Weekend Herald

Scammed out of $21,000

Rare happy ending after audacious email fraud


Nigerian scammers used to take a blunt approach: send a message to millions, and hope one of them believes they really have been chosen to help get a multimillion-dollar inheritance out of the country.

Now online fraud tends to be much more sophisticated and targeted.

This story has a happy ending, but most don’t, and one agency head is calling for change, saying New Zealand lacks a clear strategy for dealing with cyber scams.

Late last year, West Auckland couple Robin and Bruce Knox engaged a local company to remodel their bathroom.

Face-to-face visits were mixed with emails. It was agreed the Knoxes would pay in advance — to cover materials — for work that would begin in February. On October 15, the bathroom company’s owner emailed an invoice for a deposit of $13,836.

On October 22, Robin Knox emailed the company, saying she had accepted their quote and would pay the $13,836 on November 2.

Until this point, everything had been legitimate. But now events started to go south.

A few days later, on October 26, came an email saying the bathroom company had switched to Kiwibank.

Another email on November 2 had a fresh invoice for $13,896 attached, updated with details of the new account. Robin paid the sum on November 4, thinking nothing of it.

Another invoice followed, for $7000, the agreed amount for the second instalment, and again Robin paid, on January 5, thinking it was routine.

Then, on January 11, the bathroom company contacted Robin, asking why no money had been paid. She replied that she had paid, sending copies of the paperwork.

With creeping dread, Robin established on January 12 that she and her husband had been scammed out of just under $21,000.

The change of bank account email, and the two invoices, had been sent from the bathroom company owner’s real email address — but after it had been hijacked by a scammer.

What Robin did next was the correct thing: the same day, January 12, she contacted her bank, Westpac, and placed a return of funds request.

Her husband contacted Kiwibank. He was told the account in question was still active, but not whether there were any funds in it. The account was subsequently blocked. Kiwibank’s advice was to work through their bank (Westpac) and police.

In the days that followed, Robin was able to tap the services of a cybersecurity expert and establish that the two fraudulent invoices were associated with an Invoice2Go account called “andrewgiroud69” — a name associated with Nigerian scammers.

Robin filed an online report with police on January 15, with no immediate response.

By January 20 the Knoxes seemed to be getting nowhere. They had not heard back from the police, and the bathroom company suggested they were the ones who had been hacked (a scenario the cyber-security expert disputed). The couple got a phone call from Westpac, but only to say that there were no funds to retrieve and that Kiwibank’s fraud team was working on it.

Robin had not initially wanted to approach media, but was eventually persuaded to by a family member, who argued a cautionary tale would at least help others to avoid the same fate.

‘Not a typical outcome’

The Herald was in the process of running questions by Westpac, Kiwibank and other parties on January 28 when Robin emailed the good news: Westpac had agreed to return the funds to her account. A couple of days later, the $13,896 and $7000 were returned in full.

Although the equivalent in funds had been returned to the Knoxes, said the bank, the money had not yet been recovered.

The Knoxes were delighted, but “it’s not a typical outcome”, Netsafe chief executive Martin Cocker told the Herald.

“Sometimes if the report is made fast enough to enable the bank to recover the money, then they can refund to the customer. But usually the scammers are quick to empty the accounts at the other end.”

In his opinion, said Cocker, it would be hard to hold the bathroom company legally liable.

At a time when everyone from Fisher & Paykel Appliances to the Reserve Bank was suffering security breaches, no judge could hold a small mum-and-dad business to a higher standard.

Police could not say how many, if any, business email compromise cases had been successfully resolved since 2017.

The Herald has chronicled a number of cases recently, from the Far North District Council being duped out of $100,000 after hackers infiltrated the email system of one of its Auckland suppliers, to a retired couple left $53,000 out of pocket after making a payment on their dream home in Feilding to a scammer posing as their builder, to a certain America’s Cup team being tricked into sending millions to a fraudster’s account.

Much of the offending happens overseas, making arrests rare.

A police spokesman said the Knoxes’ case was being investigated.

“When the matter is reported immediately, police — through working with banks, Interpol and overseas law enforcement agencies — have managed to recover some of the money,” he said.

“The money is most often moved through multiple overseas bank accounts in jurisdictions that have limited co-operation with New Zealand authorities, which creates barriers to both investigations and recovering the money.”

Citing its standard privacy policy, Kiwibank would only confirm that the account the Knoxes’ money was transferred into was blocked.

Money mules

Netsafe’s Cocker said a business email compromise scam is typically executed from Nigeria or elsewhere offshore, but with the assistance of a so-called “money mule” — a local dupe who is paid a small amount to open a legitimate account, under their real name, then transfer any funds that land in that account to an overseas account.

Often funds were shuffled along a chain of multiple mules.

Cocker said that while money mules were easy to identify, he was not aware of any of these offenders being prosecuted.

“Usually, they genuinely think they have been engaged by a legitimate money transfer operation.”

Steep increase

Crown agency Cert NZ (Computer Emergency Response Team) has tracked a steep increase in “business email compromise” attacks like the one that targeted the bathroom company.

Between July and September last year, Cert NZ saw a 101 per cent increase in such attacks, compared with the previous three months. The July-September attacks resulted in $944,000 in direct financial loss.

It’s likely that figure underplays actual losses: people and companies are often shy of admitting them.

And others (like the Knoxes, until alerted by the Herald) are simply not aware the five-year-old Cert NZ exists.

As well as collating the stats, the agency acts as a kind of cyber triage unit. It can send you in the right direction for IT advice, and put you in touch with the right contacts at the police cybercrime unit.

Overall, Cert NZ tracked a 33 per cent increase in cyber incidents last year.

Lurking for weeks

A hacker might exploit a security vulnerability to gain access to a business’ email, but weak, guessable passwords, phishing scams (fake emails that ask for log-on details) and “credential dumps” are also common reasons for breaches.

An example of a credential dump is the incident — revealed in 2016 — in which 117 million LinkedIn emails and passwords were stolen. Online thieves buy such lists, figuring — correctly — that many people use the same password for multiple services.

There are also various so-called “spoofing” tools that allow hackers to imitate a company’s email address, or a close variant.

Or the simplest of tactics can be employed, such as registering an email address that’s the same as a legitimate company, bar a single letter — the jape that cost Team New Zealand $2.8 million.

“Once an attacker gains access to your business email, they can use it to send emails pretending to be from your business to trick your contacts into sharing personal and financial information,” said Cert NZ incident response manager Nadia Yousef.

“These scams often play out over weeks or months, with attackers watching emails being sent from the business’ account and looking out for invoices. When invoices for large sums are sent, they’ll change the bank account details so invoice amounts are being paid into the scammers’ account, instead of to the business.

“A common tactic is emailing the customer advising them that the business has got new banking details.

“The key thing is to act fast. If you’ve been affected by this type of scam, or something doesn’t feel quite right, contact Cert NZ, the police or your bank immediately.

“If caught quickly enough, in some cases we can work together to freeze an outgoing payment and investigate whether it is legitimate.”
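As an added illustration (not from the article, Cert NZ or any named company), the Python script below implements the two defensive checks the passage above implies: flagging a sender domain that is one character off a trusted vendor's domain, and flagging an invoice whose bank account does not match the account on file for that vendor, which catches the hijacked-real-address case too. The vendor records and invoice messages are constructed for the example.

```python
# Added example (not from the article): detection logic for two red flags the
# text describes, a look-alike sender domain and changed bank account details.
from typing import Dict, List, Optional

# Constructed vendor records: sender domain -> bank account number on file.
TRUSTED_VENDORS: Dict[str, str] = {
    "bathroomco.example": "01-0001-0123456-00",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; exactly one edit apart suggests a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str,
                     trusted: Dict[str, str] = TRUSTED_VENDORS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (one edit away), else None."""
    for known in trusted:
        if domain != known and edit_distance(domain, known) == 1:
            return known
    return None


def check_invoice(sender: str, bank_account: str,
                  trusted: Dict[str, str] = TRUSTED_VENDORS) -> List[str]:
    """Return red flags for an invoice email; an empty list means none raised."""
    flags: List[str] = []
    domain = sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_domain(domain, trusted)
    if imitated:
        flags.append(f"sender domain {domain} is one character off trusted {imitated}")
    on_file = trusted.get(imitated or domain)
    if on_file is None:
        flags.append(f"no vendor record for {domain}")
    elif bank_account != on_file:
        # A genuine address can be hijacked, so this check runs even when the
        # domain matches; confirm by phone using the number on the vendor's website.
        flags.append("bank account differs from the one on file")
    return flags


if __name__ == "__main__":
    # Constructed messages: the genuine invoice, then one with a changed account.
    print(check_invoice("owner@bathroomco.example", "01-0001-0123456-00"))
    print(check_invoice("owner@bathroomco.example", "38-9999-7654321-00"))
```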

Strategy lacking

“New Zealand doesn’t have a clear strategy for fighting scams,” Cocker told the Herald.

“We have a lot of agencies doing a lot of stuff; a lot of good stuff, but one of them needs to take a lead role.”

Small businesses were constantly exhorted to embrace online technology, he said, but many were understandably wary about the risks, and what happens when things go wrong. They needed more education, and more help when things go south.

And once they did get into the system, victims like the Knoxes often had an impersonal experience, the Netsafe boss said. They filled in online forms and were sent auto-responses.

Robin Knox shared an email sent by the police cybercrime unit that said the couple’s case had been referred to their local police district, with a list of reasons why it might not be prioritised. After hearing nothing for a fortnight, the Knoxes phoned the police. There was no update.


Transtasman gulf

Over the past 12 months, a gulf has opened up between Australia and New Zealand in new cyber-security spending. The Aussies are adding billions to their cyber-defence budgets, while here the increase can be measured in single-digit millions.

Last June, Australian Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country’s public and private networks against hackers.

Asked about NZ cybersecurity spending in the wake of Morrison’s announcement, then Communications Minister Kris Faafoi pointed to the creation of Cert NZ, set up in 2016 (under a National-led Government) with a $22.2m budget. Faafoi said the agency’s budget was increased by $9.3m over four years in Budget 2019.

“Also in Budget 2019, the Government allocated $8m over the next four years to help implement Cyber Security Strategy,” he said.

Email security

Cert NZ has a number of tech suggestions (see box, left).

But the agency’s director, Rob Pope, has low-tech advice for avoiding the most common threat posed by hijacked business email accounts: fake invoices sent from real email addresses.

His suggestion? Pick up the phone. If you’re suspicious about any request for money, or request to send funds to a different bank account, call the business concerned to double-check that it actually came from them, not a fraudster. And use the number on their website, not the one on the invoice.

“Just pause and think about this before you act,” says Pope. “It’s very easy in the electronic age just to assume it’s coming from business ABC, I’ve already got some outstanding money owing to them, I’ll just push the button. Just pause and think.”

NortonLifeLock senior director Mark Gorrie said, “Consumers need to look for bad grammar and spelling mistakes. They should also be very suspicious of notices that bank account details have changed, or that an international transfer is needed. These should all be red flags.

“Not every business can afford dedicated IT professionals, so at the least protect all your devices with a comprehensive, reputable brand of cybersecurity software — including company smartphones.

“Next, ensure you are using a password manager. These come prebuilt into good security software and shouldn’t cost you more. Turn on two-factor authentication on your business accounts such as Office 365.

“Educating staff is one of the more overlooked and critical ways for a business to protect itself.

“Employees are often very well-meaning weak links when it comes to security. Helping them understand how to recognise spam and phishing emails is a great first step.”

Photo / Dean Purcell: Robin Knox had $21,000 taken by scammers who hacked a firm remodelling her bathroom.
