Email fraud: some very useful advice from CERT
New Zealand law firms continue to be threatened by widespread email fraud in which the fraudsters gain access to an email account and advise clients, or their lawyers, of a change in bank account details. Because it is usually connected to expected payments where time is of the essence – such as a property settlement – the fraudsters have a relatively good success rate. Some New Zealand firms have been involved in frauds where hundreds of thousands of dollars are lost.
The Government’s cybersecurity agency CERT NZ is making 8-12 October Cyber Smart Week. This is New Zealand’s national cyber security awareness week and has the theme “Protect your online self”. The current spate of email frauds shows the importance of this. Every organisation should visit the CERT NZ website https://www.cert.govt.nz/ for advice on cyber security and, if things go wrong, to report the problem.
CERT NZ has produced the following advice on “invoice scams”, which is the term used to cover frauds such as those targeting lawyers and their clients.
How it works
Scammers gain access to a business’s email account and read its mail, often for a couple of weeks, to learn when large payments are due. They then send an email from the business’s own email address asking the customer to pay into a different bank account.
In some cases, the scammer will intercept an invoice (or, often with law firms, a property settlement statement) and change the bank account details on the invoice to the scammer’s bank account. They then send the altered invoice with the new bank account details to the customer.
This is usually an invoice or payment the client was expecting, and it genuinely comes from the business’s account, so it passes the checks mail systems use to detect forged senders. The only visible difference is the bank account number on the invoice.
In other cases, the scammer will quickly reply to the email with their bank account. They will say they forgot to update their invoice and they recently changed their bank account details.
Some scammers cover their tracks by setting up auto-forwarding rules on the business’s mailbox, so that a client’s reply questioning the bank account change is copied to the scammer, who can answer it directly without the business knowing.
Scammers also set up filtering rules that delete their own sent messages, so the exchange cannot be found in the mailbox afterwards.
How to tell if you’re affected
The following checks will help you find unusual activity on your email accounts:
- Check the auto-forwarding rules on your email accounts, especially those used for accounts receivable, for forwarding to addresses you do not recognise. Forwarding can be set both in the account’s own settings and in individual inbox rules, so check both places;
- Check the filtering rules on your email accounts for any rule you did not set up, including rules that delete mail or move it to folders you rarely open;
- Review your email access logs for unusual login activity, particularly logins at odd hours and from unexpected or foreign IP addresses.
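The three checks above can be automated over exports of your mailbox rules and sign-in logs. The following Python script is an added example written for this page, not CERT NZ’s code, and it runs over constructed sample data embedded in the script. Its assumptions are labelled in the code: the firm’s own mail domain (examplelaw.co.nz), its office address range, its business hours and home country, and the shape of the exported rule and sign-in records, which will differ by provider. It goes slightly beyond the text in one respect: besides forwarding and deletion, it also flags rules that move mail into rarely read folders, a common way scammers hide diverted replies.

```python
"""Audit mailbox rules and sign-in events for the indicators described above:
forwarding to unfamiliar addresses, rules that delete or hide mail, and logins
at odd hours or from unexpected places. Added example; sample data is constructed."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions (not from the CERT NZ text): the firm's own mail domain, its office
# egress range (203.0.113.0/24 is a documentation range), home country and hours.
TRUSTED_DOMAINS = {"examplelaw.co.nz"}
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]
HOME_COUNTRY = "NZ"
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time counts as normal
# Folders scammers commonly use to park diverted replies so the owner never sees them.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email"}

# Constructed sample export of inbox rules, shaped like a typical provider export.
RULES = [
    {"name": "Invoices to accounts", "forward_to": ["accounts@examplelaw.co.nz"],
     "delete": False, "move_to": "Accounts"},
    {"name": ".", "forward_to": ["settlements.examplelaw@mail-example.net"],
     "delete": False, "move_to": "RSS Feeds"},
    {"name": "Cleanup", "forward_to": [], "delete": True, "move_to": None},
]

# Constructed sample sign-in log: (ISO 8601 local time, source IP, country, result).
LOGINS = [
    ("2018-10-01T09:12:00+13:00", "203.0.113.45", "NZ", "success"),
    ("2018-10-01T17:40:00+13:00", "203.0.113.45", "NZ", "success"),
    ("2018-10-02T03:31:00+13:00", "198.51.100.7", "XX", "failure"),
    ("2018-10-02T03:33:00+13:00", "198.51.100.7", "XX", "failure"),
    ("2018-10-02T03:35:00+13:00", "198.51.100.7", "XX", "failure"),
    ("2018-10-02T03:47:00+13:00", "198.51.100.7", "XX", "success"),
    ("2018-10-03T12:05:00+13:00", "192.0.2.10", "NZ", "success"),
]


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rules(rules, trusted_domains=TRUSTED_DOMAINS):
    """Return (rule name, reasons) pairs for rules matching the scam pattern."""
    findings = []
    for rule in rules:
        reasons = []
        for addr in rule.get("forward_to", []):
            if domain_of(addr) not in trusted_domains:
                reasons.append(f"forwards to external address {addr}")
        if rule.get("delete"):
            reasons.append("deletes matching messages")
        if rule.get("move_to") in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely read folder {rule['move_to']!r}")
        if not rule.get("name", "").strip(". _-"):
            reasons.append("rule has an empty or placeholder name")
        if reasons:
            findings.append((rule.get("name", ""), "; ".join(reasons)))
    return findings


def suspicious_logins(events, failure_threshold=3):
    """Flag successful logins at odd hours or from outside the office and home
    country, and successes from an IP that first produced repeated failures."""
    failures = Counter(ip for _, ip, _, result in events if result != "success")
    findings = []
    for ts, ip, country, result in events:
        if result != "success":
            continue
        when = datetime.fromisoformat(ts)
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append(f"login at {when:%H:%M} local time")
        in_office = any(ip_address(ip) in net for net in OFFICE_NETWORKS)
        if not in_office and country != HOME_COUNTRY:
            reasons.append(f"foreign source {ip} ({country})")
        if failures[ip] >= failure_threshold:
            reasons.append(f"{failures[ip]} failed attempts from {ip} before success")
        if reasons:
            findings.append((ts, ip, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, why in suspicious_rules(RULES):
        print(f"RULE {name!r}: {why}")
    for ts, ip, why in suspicious_logins(LOGINS):
        print(f"LOGIN {ts} from {ip}: {why}")
```

Export the real rule list and sign-in log from your provider’s admin console, reshape them into the same fields, and run the two functions over them. Anything flagged on a mailbox that handles invoices or settlement statements should be treated as a possible compromise and investigated before any payment is confirmed.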
The best prevention is to strengthen your email security and to verbally confirm any change of bank account details, using a phone number you already hold rather than one supplied in the email.
Strengthening your email security
CERT NZ strongly recommends you have two-factor authentication on your email accounts.
Make sure all email passwords in your business are strong and not used anywhere else. Encourage staff to use a password manager to help remember all their passwords.
Consider disabling automatic forwarding to external addresses. If your business does not use this feature, disabling it at the mail service level prevents such rules from being created, or from taking effect, even if an account is compromised.
Set up logging on your business’s email. The logs should record login attempts, both successful and unsuccessful, and message delivery and audit events, so that you can see when messages were forwarded or deleted and when mailbox rules were created or changed. Keep the logs long enough to cover the weeks a scammer may spend reading mail before acting.
Improving invoice payment practices
If a business tells you they have a new bank account number, double check it with the business over the phone or by text, using contact details you already hold rather than any given in the email or on the invoice.
Look on the business’s website for their phone number, in case the scammers have changed the phone number in the email signature or on the invoice as well.
As general practice, implement processes for managing payments over a certain amount. For example, the process could involve needing two people in your business to review the invoice, and to confirm the details over the phone with the business.
Store the details of regular vendors in your internet banking, so that you have the correct bank details saved and pay saved payees rather than re-keying account numbers from an invoice.
If you’re expecting a payment or have made a payment and it hasn’t been received, it’s possible you’ve been affected by this scam.
If you’ve made the payment
Call the business and check it hasn’t been received, and that you have the correct bank account details.
If the bank account details don’t match, immediately call your bank and see if you can get the payment stopped. In some instances, it’s possible to recover the money if it’s caught early enough.
Report the incident to CERT NZ (at "Report an issue" under "Businesses and individuals"). Make sure you tick the ‘share with partners’ option so that CERT can share the details with New Zealand Police.
If you’re expecting the payment
Call the person making the payment and check the bank details they sent the money to.
If the bank account details don’t match, advise the person to immediately contact their bank and see if they can get the payment stopped.
Immediately change the password for the email account that sent the invoice and, if the email settings offer it, sign out of or revoke all active sessions so that the scammer’s existing login stops working.
CERT NZ strongly recommends you turn on two-factor authentication for your email accounts.
In the email settings, see if there are any unexpected auto-forwarding or filtering rules. Record what they were (where they forwarded to, what they deleted) for your report, then remove them.
Again, report the incident to CERT NZ.
If you’ve been affected by this type of scam or need further support, submit a report on CERT NZ’s website www.cert.govt.nz/businesses-and-individuals/report-an-issue/ or contact them on 0800 CERTNZ.
Last updated on the 5th October 2018