Scam Savvy: How to protect your business from the pernicious 'invoice scam'

  • 29/09/2022
  • Sponsored by - BNZ

Along with the increasing digitisation of everyday life, the past two years saw many New Zealand businesses forced online to stay afloat, corresponding with a surge of online scamming. 

Research from BNZ shows nearly half of all SMEs in New Zealand have fallen victim to a scam, up from just 21 percent in 2020. With many scams going unreported, the scale of the problem is far larger than we know. Clicking on a scam link, opening a scam attachment, or replying to a scam is the main way businesses are falling victim, with 38 percent reporting this, up from 30 percent in 2020.

"COVID forced us all online, so we were working from home when the lockdowns came. What that does is it gives the bad people out there a bigger tactic to look at because we are spending so much time online," says BNZ Head of Financial Crime Ashley Kai Fong.

And the damage from scams isn't just financial: businesses may experience reputational damage, impairment in workflow or damage to operating systems as part of a scam, making the damage harder to quantify in monetary terms but just as significant.  

The best tool we have in the fight against cybercrime is education, so Newshub and BNZ have teamed up to demystify the murky world of online scams and help New Zealand businesses be 'Scam Savvy' online. 

Let's start with one of the most prevalent business scams in 2022 - the invoice scam.

What's the invoice scam?

The invoice scam is particularly pernicious because it can exploit existing relationships between your business and suppliers, creating a perverse situation where the greater the trust, the worse the potential for theft.

If a scammer gains access to the emails of your supplier, they can then update the payment account of an invoice for your business. This invoice is then sent to you to pay as normal and if paid, they make off with the money. Depending on how sophisticated the scammer is, they may even be using your invoice template and logo to try to avoid suspicion.

"The problem with the scam is that the unwitting victim is expecting the invoice," says Ashley. 
"They pay the new account and it's not until the 20th of the following month or the 20th of the month after that the scam gets uncovered. So, you're talking months down the track before it gets discovered and therefore it's extremely difficult to try and recover that money."

How can I keep my business safe from the invoice scam?

The number one detail to check is the bank account number: be very vigilant for any attempt to change the bank account you usually pay into. Of course, there are legitimate reasons for a bank account being changed, but always double-check with a trusted contact at your supplier before making the switch.

The request may use overly formal language, or it may be unusually worded: keep an eye out for spelling mistakes, new email addresses or strange formatting and tone in the email.

If it is a relatively new supplier, ensure you call them on a number you already have for them or one published on their website. Don't call the number on the invoice sheet you received because that may have been changed by the scammer. This is also true if you've never dealt with the supplier before: it always pays to be cautious on the first payment.

"When setting up a new account for anyone that you haven't dealt with before, it always pays to check the bank number," advises Ashley.

"I had work done on my house the other day and we'd never dealt with the supplier before, so I rang them to check the invoice number. Just to make sure that I was paying the right account."

Whether it's the invoice scam or any other scam, when in doubt, always verify the identity of the person you are speaking to before taking any requested action - even if on the surface they seem to be from a familiar organisation.  

With most scams there will be a sense of urgency, because no-one is thinking at their best when they're in a hurry to get something done and scammers seek to exploit that. The number one tip for combatting all scams is to slow down, take a breath and ask if there is anything strange about a request coming out of the blue - particularly when it involves payment. 

General tips to keep your business Scam Savvy:

  • Make sure all your systems are up to date. Cyber security is an ever-evolving battlefield and keeping your security updates automated will ensure you're best protected. 

  • Free isn't always 'free': If you use a lot of 'freeware' at your business, such as knock-off photo editing software, you may be less protected from scammers who can exploit vulnerabilities in the technology.

  • It's an oldie but a goodie - make unique passwords for every device. Consider downloading a password manager, which acts a little bit like a digital safe for all your passwords. Of course, this will also require a password so make it a strong one. Sentences are generally best and also easier to remember. 

  • Multi-factor authentication is one of the single most basic yet important tools in your cybersecurity arsenal, adding an extra layer of protection across the business. Consider making it mandatory on all work devices. 

If your business has fallen prey to a scam, and particularly if there is already money involved, contact your bank immediately and they will do their best to recover the funds. Don't be afraid to involve the police: the more cybercrime goes unreported, the less we know about the true extent of the problem. You can also help others by reporting any online scams you have experienced to CERT NZ.

For more resources, information and even do some tests to see how scam savvy you are, head to

This article was created in partnership with BNZ.

Any views expressed in this article do not necessarily represent the views of BNZ, or its related entities. This article is solely for information purposes and is not intended to be financial advice. If you need help, please contact BNZ or your financial adviser. No party, including BNZ, is liable for direct or indirect loss or damage resulting from the content of this article.