Online scammers go to incredible lengths as they fleece NZ company for $300,000

The government's Computer Emergency Response Team includes a cautionary tale every business should read.

Everyone's seen amateurishly executed invoicing scams.  

But the latest quarterly report from the government’s still relatively new Computer Emergency Response Team (Cert) highlights that some outfits can be extremely professional – and go to huge lengths not to raise suspicions.

Cert received a report from a small company in the retail, trade and accommodation sector, which had lost a lot of money to an invoicing scam.

The New Zealand company had a supplier in China it used regularly. Scammers had managed to get enough information about the Chinese supplier to imitate their emails, including using a very similar email address, and even copying the signature in the email, Cert says.

The scammers then sent fake invoices to the New Zealand company at a time when it was expecting to pay. As a result, the company paid the fake invoices, resulting in losses of over $300,000 (a visitor from Mars might find everything so neat that it looks suspiciously like an inside job). The case was referred to the NZ Police for investigation.

Overall, Kiwis lost $1.1 million to cybercrime between July and September, compared to the previous quarter’s $732,000.

Not much should be read into the numbers at this early stage of Cert’s existence. The increase can probably be put down to a growing awareness that the new agency exists (the 20-person Crown agency was set up late last year with a $22 million budget to cover its first four years; it’s headed by ex-deputy police commissioner Rob Pope).

Cert’s aim is to be part triage provider and part co-ordinator. When you or your company are hit by a cyber-threat, Cert won’t offer you hands-on assistance but it will give you a backgrounder on the threat you’re facing, and point you to the right government agency.

In the September quarter, Cert fielded 390 reports of incidents. Of those, Cert itself responded to 297, 78 were judged to be cybercrimes and referred to police, and 15 were deemed to be online bullying and referred to Netsafe, the approved agency for dealing with incidents that fall under the Harmful Digital Communications Act.
