Nigerian scammers used to take a blunt approach that relied on sending a message to millions, and hoping that one of them would believe they really had been picked to help get a multi-million inheritance out of the country.
Now online fraud tends to be a lot more sophisticated and targeted.
This story has a happy ending, but most don't, and one agency head is calling for change, saying New Zealand lacks a clear strategy for dealing with cyber scams.
Late last year, West Auckland couple Robin and Bruce Knox engaged a local company to remodel their bathroom.
Face-to-face visits were mixed with emails. It was agreed the Knoxes would pay in advance - to cover materials - for work that would begin in February.
On October 15, the bathroom company's owner emailed an invoice for a deposit of $13,836.
On October 22, Robin Knox emailed the bathroom company, saying she had accepted their quote, and would pay the $13,836 on November 2.
Up until this point, everything had been legitimate. But now events started to go south.
A few days later, on October 26, an email arrived from the bathroom company owner's address, saying his firm had switched to Kiwibank. Another email followed on November 2, with a fresh invoice for $13,896 attached, updated with details for the new account.
Robin paid on November 4, thinking nothing of it.
Another invoice followed, for $7000. It was the agreed amount for the second installment, and again Robin paid, on January 5, thinking it routine.
Then on January 11, the bathroom company contacted Robin, querying why no money had been paid. She replied that she had paid, and sent copies of the paperwork.
With creeping dread, Robin established on January 12 she and her husband had been scammed out of just under $21,000.
The change of bank account email, and the two invoices, had been sent from the bathroom company owner's real email address, but after it had been hijacked by a scammer.
What Robin did next was the correct thing: the same day (January 12) she contacted her bank, Westpac, and placed a return of funds request.
Her husband contacted Kiwibank. He was told the account in question was still active, but not whether there were any funds in it. The account was subsequently blocked. Kiwibank's advice was to work through their bank (Westpac) and police.
In the days that followed, Robin was able to tap the services of a cyber-security expert and establish that the two fraudulent invoices were associated with an Invoice2Go account called "andrewgiroud69" - a name associated with Nigerian scammers.
Robin filed a report with police on January 15, using an online form. There was no immediate response.
By January 20 the Knoxes seemed to be getting nowhere. They had still not heard back from the police. The bathroom company had suggested it was the Knoxes who had been hacked (a scenario the cyber-security expert said did not gel with events). The couple had received a phone call from Westpac, but only to say that there were no funds to retrieve and that Kiwibank's fraud team was working on it.
Robin had not initially wanted to approach media, but was eventually persuaded to by a family member, who argued a cautionary tale would at least help others to avoid the same fate.
'Not a typical outcome'
The Herald was in the process of running questions by Westpac, Kiwibank and other parties on January 28 when Robin emailed the good news: Westpac had agreed to return the funds to her account. A couple of days later, the $13,896 and $7000 were returned in full.
A Westpac spokesman said in a statement, "After thoroughly investigating their case, we're pleased to have resolved the matter to Mr and Mrs Knox's satisfaction."
Although the equivalent in funds had been returned to the Knoxes, the money had not been recovered, at that point.
"We're still working with Kiwibank to try to retrieve the funds," a Westpac spokesman said on February 2.
The Knoxes were delighted to get their money back. "It's not a typical outcome," Netsafe chief executive Martin Cocker told the Herald.
"Sometimes if the report is made fast enough to enable the bank to recover the money – then they can refund to the customer. But usually the scammers are quick to empty the accounts at the other end," Cocker said.
In the Netsafe boss's experience of many such cases, whoever made the payment is left carrying the can.
And Cocker said that in his opinion, it would be hard to hold the bathroom company legally liable.
At a time when everyone from Fisher & Paykel Appliances to NZX to the Reserve Bank to McAfee Antivirus part-owner Intel was suffering security breaches, no judge could hold a mum-and-dad small business to a higher standard.
Police could not say how many, if any, business email compromise cases had been successfully resolved since 2017.
The Herald has chronicled a number of cases recently, from the Far North District Council being duped out of $100,000 after hackers infiltrated the email system of one of its Auckland suppliers, to a retired couple left $53,000 out of pocket after making a payment on their dream home in Feilding to a scammer posing as their builder, to a certain America's Cup team tricked into sending millions to a fraudster's account.
Much of the offending happens offshore, however, making stories of arrests rare.
A police spokesman said the Knoxes' case was being investigated.
"When the matter is reported immediately, Police through working with banks, Interpol and overseas law enforcement agencies have managed to recover some of the money," he said.
"The money is most often moved through multiple overseas bank accounts in jurisdictions that have limited cooperation with New Zealand authorities, which creates barriers to both investigations and recovering the money."
Business Email Compromise scams commonly relate to the company doing business with another group and receiving an email advising their bank account has changed.
Money mules: The local players
Netsafe's Cocker said a business email compromise scam is typically executed from Nigeria or somewhere else offshore, but with the assistance of a so-called money mule - a local dupe who is paid a small amount of money to open a legitimate account, under their real name, then transfer any funds that land in that account to an offshore account.
Often funds were shuffled along a chain of multiple mules before the money ultimately landed in the account of whoever masterminded the scam.
Cocker said that while money mules were easy to identify, he was not aware of any of these bottom-of-the-food-chain offenders being prosecuted.
"Usually, they genuinely think they have been engaged by a legitimate money transfer operation." (Police requested that the Herald place an Official Information Act request for information on any arrests.)
Steep increase in business email compromise
Crown agency Cert (Computer Emergency Response Team) NZ has tracked a steep increase in the type of "business email compromise" attacks like the one that targeted the bathroom company engaged by the Knoxes.
Between July and September last year Cert NZ saw a 101 per cent increase in business email compromise attacks compared to the previous three months. The July to September attacks resulted in $944,000 direct financial loss.
It's likely that figure underplays actual losses. Some people and companies are often shy of admitting losses (though note that since December 1 last year, an update to the Privacy Act makes it compulsory to report a data breach to the Privacy Commissioner).
And others (like the Knoxes, until alerted by the Herald) are simply not aware that the 5-year-old Cert NZ exists.
As well as collating the stats, the agency acts as a kind of cyber triage unit. It can send you in the right direction for IT advice, and put you in touch with the right contacts at the police's cybercrime unit.
Overall, CERT NZ tracked a 33 per cent increase in cyber incidents last year.
"Australia is hardening itself a great deal against these cyber attacks, partly because of [its] China dispute," AUT computer science professor Dave Parry told the Herald earlier.
New Zealand, by contrast, is seen by some hackers as a "soft touch", so more hackers are looking to this side of the Tasman.
More broadly, the pandemic has seen some traditional organised crime activities dry up amid lockdowns - and some crims have turned to online fraud to fill the gap.
Conveniently, for them, this has coincided with the Covid-19 inspired remote working boom, with many relocating to home offices where cybersecurity is typically far weaker than their usual workplace.
Lurking for weeks
A hacker would exploit a security vulnerability to gain access to a business's email, but weak, guessable passwords, phishing scams (fake emails that ask for log-on details) and "credential dumps" are also common reasons for breaches.
An example of a credential dump is the incident - revealed in 2016 - that saw 117 million LinkedIn emails and passwords stolen. Online thieves buy such lists, figuring - correctly - that quite a few people use the same password for multiple services.
There are also a number of so-called "spoofing" tools that allow hackers to imitate a company's email address, or a close variant.
Or the simplest of tactics can be employed, such as registering an email address that's the same as a legitimate company, bar a single letter - the jape that cost TeamNZ $2.8 million in what became a very high-profile invoicing scam.
The bottom line is that there are many ways in.
"Once an attacker gains access to your business email, they can use it to send emails pretending to be from your business to trick your contacts into sharing personal and financial information," Cert NZ incident response manager Nadia Yousef said.
"These scams often play out over weeks or months, with attackers watching emails being sent from the business' account and looking out for invoices. When invoices for large sums are sent, they'll change the bank account details so invoice amounts are being paid into the scammers' account, instead of to the business.
"A common tactic is emailing the customer advising them that the business has got new banking details."
In some circumstances, it is possible to get your money back if the activity is picked up immediately, Yousef said.
"Cert NZ works closely with police on these sorts of incidents and, in some cases, payments have been reversed and not made it to the attacker's account.
"The key thing is to act fast. If you've been affected by this type of scam, or something doesn't feel quite right, contact Cert NZ, the Police or your bank immediately. If caught quickly enough, in some cases we can work together to freeze an outgoing payment and investigate whether it is legitimate."
'NZ doesn't have a clear strategy'
"New Zealand doesn't have a clear strategy for fighting scams," Cocker told the Herald.
"We have a lot of agencies doing a lot of stuff; a lot of good stuff, but one of them needs to take a lead role," he said.
Although it touches on cybersecurity, Netsafe's main role is in cyberbullying as the lead agency for the Harmful Digital Communications Act.
Small businesses are constantly exhorted to embrace online technologies, Cocker said, but many are understandably wary about the risks, and what happens when things go wrong. They needed more education, and more help when things went south (remember that the Knoxes did not even know Cert NZ existed until alerted by the Herald).
And once they did get into the system, victims like the Knoxes often had an impersonal experience, the Netsafe boss said. They filled in online forms and were sent auto-responses.
Robin Knox shared an email sent by the police's Cybercrime unit that said their case had been referred to their local police district, which offered a laundry list of reasons why it might not be prioritised, including "the loss involved; whether there are single or multiple victims; the police resource required to investigate; the credibility of the evidence provided; and whether there is a reasonable prospect of conviction."
After hearing nothing for a fortnight, the Knoxes phoned the police. There was no update.
"There's a lot of scope for investing for better interventions," Cocker said.
"The Australians made some significant investments in fighting cybercrime across multiple agencies and are starting to see real progress," Cocker said.
Transtasman cybersecurity spending gap
Over the past 12 months, a gulf has opened up between Australia and New Zealand in new cyber-security spending. The quick take: The Aussies are adding billions to their cyber-defence budgets, while here the increase can be measured in single-digit millions.
Last June, Australian Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country's public and private networks against hackers - such as the unnamed "sophisticated state actor" that launched a massive attack on government agencies and private businesses that month.
Some pundits fingered China as the state actor. Morrison did not name any specific country.
His 10-year funding plan includes A$470m that will be used to create more than 500 new jobs within the Australian Signals Directorate, the agency responsible for repelling cyber attacks. That will take its total staff to around 2500.
Asked about NZ cybersecurity spending in the wake of Morrison's announcement, then Communications Minister Kris Faafoi pointed to the creation of Cert NZ, which was set up in 2016 (under the National-led Government of the time) with a $22.2m budget. Faafoi said the agency's budget was increased by $9.3m over four years in Budget 2019.
"Also in Budget 2019, the Government allocated $8m over the next four years to help implement Cyber Security Strategy," he said.
What has that $8m yielded so far?
"Initiatives making use of these funds will be announced as they are being implemented," Faafoi said.
Faafoi added that the GCSB's NCSC unit is "in the process of scaling up the availability of one of those defence capabilities, Malware Free Networks, to a much broader range of organisations."
The NCSC's staff are all within the GCSB's total headcount of around 500.
Budget 2020 included $146m over four years for the intelligence agencies, that is, the domestic-focused NZSIS and the GCSB. That works out to $36.5m per year.
An NZ intelligence community spokesman would not say how much of that annual budget was devoted to cybersecurity, however, at a time when areas like the terror threat were also an increasing focus, post-Christchurch.
"To give specific amounts allocated to particular functions as that may give adversaries an indication of our capability in any one area," he said.
Under one roof - literally
It's not just a budget gap. Australia also seems to have a more tight-knit approach.
During a September Transtasman Business Circle virtual, one of that country's top cybercops detailed the different way they do things across the Tasman.
"Within Australia, the biggest step we've taken is the Australian Cyber Security Centre. It's quite a unique beast. I've spent a lot of time travelling around the world talking to people in cyber crime and cyber security and it's the only one I know where we've literally got everyone in the same building," detective superintendent Brad Marden said.
"You've got the government Cert [Computer Emergency Response Team] capability, the incident response capability from ASD [the Australian Signals Directorate or equivalent of NZ's GCSB]; we've got the Australian Criminal Intelligence Commission [ACIC] providing criminal intelligence; we've got the AFP [Australian Federal Police] providing law enforcement response; you've got ASD's counter-cybercrime capability. Possibly more uniquely, we've got our Home Affairs cyber policy people in the same building as all of the operational agencies - getting realtime access to what's happening in the world," he said.
"So when we were redrafting the cyber security strategy here, I had people from Home Affairs popping into my office and asking questions about the policy changes that they were making, live. It's a unique opportunity. It's a one-stop shop for cyber.
"When a crime's reported, the incident response people can look at it. They can help the victim triage. We can then send it down to Cyber Crime so my guys can investigate it, ACIC can take some of the information and look at it in relation to operational intelligence, feeding up to government for strategic situations - or, we may decide there's nothing we can do from a law enforcement perspective and hand it over to ASD and they can use some of their powers. We can work with telcos and other agencies to turn off problems. It's quite a unique setup and it's working pretty well."
Marden went on to detail successes including the September arrest of two men in Sydney over a phishing scam.
Avoiding business email compromise
Cert NZ has a number of tech suggestions (see bullet points below).
But the agency's director, Rob Pope, has low-tech advice for avoiding the most common threat posed by hijacked business email accounts, fake invoices sent from real email addresses: pick up the phone.
If you're suspicious about any request for money, or request to send funds to a different bank account, call the business concerned to double-check it actually came from them, not a fraudster. Use the number on their website, not the one on the invoice.
"Just pause and think about this before you act. It's very easy in the electronic age just to assume it's coming from business ABC, I've already got some outstanding money owing to them, I'll just push the button. Just pause and think," Pope told the Herald.
"New Zealand's a very trusting society. Within business transactions, people put a lot of trust in email and electronic invoicing these days, so they are used in day-to-day operations. So it is a question of having a qualified trust now."
NortonLifeLock senior director Mark Gorrie said, "Consumers need to look for bad grammar and spelling mistakes. They should also be very suspicious of notices that bank account details have changed, or that an international transfer is needed. These should all be red flags."
He added, "Not every business can afford dedicated IT professionals, so at the least protect all your devices with a comprehensive, reputable brand of cybersecurity software – including company smartphones.
"Next ensure you are using a password manager. These come prebuilt into good security software and shouldn't cost you more. Turn on two-factor authentication on your business accounts such as Office 365.
"Educating staff is one of the more overlooked and critical ways for a business to protect itself. Employees are often very well-meaning weak links when it comes to security. Helping them understand how to recognise spam and phishing emails is a great first step."
Cert NZ's tips for avoiding invoice scams:
• Add an extra layer of security to email accounts with two-factor authentication (2FA) such as a code that's sent to a cellphone to verify a new log-on to an account
• Use long and unique passwords on all accounts. Change them often. Encourage staff to use a password manager to help them remember all their passwords.
• Don't give out personal information online, whether on social media or by email. It can help cyber-scammers answer your security questions
• Verify payments with an SMS or call to the person or business who sent you the invoice.
• If you are hit by a scam, the key thing is to act fast. If you've been affected by this type of scam, or something doesn't feel quite right, contact CERT NZ, the Police or your bank immediately. If caught quickly enough, in some cases we can work together to freeze an outgoing payment and investigate whether it is legitimate.
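
The "verify payments" advice can be backed by an automatic hold in an accounts-payable step. The Python below is an added example, not code from Cert NZ or the Herald; the supplier record, domains, account numbers and function names are constructed for illustration. It flags both the one-letter lookalike domain and the case the Knoxes hit, where the invoice comes from the supplier's real, hijacked address and only the bank account has changed.

```python
# Added example: supplier record, domains and account numbers are constructed.
import re
from dataclasses import dataclass


@dataclass
class Supplier:
    email_domain: str   # domain the supplier has always emailed from
    bank_account: str   # account confirmed by phone or in person


@dataclass
class Invoice:
    sender: str         # From: address on the invoice email
    bank_account: str   # account printed on the invoice


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digits(account: str) -> str:
    """Compare accounts on digits only, so spacing and dashes do not matter."""
    return re.sub(r"\D", "", account)


def review_invoice(inv: Invoice, supplier: Supplier) -> list[str]:
    """Return reasons to hold payment; an empty list means nothing was flagged."""
    reasons = []
    domain = inv.sender.rsplit("@", 1)[-1].strip().lower()
    known = supplier.email_domain.lower()
    if domain != known:
        # One character off the real domain is the lookalike trick.
        close = edit_distance(domain, known) == 1
        reasons.append("LOOKALIKE_DOMAIN" if close else "UNKNOWN_DOMAIN")
    if digits(inv.bank_account) != digits(supplier.bank_account):
        # Raised even when the sender is genuine: a hijacked mailbox
        # passes every sender check, so the account change is the signal.
        reasons.append("ACCOUNT_CHANGED")
    return reasons


SUPPLIER = Supplier("bathrooms.example", "00-0000-0000001-00")

# Constructed cases: a routine invoice, a hijacked real mailbox with
# new bank details, and a one-letter lookalike domain.
ROUTINE = Invoice("owner@bathrooms.example", "00 0000 0000001 00")
HIJACKED = Invoice("owner@bathrooms.example", "00-0000-0000002-00")
LOOKALIKE = Invoice("owner@bathroms.example", "00-0000-0000002-00")

if __name__ == "__main__":
    for label, inv in [("routine", ROUTINE), ("hijacked", HIJACKED), ("lookalike", LOOKALIKE)]:
        print(label, review_invoice(inv, SUPPLIER) or "no flags")
```

Any flag means the payment waits until someone has phoned the supplier on the number from its website, not the one on the invoice.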