Dempsey Wood is warning its customers to be on the lookout for fraudulent invoices sent in its name following a "cyber incident".
The Auckland-based civil construction firm says one of its staff members was caught out by a phishing email - that is, a message from a scammer containing a link designed to harvest personal details, including logins to various accounts.
"The compromise of this Microsoft365 account resulted in further account compromise and subsequent emails being sent from these accounts without our control, which emails may have sought to extract information from you or may have solicited payment of fraudulently-issued invoices," chief financial officer Angela Chiu said in an update to clients.
The phishing attack occurred on July 18.
The hacker was then able to log on to several Dempsey Wood accounts and send fraudulent invoices from real Dempsey Wood email addresses. Such cases typically see a real-looking invoice, but with bank payment details changed to an account controlled by cybercriminals.
"We discovered the issue on the morning of July 22 and by early the following week, we had contained the issue by following best practice from Microsoft, including the resetting of all passwords across our organisation," Chiu said in her update.
The CFO told the Herald she was unaware of any customer who had paid a fraudulent invoice.
There was no immediate explanation for why the customer alert was only sent this morning when the breach was discovered on July 22.
Chiu advises any customers who gave out personal information after receiving a fake invoice to contact their IT team or IT service provider, or ID Care - the Ministry of Justice-backed organisation that advises people who have been hit by identity theft (see links to ID Care and other agencies that can assist here).
If you do pay a fraudulent invoice by mistake, banks say to inform them as soon as possible. In February last year, a West Auckland couple paid a fake invoice for $21,000 after the company renovating their bathroom was hacked, and almost lost the money after the two banks involved initially said they had been too slow to report the incident.
"We want to assure you that we have always taken cyber security very seriously. Unfortunately, cyber incidents such as this are increasingly common and very sophisticated," Chiu said in her customer update.
"A team of forensic IT specialists are following an industry best practice response plan, working quickly to understand how this happened and exactly what personal and other information may be impacted."
The Privacy Commissioner's office had been informed (now a legal requirement for any breach, following a December 2020 update to the Privacy Act).
"Our internal systems quickly identified the issue, and we immediately engaged external cyber security experts to support our rapid response. This work includes ensuring our own system is as secure as possible going forward," Chiu said.
The latest quarterly report by the Government's Computer Emergency Response Team (CertNZ) said Kiwis are losing record amounts of money to cybercriminals, with phishing scams one of the most popular ploys.