Avoiding fraud

Last updated 19 May 2026

Here, we present three recent examples of fraud along with tips on how to protect your business against cyberattack, spear phishing and false invoices.

Cyberattacks

Businesses in Aotearoa New Zealand are increasingly being targeted in cyberattacks. An attacker can target your systems – or those of your information technology (IT) supplier – to lock down or steal data and prevent you accessing your systems. CERT NZ responded to 1,968 cybersecurity incidents in Q1 2023, up 12% from Q4 2022. Direct financial losses were up 66% to $5.8 million.

In 2022, a New Zealand business lost its operational IT systems, customer-facing website, payroll systems and employee data when the business that looked after its IT was attacked. Back-ups were also compromised so no data recovery was possible. Staff and contractors spent hundreds of hours rebuilding the information and systems and dealing with disruption to the business.

Cyberattack protection

  • Keep regular back-ups entirely separate from your main systems so they can be restored in the event of an attack.
  • Invest in quality cybersecurity measures that are proportionate to your risks. Two-factor authentication is one example of an easy and effective safeguard.
  • This is a fast-moving and specialist area, so get expert advice. Also report any suspicious activity or attacks to CERT NZ straight away.
  • Consider insuring against cyberattack. The cost of recovery can be substantial.

Spear phishing

A spear-phishing attack is highly targeted and can seem credible enough to fool even careful staff who are alert to fraud risks. The fraudster may already know enough information about the business and the individual targeted to make a plausible request.

Recently, a charity administrator was targeted with an email, supposedly from the CE, asking them to buy gift cards to be used as competition prizes. The request was urgent and there was no time for the usual processes and approvals.

The staff member did as asked, forwarding the serial numbers of the gift cards by return email. Sadly, it was a scam and $500 was irrecoverably lost.

Protect against spear phishing

  • If you receive an unusual request, confirm it with the person who purportedly sent the email. Do this without replying to the original message (which might be a scam) and instead phone or text them to check.
  • As a leader in your business, don’t disregard internal controls and processes for convenience. An apparent request from you to bypass approvals should set alarm bells ringing. If you routinely bypass controls, a scammer’s request might seem like something you could have sent.

False invoices

This is an oldie but still a favourite of fraudsters. By creating fake invoices or changing supplier details on real invoices, scammers can obtain payments from businesses for goods and services they haven’t provided. The perpetrator is sometimes a staff member, sometimes a stranger. These types of fraud can be extremely expensive and devastating for staff morale if they continue for a long period undetected.

A charity worker appeared in court in Wellington in June 2023 accused of misappropriating more than $1 million through fake supplier invoices and direct payments from the charity’s bank account. The timing of the losses coincided with rapid growth in activity for the charity, which saw revenue and spending increase four-fold over a 2-year period. Those periods of change can be risky for businesses because unusual spending might be harder to detect.

False invoice protection

  • Enforce segregation of duties so that no one staff member can authorise spending without another colleague’s oversight.
  • Protect supplier data in your payments system. Any change in a supplier’s bank account should be checked directly with the supplier.
  • Consider checking periodically whether any of your suppliers have the same banking or contact details as any of your staff.
  • Closely check outcomes against your budget and spending – are you seeing the results of your regular subscriptions and purchases?
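
An added example, not part of the original page: one way to run the supplier-versus-staff check from the third bullet above, in Python. The records are constructed samples, and the field names and normalisation rules (New Zealand phone prefixes, bank accounts typed as digit groups) are assumptions to adapt to your own payroll and payments exports.

```python
import re
from collections import defaultdict

# Constructed sample records (not real people, suppliers or accounts).
STAFF = [
    {"id": "E01", "bank": "01-0123-0456789-00", "phone": "021 555 0101", "email": "a.staff@example.org"},
    {"id": "E02", "bank": "02-0456-0111222-001", "phone": "+64 27 555 0102", "email": "b.staff@example.org"},
]
SUPPLIERS = [
    {"id": "S10", "bank": "03 0789 0333444 000", "phone": "04 555 0110", "email": "accounts@cleanco.example"},
    {"id": "S11", "bank": "02-0456-0111222-01", "phone": "04 555 0111", "email": "B.Staff@Example.org "},
    {"id": "S12", "bank": "06-0999-0555666-00", "phone": "027 555 0102", "email": "hello@events.example"},
]

def norm_bank(value):
    # Assumption: accounts are typed as digit groups with varying separators
    # and zero padding, so compare the groups with leading zeros removed.
    groups = re.findall(r"\d+", value or "")
    return "-".join(g.lstrip("0") or "0" for g in groups)

def norm_phone(value):
    # Assumption: New Zealand numbers; treat +64 / 0064 and a leading 0 alike.
    digits = re.sub(r"\D", "", value or "")
    return re.sub(r"^(?:0064|64)", "", digits).lstrip("0")

NORMALISERS = {"bank": norm_bank, "phone": norm_phone,
               "email": lambda v: (v or "").strip().lower()}

def find_overlaps(staff, suppliers):
    """Return sorted (supplier_id, staff_id, field) for every shared detail."""
    index = defaultdict(set)
    for person in staff:
        for field, norm in NORMALISERS.items():
            key = norm(person.get(field))
            if key:  # never index blank values, or blanks would match blanks
                index[(field, key)].add(person["id"])
    hits = set()
    for supplier in suppliers:
        for field, norm in NORMALISERS.items():
            key = norm(supplier.get(field))
            for staff_id in index.get((field, key), ()):
                hits.add((supplier["id"], staff_id, field))
    return sorted(hits)

if __name__ == "__main__":
    for supplier_id, staff_id, field in find_overlaps(STAFF, SUPPLIERS):
        print(f"REVIEW: supplier {supplier_id} shares {field} with staff {staff_id}")
```

Treat each hit as a prompt for review by someone other than the staff member named, since a shared detail can have an innocent explanation.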