Scammers intercepting business emails in fake invoice scams
CERT NZ is warning New Zealand businesses to be aware of an upsurge in fake invoices, which are often intercepting genuine payments.
CERT NZ says it has received a spike of reports about invoice scams recently. The best method of prevention is to strengthen email security and verbally confirm and change in bank account details.
Typically scammers gain access to a company's email account, monitor emails and then target customers who owe large payments.
The scammers then use the company's email address to tell those customers that bank account details have changed. Sometimes the scammer will even alter an invoice to include change the bank details.
CERT NZ advises that some scammers are also using auto-forwarding rules on a company's email, so they can respond directly to customers without the business ever knowing about it.
Scammers will also use filtering rules to delete their sent mail so their messages can't be detected.
Are you affected?CERT NZ says there are three main ways businesses can detect unusual activity:
Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Check to see if there are any forwarding rules to accounts you are not familiar with. Check auto-filtering rules on email accounts. Check to see if there are any rules that you did not set up.
Look at your email access logs to look for any unusual login behaviour – particularly odd login times and unexpected or foreign IP addresses.
How to mitigate the problemCERT NZ says that if companies are expecting a payment that hasn't arrived or have made a payment that hasn't been received, it could be a sign of this scam.
Businesses that have made payment:
You should call the intended recipient, confirm bank details and check that the payment hasn't been received. If details don't match, call the bank immediately. The bank may be able to recover the money if it is caught early enough. Businesses should also file a report with CERT NZ.
Businesses that are expecting payments that haven't arrived:You should call the person responsible for the payment and ask them to confirm bank details. If details don't match, the person should contact their bank to find out if the payment can be stopped.
- "Immediately change the email passwords for the email account that sent the invoice. In the email settings, see if there's an option to close all open sessions.
- We strongly recommend you turn on two-factor authentication for your email accounts.
- In the email settings, see if there are any unexpected auto-forwarding or auto-filtering rules. Remove any you find.
- Report the incident to CERT NZ. Make sure you tick the 'share with partners' option so that we can share the details with NZ Police.
Strengthen your email security
- CERT NZ strongly recommends you have two-factor authentication on your email accounts.
- Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
- Consider disabling the auto-forwarding configuration. If your business does not use this feature, it can be disabled to prevent these rules from being set up.
- Set up logging on your business' email. These logs should cover log in attempts (both those that are successful and unsuccessful). These should also cover email delivery status, which tracks when emails might have been forwarded or deleted.
Improving invoice payment practices:
- If a business tells you they have a new bank account number, double check it with the business over the phone or text.
- Look on the business' website for their phone number, in case the scammers have changed the phone number on the address as well.
- As general practice, implement processes for managing payments over a certain amount. For example, the process could involve needing two people in your business review the invoice, and to confirm the details over the phone with the business.
- Store the details of regular vendors in your internet banking, so that you have the correct bank details saved.