New Zealand Internet Task Force

Improving the cyber security posture of New Zealand


Email invoice fraud proves persistent

Campbell Gardiner

Email invoice fraud continues to be a problem affecting small and medium business in New Zealand. But there are some simple, practical actions you can take to reduce your risk.

This type of fraud happens via hacked email accounts, which are used to resend duplicate invoices that look just like the real thing. It works like this:

Hackers access a business’s Sent mail to find a recent customer invoice. They copy the invoice, but alter the payment bank account number. They then email the customer with the modified invoice and ask the customer to instead pay into the new, fraudulent account number. They may offer a dubious reason for the new payment bank account number, such as the original account is being “audited”.

Xero’s Head of Security, Paul Macpherson, says a number of businesses fell victim to this scam last year. Unfortunately, cases are still being reported.

“What we've had reported is mostly targeting the building industry. It's small numbers, but seems to be slowly increasing. We're getting about one report a week. Being the building industry, some of the invoices are for quite large amounts.”

Email invoice fraud is all the more insidious because it has two victims - the business whose email account is hacked, and the customer of the hacked business who receives and pays the fake invoice.

Macpherson says it’s important that all businesses involved in sending and/or paying invoices are hygienic with their accounting and do everything they can to secure their email accounts. The following preventative actions will help mitigate the threat.

Implement bulletproof accounting practices

Be scrupulous in verifying and paying invoices. This involves implementing clearly defined accounting practices.

Scrutinise and match suspicious bank account numbers against existing numbers in your accounting system. ‘Red flag’ and follow up any discrepancies. Treat the arrival of unexpected invoices with the utmost caution.

Verify over the phone any new payee information that you’ve been emailed - both when loading new payees and when making changes to existing payee information.

Educate & communicate

Make your staff aware of the issue. Look out for emails that ask for payment with new bank details. The best thing to do if this happens is pick up the phone to check the authenticity of the invoice you’ve received.

You may want to consider enforcing a policy that any change of bank account number on an invoice is validated through a non-email channel and by at least two of your supplier’s contacts.
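The account-matching and out-of-band verification controls described in the two sections above can be expressed as a simple invoice review check. This is an added example, not part of the original article or of any Xero product; the payee master list and invoices are constructed sample data, and the account format assumed is the New Zealand bank, branch, account, suffix layout (BB-bbbb-AAAAAAA-SS or -SSS).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed payee master records, as an accounting system might hold them
# (sample data only; not real businesses or bank accounts).
PAYEES: Dict[str, str] = {
    "Acme Builders Ltd": "12-3456-0123456-00",
}


def normalise_account(raw: str) -> str:
    """Strip separators and zero-pad the suffix to three digits, so that
    '12-3456-0123456-00' and '12 3456 0123456 000' compare as equal."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError(f"not a NZ-format account number: {raw!r}")
    body, suffix = digits[:13], digits[13:]
    return body + suffix.zfill(3)


@dataclass
class Invoice:
    payee: str
    account: str
    amount: float
    expected: bool            # ties to an open order or known engagement
    reason_for_change: str = ""  # any pretext given in the e-mail for new details


def review_invoice(inv: Invoice, payees: Dict[str, str] = PAYEES) -> List[str]:
    """Return the red flags raised by this invoice against the payee master."""
    flags: List[str] = []
    known = payees.get(inv.payee)
    if known is None:
        flags.append("NEW_PAYEE")
    elif normalise_account(known) != normalise_account(inv.account):
        flags.append("ACCOUNT_CHANGED")
    if not inv.expected:
        flags.append("UNEXPECTED_INVOICE")
    if inv.reason_for_change:
        # A reason such as "the account is being audited" is itself a signal.
        flags.append("REASON_GIVEN_IN_EMAIL")
    return flags


def required_action(flags: List[str]) -> str:
    """Map flags to the payment-team action the article recommends."""
    if "NEW_PAYEE" in flags or "ACCOUNT_CHANGED" in flags:
        return "HOLD: confirm bank details by phone with two known supplier contacts"
    if flags:
        return "HOLD: confirm the invoice by phone before paying"
    return "OK to pay"
```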

Secure your email account

Make sure the latest antivirus and security updates are installed on any computer or device you use to deal with invoices. Having a long, strong email password is also vital.

Use an extra layer of security

If your email provider offers two-factor (2FA) or multi-factor (MFA) authentication, you should use it. 2FA/MFA provides another layer of security to prevent hacking. It significantly reduces the risk of your email being maliciously accessed and used to commit invoice fraud.

Quickly report if you’re affected

If you or one of your customers has paid into a fraudulent bank account, don’t panic. It’s important to contact the banks involved right away, making sure the issue is escalated to their fraud teams. Also advise the Police.

Your customer’s bank needs the details of the bank account the payment was made to so they can advise the receiving bank to put a hold on the money. Invoice fraud payments are typically made into the account of what Macpherson describes as a "money mule," who will withdraw the funds and send them offshore to the hacker.

For their part, Xero customers should additionally contact Xero if they’re targeted. Macpherson says the company has procedures in place with the fraud teams of New Zealand banks to notify them of accounts being used for fraud. This is useful even in cases where no payment is made to the fraudulent account, as banks are often able to identify the money mule.

The upshot is this. Sound email security, accounting hygiene and eagle-eyed vigilance by everybody along the invoice chain are key to avoiding the worst that can happen.

Three hundred years ago, Benjamin Franklin commented that ‘an ounce of prevention is worth a pound of cure’. The advice is worth heeding because nowhere is the adage truer than when it comes to email invoice fraud.