You’ve been in a business relationship with a supplier, either in New Zealand or overseas, for many years now. They’ve invoiced you for goods and/or services at the same time every month, and you’ve paid them at the same time every month. Your relationship is established, trusted and working perfectly.
Then your supplier emails you one day to advise that their bank account is being audited and there is a different account number they want you to use for now. It makes sense and you remit payment for the current invoice to the newly provided account.
Sometime later, your supplier contacts you again to advise that their records show an outstanding invoice from the previous month. You immediately check your records, but they show you paid it on the due date to the new account they asked you to use. What’s gone wrong here?
In its simplest form, the ‘Invoice/Supplier’ scam works like this:
- A buyer and legitimate supplier (domestic or international) have an established relationship.
- Supplier’s email account is compromised (hacked) by an offender without their knowledge.
- Offender sends a fraudulent invoice or email to the buyer requesting payment to a different bank account.
- Buyer remits payment to an offender’s bank account instead of their supplier’s.
Our key message here is awareness. The ‘Invoice/Supplier’ scam is a particularly difficult type of fraud because it requires vigilance and double-checking to expose its presence, which is something that busy people and businesses may not always have time for (something that offenders count on). Once payment is made to an offender’s bank account, the money can be quickly moved overseas, and is then very challenging to retrieve.
To keep yourselves safe, we strongly recommend the following:
- If you ever receive an invoice with a new payment bank account number or an email advising of a new or temporary bank account number, validate it by telephone or in person (not over email) before making payment.
- Think twice about double-ups of invoices and check for obvious signs of a scam, for example, an unusual sender’s email address, spelling errors, demands for payment by a certain date, or signs the email is different to what you would normally receive.
- For your email account, use two-factor (2FA) or multi-factor (MFA) account authentication. 2FA/MFA provides an extra layer of security to prevent offenders from gaining access to your email account, even if they somehow get your password. This greatly reduces the risk of account compromise.
If you believe you have made a payment to a fraudulent bank account, contact us immediately at BNZ on 0800 ASK BNZ (275 269) or +64 4 924 0499.