The scam scene is set...please commit your lines to memory

You’ve been in a business relationship with a supplier, either in New Zealand or overseas, for many years now. They’ve invoiced you for goods and/or services at the same time every month, and you’ve paid them at the same time every month. Your relationship is established, trusted and working perfectly.

Then your supplier emails you one day to advise that their bank account is being audited and there is a different account number they want you to use for now. It makes sense and you remit payment for the current invoice to the newly provided account.

Sometime later, your supplier contacts you again to advise that their records show an outstanding invoice from the previous month. You immediately check your records, but they show you paid it on the due date to the new account they asked you to use. What’s gone wrong here?

In its simplest form, the ‘Invoice/Supplier’ scam works like this:

  1. A buyer and legitimate supplier (domestic or international) have an established relationship.
  2. Supplier’s email account is compromised (hacked) by an offender without their knowledge.
  3. Offender sends a fraudulent invoice or email to the buyer requesting payment to a different bank account.
  4. Buyer remits payment to an offender’s bank account instead of their supplier’s.

Our key message here is awareness. The ‘Invoice/Supplier’ scam is a particularly difficult type of fraud because it requires vigilance and double-checking to expose its presence, which is something that busy people and businesses may not always have time for (something that offenders count on). Once payment is made to an offender’s bank account, the money can be quickly moved overseas, and is then very challenging to retrieve.

To keep yourselves safe, we strongly recommend the following:

  1. If you ever receive an invoice with a new payment bank account number or an email advising of a new or temporary bank account number, validate it by telephone or in person (not over email) before making payment.
  2. Think twice about double-ups of invoices and check for obvious signs of a scam, for example, an unusual sender’s email address, spelling errors, demands for payment by a certain date, or signs the email is different to what you would normally receive.
  3. For your email account, use two-factor (2FA) or multi-factor (MFA) account authentication. 2FA/MFA provides an extra layer of security to prevent offenders from gaining access to your email account, even if they somehow get your password. This greatly reduces the risk of account compromise.
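
The checks in recommendations 1 and 2 can be written as a payment-hold rule. This is an added example, not part of the original advisory: the vendor record, invoice fields, hold reasons and sample data are all constructed, and the NZ-style account layout (bank-branch-account-suffix) is an assumption.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class Vendor:
    name: str
    domain: str    # domain the supplier normally emails from
    account: str   # account confirmed by phone or in person


@dataclass
class Invoice:
    number: str
    sender: str    # From: header of the email that carried the invoice
    account: str   # account the invoice asks to be paid into


def normalise_account(raw):
    """Digits only; a 2-digit suffix is padded to 3 (assumed NZ-style layout)
    so '00-0000-1234567-00' and '00 0000 1234567 000' compare equal."""
    parts = re.findall(r"\d+", raw)
    if len(parts) == 4:
        parts[3] = parts[3].zfill(3)
    return "".join(parts)


def review_invoice(vendor, inv, paid):
    """Return reasons to hold payment; an empty list means no check fired."""
    reasons = []
    if normalise_account(inv.account) != normalise_account(vendor.account):
        reasons.append("account differs from record: confirm by phone")
    domain = parseaddr(inv.sender)[1].rpartition("@")[2].lower()
    if domain != vendor.domain.lower():
        reasons.append("sender domain differs from record")
    if inv.number in paid:
        reasons.append("invoice number already paid")
    return reasons


# Constructed sample data (not real accounts or addresses).
VENDOR = Vendor("Example Supplies", "supplier.example", "00-0000-1234567-00")
PAID = {"INV-1041"}
SAMPLES = [
    Invoice("INV-1042", "Accounts <ap@supplier.example>", "00 0000 1234567 000"),
    Invoice("INV-1043", "Accounts <ap@supplier.example>", "00-0000-7654321-00"),
    Invoice("INV-1041", "Accounts <ap@suppl1er.example>", "00-0000-1234567-00"),
]
```

INV-1043 comes from the supplier's genuine domain, as it would from a compromised mailbox, so only the comparison against the verified account on record holds it.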

If you believe you have made a payment to a fraudulent bank account, contact us immediately at BNZ on 0800 ASK BNZ (275 269) or +64 4 924 0499.


I work as a Systems Administrator for an Internet Service Provider. I have worked in this role for 18 years and have intimate knowledge of the setup and operation of email servers starting from a blank hard drive all the way up to real-world clients using it for their personal and business email.

The only access method for email which supports 2-factor authentication, or anything other than a username/password combination, is webmail.

Now, webmail is just a pretty web-based front end to conventional email infrastructure which has always worked by username/password authentication.

Because of this, even if you choose to use extended authentication options like OTP (one-time password) for webmail, this is unlikely to provide any additional account security if your provider allows POP3, IMAP or authenticated SMTP (SASL) access.

See: Security theater (Wikipedia)

While I speak entirely for myself here, clients who hand over their password via phishing attacks etc. are a right pain in the arse and should not be allowed to use a computer. Moral of the story is don’t hand over your password.