Cybercrime is an increasing threat to legitimate commerce, police say.
A small firm hacked by international scammers says businesses and banks need to be more zealous about checking payments are going into correct bank accounts.
The Wellington-based business, which works all over the country and has Christchurch connections, spoke to Stuff on the condition it remains anonymous.
“Company Z”, which handles large amounts of money, was stung by offshore cyber criminals with local connections in March 2022, when it paid two invoices with the combined being well into the six figures.
Four days later it received a call from Kiwibank to say it looked like it had been the victim of a fraud. The owner of Company Z said he was initially disbelieving.
* How I almost lost thousands after falling for email hacking scam
* $500 gone from bank account, Generate KiwiSaver member blames hack
* Australian MasterChef finalist caught in conveyancing hacker attack
* Arrest warrant out for former finance employee accused of theft
* Hamilton finance company chasing $4 million from former employee
* Hacker steals thousands from Kiwi victims using complex scam
“We have good processes in place and they had to convince me,” he said.
It turned out Company Z had been hacked, with the hackers changing the bank accounts on the invoices the company paid.
Have you fallen victim of a cyber scammed? Email email@example.com in confidence.
“What really worries me is that banks have got visibility on some of this stuff, and there must be a network of people in New Zealand who are being used by overseas criminal gangs and being used as money mules.
“They seem to operate with absolute impunity. We’ve joked that we should become full-time frauds because there are no repercussions and no-one is coming after you.”
He believes banks should check that payments to a particular named party match that party’s genuine bank account, and urged businesses to do the same.
It comes amid calls from the Banking Ombudsman for a review of bank processes and consumer protections for scams following a spike in online fraud, particularly so-called “romance” scams.
Last month MPs were told complaints to the ombudsman in the previous three months were almost double the same period last year, and the ombudsman said banks, social media companies, government agencies and police urgently needed to collaborate to tackle the issue.
The payments by Company Z to the suspicious bank accounts were spotted by ASB, which was monitoring one of the dodgy accounts. ASB traced the transfer back to Kiwibank and sounded the alarm.
The accounts were operated by two beneficiaries in Auckland, who it is believed were used by the hackers to receive the money and then transfer it.
One was elderly and did not speak English well and the other was a young woman.
The elderly man saved Company Z a lot of money. The scammers were not able to get him to transfer the money quick enough so the account was frozen and Company Z got half its money back. The other half was transferred offshore.
Company Z’s owner went to the police a few days later and filed a complaint. He was told nothing could be done, he said, but refused to accept that so went back to the police.
“I later spoke to a constable who was sympathetic but who said that although the problem was rife, the police couldn’t really do anything and only prosecuted very rarely.”
For access to bank information, police needed to get a production order (like a search warrant) and the courts would only grant them if specific information was provided, he says he was told.
Company Z then gave police more information but was again told police would not investigate.
Detective Inspector Stuart Mills, who was provided with Company Z’s complaint file number so he could provide comment, said “business email compromises” were complex to investigate.
“It can be difficult to track down these offenders, with many based overseas. The funds generally go offshore with a small window to claw them back.
“The international dimension makes it more difficult to identify offenders, as funds can travel through a number of jurisdictions.
“We recognise that our visibility around the scale of the problem, and linking related cases, needs improvement. Work is being undertaken in this space by police to enhance reporting.”
Company Z’s owner said the banks knew the identities of the local bank account holders and did not buy the excuse the case was too difficult.
He said the hackers were so sophisticated they emailed the party due to receive the payment to say it would be late due to technical issues.