A complex and growing global fraud is targeting New Zealand businesses, with police estimating an overall industry loss of up to $10 million since late last year.
Forensic accountants at the Financial Crime Unit (FCU) are battling to stop companies unknowingly depositing funds into criminal accounts after a “business email compromise”.
In reported crime, the FCU estimates between $5-10 million has been gained or targeted since September last year. However, the figure could be much higher, with Netsafe estimating only about 4 per cent of all cyber-attacks in New Zealand are reported – costing the country between $250-400 million annually.
The email compromise scam sees an email sent to a company’s accounts department from a seemingly legitimate client or colleague. Some fake emails have reportedly come with financial instructions directly from the company’s CEO.
The emails ask the accounts department to update or process a normally regular payment with a new or amended bank account number.
Acting Detective Senior Sergeant Bridget Doell, of the Financial Crime Unit, told the Herald that when the accounts department processes the request, the funds often go to a “mule account” overseas or locally. Once the funds arrive in the mule account they are transferred to another account – at times instantly.
A more complex email compromise sees a fraudster identify a business which is due to make a payment to a supplier or contractor.
“The fraudster tricks a mule into allowing a bank account to be used for some type of transaction, or gets the mule to open an account for a particular purpose,” Doell said.
“The fraudster then registers a domain (website) with a very similar name to the supplier or contractor, which may be only a letter different from the genuine email address of the supplier or perhaps have a different suffix, such as ‘.co.nz’ instead of ‘.com’.”
Doell added the scammer then sends an email, via the newly formed domain, to the targeted business advising its accounts department of an account change and provides new details.
“The money is sent to the mule account by the business, believing they are paying a genuine supplier. The mule then quickly moves the funds,” she said.
“Vigilance for people responsible for the money is the key in prevention. With so many email cons and invoicing in modern day business it’s too easy for these scams to happen. The trust we have in email communication can be costly.”
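The lookalike-domain trick described above (a sender domain one letter off from the supplier's, or the same name under a different suffix) can be screened for before a payment-change request reaches accounts staff. The Python check below is an added example, not part of the original article; the supplier list, the suffix list and the function names are constructed for illustration.

```python
# Added example: flag sender domains that imitate a known supplier domain.
# KNOWN_SUPPLIERS is constructed sample data, not taken from the article.
KNOWN_SUPPLIERS = {"acmefreight.com", "kiwipaper.co.nz"}
# Small assumed suffix list, longest first; real deployments should use the
# Public Suffix List instead.
SUFFIXES = (".co.nz", ".com", ".net", ".org", ".nz")


def split_domain(domain):
    """Return (name, suffix), e.g. 'kiwipaper.co.nz' -> ('kiwipaper', '.co.nz')."""
    domain = domain.lower().strip(".")
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            return domain[: -len(suffix)], suffix
    name, _, tld = domain.rpartition(".")
    return name, "." + tld


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address):
    """Classify a sender address as 'known', 'lookalike of ...' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_SUPPLIERS:
        return "known"
    name, suffix = split_domain(domain)
    for supplier in sorted(KNOWN_SUPPLIERS):
        s_name, s_suffix = split_domain(supplier)
        # Same name under another suffix, e.g. '.co.nz' instead of '.com'.
        if name == s_name and suffix != s_suffix:
            return f"lookalike of {supplier} (different suffix)"
        # Same suffix, name exactly one character away from the real one.
        if suffix == s_suffix and edit_distance(name, s_name) == 1:
            return f"lookalike of {supplier} (one character different)"
    return "unknown"
```

A "lookalike" result is a reason to hold the request and verify it by phone, not proof of fraud; an "unknown" result only means the domain resembles no supplier on the list.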
FBI warns of dramatic increase
America’s Federal Bureau of Investigation (FBI) warned last December of a “dramatic rise” in business email compromise scams. Globally, since October 2013, the FBI estimates more than US$3.1 billion ($4.50b) in actual and attempted losses have been reported.
“The BEC scam is one of the fastest growing schemes we’ve seen over the past few years,” FBI Special Agent Harold Shawin said in his warning.
The FBI suggests the scammers are part of international organised crime groups, and email compromise crimes have been reported in 100 countries.
Scammers were also using malware to infiltrate company networks, gaining access to legitimate email threads about billing and invoices, the FBI said.
How to avoid business email compromise
- Poor English in the initial email is a common identifying factor.
- Use a simple voice verification or password.
- Call the CEO, or run a secondary check through a third person within the company.
- Have a strict rule that no accounts will be altered unless through verbal or face-to-face exchanges.
- Request a name and a phone number for the CFO or CEO.
- Check reliable sources such as the white pages – or the banking institution.
- Google the email address.
- If in doubt do not pay the money.
*Thank you Sam Hurley NZ Herald.co.nz for this very informative article