should stay alert.
Do everything you can to protect your business email accounts and beef up digital security.
Consumer Protection and accounting software company Xero have advice on reducing the risk of fraud or email accounts being compromised.
If your email provider offers two-factor or multi-factor authentication (2FA/MFA), make sure you use it. This adds another layer of protection to your email account that makes it much harder for attackers to get access, even if your password is compromised.
Tell customers to check with you in person — and not by email — any invoice with a new payment bank account number.
Tell customers to think twice about invoice double ups and check for obvious signs of a scam, eg:
If a customer has made payment to a fraudulent bank account, tell them to report it to their bank straight away, making sure the issue is escalated to the bank’s fraud team. Also advise them to tell the police.
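The customer-side checks described above (an invoice with a new payment bank account number, and invoice double ups) can also be applied automatically before a payment is approved. The following is an added example, not part of the original advice: the `Invoice` fields, the `review` function, the supplier name and the account numbers are all constructed for illustration. Any reason it returns means the invoice should be confirmed with the supplier in person, not by email.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    supplier: str      # supplier name as recorded in your accounts system
    number: str        # invoice number printed on the invoice
    bank_account: str  # payment account printed on the invoice

def normalise(account: str) -> str:
    """Keep digits only, so spacing or dashes cannot hide a match or a change."""
    return re.sub(r"[^0-9]", "", account)

def review(invoice: Invoice, verified_accounts: dict, history: dict) -> list:
    """Return the reasons this invoice needs checking before it is paid.

    verified_accounts: supplier -> account numbers already confirmed in person
    history: (supplier, invoice number) -> account on the first copy received
    """
    reasons = []
    account = normalise(invoice.bank_account)
    verified = {normalise(a) for a in verified_accounts.get(invoice.supplier, ())}
    if account not in verified:
        reasons.append("new-bank-account")
    key = (invoice.supplier, invoice.number)
    earlier = history.get(key)
    if earlier is None:
        history[key] = account          # first time this invoice has been seen
    else:
        reasons.append("duplicate-invoice")
        if earlier != account:          # same invoice, different payee account
            reasons.append("account-changed-on-duplicate")
    return reasons

# Constructed sample data: one verified supplier account, then the original
# invoice followed by an "updated" copy that carries a different account.
VERIFIED = {"Acme Builders": {"00-0000-0000001-00"}}
ORIGINAL = Invoice("Acme Builders", "INV-1001", "00 0000 0000001 00")
UPDATED = Invoice("Acme Builders", "INV-1001", "00-0000-0000002-00")

def demo():
    history = {}
    return review(ORIGINAL, VERIFIED, history), review(UPDATED, VERIFIED, history)

if __name__ == "__main__":
    first, second = demo()
    print("original:", first)
    print("updated: ", second)
```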
If you’re a Xero customer, send an email about the scam to firstname.lastname@example.org. Include the bank account number from the fake invoice. Xero has procedures in place with the fraud teams of New Zealand banks to notify them of accounts being used for fraud. This is useful even in cases where no payment is made to the fraudulent account — banks are often able to identify the "money mule".
Falling victim to a scam is stressful and can happen to anyone at any time, but there is help for you and your business.
For more information about scams and how to report them, visit Consumer Protection’s Scamwatch page.