A complex and growing global fraud is targeting New Zealand businesses, with police estimating an overall industry loss of up to $10 million since late last year.
Forensic accountants at the Financial Crime Unit (FCU) are battling to stop companies unknowingly depositing funds into criminal accounts after a "business email compromise".
In reported crime, the FCU estimates between $5-10 million has been gained or targeted since September last year.
However, the figure could be much higher, with Netsafe estimating only about 4 per cent of all cyber attacks in New Zealand are reported - costing the country between $250-400 million annually.
The email compromise scam sees an email sent to a company's accounts department from a seemingly legitimate client or colleague.
Some fake emails have reportedly come with financial instructions directly from the company's CEO.
The emails ask the accounts department to update or process a normally regular payment with a new or amended bank account number.
Acting Detective Senior Sergeant Bridget Doell, of the Financial Crime Unit, told the Herald when the accounts department processes the request the funds often go to a "mule account" overseas or locally.
Once the funds arrive in the mule account it is transferred to another account - at times instantly.
A more complex email compromise sees a fraudster identify a business which is due to make a payment to a supplier or contractor.
"The fraudster tricks a mule into allowing a bank account to be used for some type of transaction, or gets the mule to open an account for a particular purpose," Doell said.
"The fraudster then registers a domain (website) with a very similar name to the supplier or contractor, which may be only a letter different from the genuine email address of the supplier or perhaps have a different suffix, such as '.co.nz' instead of '.com'."
Doell added the scammer then sends an email, via the newly formed domain, to the targeted business advising its accounts department of an account change and provides new details.
"The money is sent to the mule account by the business, believing they are paying a genuine supplier. The mule then quickly moves the funds," she said.
"Vigilance for people responsible for the money is the key in prevention. With so many email cons and invoicing in modern day business it's too easy for these scams to happen.
"The trust we have in email communication can be costly."
The 'Bob the Builder' case
In March this year a New Zealand property company came close to losing more than $350,000 after it was targeted in an email compromise scam.
The quick and sophisticated scheme used genuine Bank of New Zealand accounts, before the stolen funds were wired to Hong Kong.
On March 7 a scammer lured a mule with a job offer for an email compromise scheme, and asked the mule to register a New Zealand company.
The company was to be named Bob the Builder (Akl) Ltd*, mirroring a real company the property company dealt with, Bob the Builder Ltd*.
Once the mule confirmed the company had been formed it was instructed to open two bank accounts at two banks, including at BNZ.
Once the accounts were active a fake Bob the Builder domain address was created with only the slightest difference to the real Bob the Builder email.
On March 24, the scammer, masking as the property company, called the real Bob the Builder to ask what outstanding payments were due.
Once aware of what was owed, the scammer sent an email to the property company advising of a change in bank account details, and provided the details of the BNZ account.
Completely unaware, the property company promptly paid $354,982 to the mule's bank account on March 24.
The funds were then sent to Hong Kong on March 27.
However, on the same day the property company realised the scam and through its bank contacted BNZ, which were able to repatriate all the funds from Hong Kong.
The FCU believed the scammers were members of an international organised crime group.
*Names of companies changed.
FBI warns of dramatic increase
America's Federal Bureau of Investigation (FBI) warned last December of a "dramatic rise" in business email compromise scams.
Globally, since October 2013, the FBI estimates more than US$3.1 billion ($4.50b) in actual and attempted losses have been reported.
"The BEC scam is one of the fastest growing schemes we've seen over the past few years," FBI Special Agent Harold Shawin said in his warning.
The FBI suggests the scammers are part of international organised crime groups, and email compromise crime have been reported in 100 countries.
Scammers were also using malware to infiltrate company networks, gaining access to legitimate email threads about billing and invoices, the FBI said.
How to avoid business email compromise
• Poor English in the initial email is a common identifying factor.
• Use a simple voice verification or password.
• Call the CEO, or a secondary check through a third person within the company.
• Have a strict rule that no accounts will be altered unless through verbal or face-to-face exchanges.
• Request a phone number of the CFO, or CEO and a name.
• Check reliable sources such as the white pages - or the banking institution.
• Google the email address.
• If in doubt do not pay the money.
By Sam Hurley
6:48 AM Thursday May 18, 2017