Main menu


Scam Savvy: How to protect your business from malicious "invoice fraud"

featured image

With the increasing digitization of everyday life, many New Zealand businesses have been forced to stay online in response to a surge in online fraud over the past two years.

Nearly half of all small businesses in New Zealand have been scammed, according to BNZ research, up from just 21% in 2020. And with so many scams going unreported, the scale of the problem is much bigger than we know. Clicking on scam links, opening scam attachments, or replying to scams are the main ways businesses fall victim, with 38% reporting this, up from 30% in 2020 .

“The coronavirus has forced us all online, so when the lockdown came, we were working from home. Because we spend a lot of time in , it’s about giving the bad people out there bigger tactics to focus on,” said BNZ’s chief financial officer. Crime Ashley Kai Fong.

Also, the damage caused by fraud is not only financial. As part of the fraud, businesses may experience reputational damage, workflow disruptions, or damage to their operating systems, and while the damage is difficult to quantify in monetary terms, it is just as important.

The best tool we have in fighting cybercrime is education. That’s why Newshub and his BNZ are working together to demystify the dark world of online fraud and help New Zealand businesses become ‘scam savvy’ online.

Let’s start with invoice fraud, one of the most prevalent business frauds of 2022.

What is invoice fraud?

Invoice fraud is particularly pernicious because it can exploit existing relationships between businesses and suppliers, creating a dead end where the greater the trust, the greater the likelihood of theft.

If scammers get access to your supplier’s email they can update your business invoice payment account. Make money. Depending on the sophistication of the scammer, they may even use invoice templates or logos to avoid suspicion.

“The problem with this scam is that the unwitting victim expects a bill,” says Ashley.
“They pay for the new account, but the fraud isn’t discovered until the 20th of the next month or the 20th of the month after that. and get the money back.”

How can I protect my business from invoice fraud?

Obviously, the most important detail is the bank account number. Be very careful of attempts to change the bank account you normally pay to. Of course, there are valid reasons for changing bank accounts, but always double check with a trusted contact at the supplier before making any changes.

The request may contain overly formal language, or may be worded differently than usual. Watch out for spelling errors, new email addresses, or changes in email format or tone.

If you are a relatively new supplier, call the number you already have or the number published on their website. Do not call the number that is This is true even if you have never dealt with a supplier before. Always be careful with your first payment.

“When setting up a new account for someone you’ve never traded with before, it’s always a good idea to verify the bank number,” advises Ashley.

“I was working from home the other day and had never dealt with a supplier before, so I called to verify the invoice number, just to make sure I was paying to the correct account. ”

Always verify the identity of the person you are talking to before taking any requested action, whether it is bill fraud or any other type of fraud, if in doubt.

Most scams have a sense of urgency. No one thinks for the best when they are in a rush to get something done, and scammers try to exploit that. The number one tip for fighting all scams is to slow down, take a breather and ask if there’s anything strange about the sudden request.

General tips for keeping your business scam-savvy:

  • Make sure all systems are up to date. Cybersecurity is an ever-evolving battlefield, and automating security updates ensures maximum protection.

  • Free isn’t always ‘free’: If your business uses a lot of ‘freeware’, such as copycat photo-editing software, you’re inadequately protected from scammers who exploit technology vulnerabilities may become.

  • Good old feature, but create a unique password for each device. Consider downloading a password manager that acts like a digital vault for all your passwords. Of course, this also requires a password, so make sure it’s strong. Sentences are generally optimal and easy to remember.

  • Multi-factor authentication is one of the most basic and important tools in your cybersecurity arsenal, adding an extra layer of protection across your business. Consider making it mandatory for all work devices.

If your business falls prey to fraud, contact your bank immediately, especially if money is already involved. They will do their best to recover the funds.Don’t be afraid to get the police involved. The more cybercrime goes unreported, the less we know the true extent of the problem. You can also help others by reporting any online fraud you experience to her CERT NZ.

Visit for more resources, information and even a test to see if you are familiar with the scam.

This article was produced in partnership with BNZ.

The views expressed in this article do not necessarily represent the views of BNZ or its affiliates. This article is for informational purposes only and is not intended to constitute financial advice. Please contact BNZ or your financial advisor for assistance. No party, including BNZ, accepts liability for any direct or indirect loss or damage resulting from the content of this article.