Protect your email from invoice scams

Emailing invoices is the easiest way to get them to clients, but an invoice scam targeting New Zealand businesses could leave you unpaid. Here’s what to do about it.

The scam starts after you have emailed a client an invoice that includes your bank account details. Attackers who have compromised your email account search your mailbox for recently sent invoices, copy one and change the payment bank account number to that of a “money mule”. They then send the client another email, in the same layout as the original, saying an updated invoice is attached.

A “money mule” is someone with a New Zealand bank account who withdraws the funds very soon after the payment arrives and sends them offshore to the attacker. Sometimes the “money mule” does this knowingly, but often they are also the victim of a scam.

Although the scam has targeted businesses mainly in the building sector, other industries should stay alert.

If there is an invoice in your sent email mailbox, it can be copied, updated and sent out to your customer again.

Do everything you can to protect your business email accounts and strengthen your digital security.

Consumer Protection and accounting software company Xero have advice on reducing the risk of fraud or email accounts being compromised.

Improve your email security

If your email provider offers two-factor or multi-factor authentication (2FA/MFA), make sure you use it. This adds another layer of protection that makes it much harder for attackers to get into your email account, even if your password is compromised. Use an authenticator app or a security key rather than SMS codes where you can. Also check your mailbox for forwarding or filter rules you did not create: attackers who get into an account commonly add these to hide their activity.

Check the account number

Tell customers to confirm any invoice that shows a new payment bank account number with you in person, or by phoning a number they already have for you, before they pay it. They should not confirm by replying to the email, because the reply may go straight back to the attacker.

Look for signs

Tell customers to think twice about duplicate invoices and check for obvious signs of a scam, eg:

  • an unusual sender’s email address
  • spelling mistakes 
  • demands for payment by a certain date 
  • signs the email is different from ones they usually get from you.
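The checks above can be partly automated on the customer's side. The following is an added example, not code from business.govt.nz, Consumer Protection or Xero. It assumes the customer keeps a small register of known supplier email domains and bank account numbers, recorded out of band when the supplier was first set up, and that invoice emails are available as plain RFC 822 text. The supplier names, domains, account numbers and both sample messages are constructed for the example. The bank account pattern is the New Zealand format of bank (2 digits), branch (4), account (7) and suffix (2 or 3).

```python
"""Flag invoice emails that show the warning signs listed above.

Added example; the register, domains, account numbers and messages are
constructed and are not from the original page.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# NZ bank account number: bank-branch-account-suffix, separators optional.
NZ_ACCOUNT_RE = re.compile(r"\b(\d{2})[- ]?(\d{4})[- ]?(\d{7})[- ]?(\d{2,3})\b")

# Wording that signals a double-up or pressure to pay quickly.
URGENCY_RE = re.compile(
    r"\b(?:updated|revised|amended) invoice\b|\bpay(?:ment)? (?:by|before)\b"
    r"|\bimmediately\b|\boverdue\b",
    re.IGNORECASE,
)

# Constructed supplier register: domain -> account numbers confirmed out of
# band. Suffixes are stored zero-padded to three digits (see normalise_account).
KNOWN_SUPPLIERS = {
    "example-builders.co.nz": {"12-3456-0123456-000"},
}


def normalise_account(parts):
    """Canonical form so that suffix 00 and suffix 000 compare equal."""
    bank, branch, account, suffix = parts
    return f"{bank}-{branch}-{account}-{suffix.zfill(3)}"


def domain_of(header_value):
    """Domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_invoice(raw_email):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_email)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    subject = msg["Subject"] or ""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    warnings = []

    # Sign 1: unusual sender. Note the attacker may send from the supplier's
    # real, compromised mailbox, so a matching sender proves nothing by itself.
    known_accounts = KNOWN_SUPPLIERS.get(sender)
    if known_accounts is None:
        warnings.append(f"sender domain {sender!r} is not a known supplier")
        known_accounts = set()
    if reply_to and reply_to != sender:
        warnings.append(f"Reply-To domain {reply_to!r} differs from sender domain {sender!r}")

    # The decisive check: any account number not already on file.
    for match in NZ_ACCOUNT_RE.finditer(body):
        account = normalise_account(match.groups())
        if account not in known_accounts:
            warnings.append(
                f"bank account {account} is not the one on file for {sender!r}: "
                "confirm by phone or in person before paying"
            )

    # Signs 3 and 4: double-up or pressure wording in subject or body.
    phrases = {m.group(0).lower() for m in URGENCY_RE.finditer(subject + "\n" + body)}
    for phrase in sorted(phrases):
        warnings.append(f"double-up or pressure wording: {phrase!r}")
    return warnings


# Constructed sample messages.
LEGIT_INVOICE = """From: Example Builders <accounts@example-builders.co.nz>
To: owner@example.net
Subject: Invoice #1041

Invoice #1041 is attached. Please pay 12-3456-0123456-00 within 20 days.
"""

SCAM_INVOICE = """From: Example Builders <accounts@example-builders.co.nz>
Reply-To: accounts.examplebuilders@example.com
To: owner@example.net
Subject: Updated invoice #1041

Hi, please find the updated invoice attached. Our bank account has changed
to 38-9012-0345678-02. Please pay by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_INVOICE), ("scam", SCAM_INVOICE)):
        print(label, check_invoice(raw) or "no warnings")
```

In the constructed scam message the From address is the supplier's genuine one, which is exactly the situation the page describes, so the sender check passes; the changed account number and the mismatched Reply-To are what raise the alarm. A register of confirmed account numbers is therefore the control that matters most, and a new number should always be confirmed through a channel other than the email itself.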

Report it

If a customer has paid into a fraudulent bank account, tell them to report it to their bank straight away and to make sure the issue is escalated to the bank’s fraud team. The sooner the bank is told, the better the chance of stopping the funds before the “money mule” moves them. Also advise them to report it to the police.

Xero customers

If you’re a Xero customer, send Xero an email about the scam and include the bank account number from the fake invoice. Xero has procedures in place with the fraud teams of New Zealand banks to notify them of accounts being used for fraud. This is useful even in cases where no payment is made to the fraudulent account, because banks are often able to identify the “money mule”.

Falling victim to a scam is stressful and can happen to anyone at any time, but there is help for you and your business.

For more information about scams and how to report them, visit Consumer Protection’s Scamwatch page.

Scamwatch(external link) — Consumer Protection

Security noticeboard(external link) — Xero
