CERT NZ and the compromised business email scam

Earlier this month CERT NZ ran Cyber Smart Week, an awareness campaign about cyber security. CERT NZ is a government agency working to improve cyber safety in New Zealand. As the "first responders" of NZ's cyber security landscape, they receive reports of online threats from businesses, organisations and individuals. Working alongside other agencies - both local and international - CERT NZ use their knowledge of NZ's digital environment to provide support and advice for dealing with, and preventing, cybercrime.

The rapidly-moving and complex world of cyber security means no-one should ever become complacent about online safety. CERT NZ reportedly received more than 2,000 cyber security reports from NZ businesses over the past year alone. These threats resulted in a collective $5.2 million worth of financial losses.

The "business email compromise" scam

One of the online threats reported to CERT NZ involves business email accounts becoming compromised. A scammer hacks the account of a staff member, then uses the sensitive company information for personal gain.

Business email accounts tend to have large contact lists. The emails also often contain confidential bank account details, sales and billing information. The scammer can use this to send emails from the company's account, tricking contacts into providing information or paying bills into the wrong bank account. They do this by:

  • creating fake invoices
  • editing legitimate invoices to alter banking details
  • sending phishing emails
  • sending malware

Scammers will do their research. They may spend a few weeks monitoring the emails in the hacked account, waiting for a large payment to arise. They then either intercept the company's outgoing email to edit the invoice, or reply to the customer themselves attaching a fake invoice. Because the customer is expecting the company's bill, they are less likely to suspect a scam.

The scammer may set email auto-forwarding rules, in case the customer queries the change in bank account number. This diverts the customer's email away from the company inbox, allowing the scammer to reply without the business knowing.

Scammers may also set up filtering rules on the email account, which will delete all their outgoing emails from the company's 'sent' folder.

This scam could go unnoticed for some time, resulting in potentially large financial losses. Here are some tips on how to check if you've been affected, what to do if you are, and how to safeguard yourself from falling victim to this scam:

    How to check if your email account has been compromised:

  1. Check auto-forwarding rules on email accounts, especially any dealing with debtors and accounts receivable. Look for rules not created or set up by you or your company.

  2. Check auto-filtering rules for any you do not recognise.

  3. Check email access logs for unusual login times and unidentified IP addresses.

    If you made a payment which has not been received:

  4. Contact the business to confirm their bank account details match the account number you made payment into.

  5. If the bank details do not match, immediately contact your bank to find out if the payment can be stopped. If reported early enough the money is sometimes able to be recovered.

  6. Report the incident to CERT NZ. Tick the 'share with partners' option so the details can be shared with NZ Police.

    If you are expecting a payment which has not been received:

  7. Contact the customer to confirm the payment has been made. Check the bank account they made payment to is your business's account number.

  8. If the customer has made payment to the wrong account, advise them to take steps 5-6 above.

  9. Immediately change the password for the email account which sent the invoice. In the email settings, check if there is an option to close all open sessions.

  10. Follow steps 1-3 above - check for auto-forwarding and auto-filtering rules, and suspicious account access logins.

  11. Turn on 2-factor authentication for your email accounts (see our previous blog post for more about 2FA).

  12. Notify your IT provider, and get them to check your systems and network for installed malware.

  13. Follow step 6 above - report the incident to CERT NZ.
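As an added example (not part of the original post or of CERT NZ's guidance), the script below applies steps 1-3 to constructed mailbox-rule and sign-in records: it flags rules that forward mail outside the company, rules that delete messages (for instance from the 'sent' folder), and logins from unrecognised addresses or outside business hours. The company domain, office network range, business hours and the record layout are all assumptions, since each mail provider exports this data in its own shape.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

COMPANY_DOMAIN = "example.co.nz"                  # assumed: the business's own mail domain
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]   # assumed: office / VPN egress range
BUSINESS_HOURS = range(7, 20)                     # assumed: 07:00-19:59 local time

# Constructed sample of exported mailbox rules (layout is hypothetical, not any vendor's).
RULES = [
    {"name": "Archive newsletters", "forward_to": [], "delete": False, "folder": "Inbox"},
    {"name": "Untitled rule", "forward_to": ["ar-team@mail-relay.example.net"],
     "delete": False, "folder": "Inbox"},
    {"name": "Cleanup", "forward_to": [], "delete": True, "folder": "Sent Items"},
]

# Constructed sample of sign-in records for the same mailbox.
LOGINS = [
    {"time": "2019-10-21T09:15:00", "ip": "203.0.113.8"},
    {"time": "2019-10-22T03:42:00", "ip": "198.51.100.77"},
]


def audit_rules(rules, company_domain=COMPANY_DOMAIN):
    """Steps 1-2: flag rules forwarding outside the company or silently deleting mail."""
    findings = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"]
                    if not addr.lower().endswith("@" + company_domain)]
        if external:
            findings.append(f"rule '{rule['name']}' forwards to external address(es): "
                            + ", ".join(external))
        if rule["delete"]:
            findings.append(f"rule '{rule['name']}' deletes messages from '{rule['folder']}'")
    return findings


def audit_logins(logins, networks=KNOWN_NETWORKS, hours=BUSINESS_HOURS):
    """Step 3: flag sign-ins from unknown networks or outside business hours."""
    findings = []
    for login in logins:
        addr = ip_address(login["ip"])
        when = datetime.fromisoformat(login["time"])
        if not any(addr in net for net in networks):
            findings.append(f"{login['time']}: sign-in from unrecognised address {addr}")
        if when.hour not in hours:
            findings.append(f"{login['time']}: sign-in outside business hours")
    return findings


if __name__ == "__main__":
    for line in audit_rules(RULES) + audit_logins(LOGINS):
        print("SUSPICIOUS:", line)
```

Any finding is a prompt to compare the rule or login against what the business itself set up, not proof of compromise on its own.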

    How to safeguard yourself against business email hacking or scams:

  • Set up 2-factor authentication.

  • Try using long passphrases rather than complex passwords. Don't reuse passwords across multiple sites. Use a password manager to help keep track of your logins.

  • Keep software, apps and programs up-to-date. Install updates as soon as they become available - they may include important security patches.

  • Avoid filing/storing emails containing sensitive information in your email account.

  • Save regular suppliers' bank account numbers in your accounting software, to prevent making payments into the wrong account.

  • Confirm invoice and bank account details by phoning your supplier, being careful not to use contact numbers listed on an invoice - these could have been edited.

For other common cyber threats and how to safeguard against them, visit CERT NZ's website. On their site you can also subscribe to CERT NZ's updates, to stay abreast of the latest cyber security alerts.