The Far North District Council has ramped up its cyber security systems after being scammed out of just over $100,000 by computer hackers.
The cyber-attack occurred last December, when the email account of one of its Auckland-based suppliers was hacked and the council received a request to change the supplier's bank account details.
The council implemented the change and paid $100,600.30 into the fraudulent bank account over the holiday period.
The scam was reported to police, who say they are still investigating.
Council corporate services general manager Will Taylor said that, fortunately, the funds were recovered in full.
"Due to early notification by the supplier and quick follow-up by staff, the bank was able to reverse the payment and the funds were recovered in full," he said.
"We have since added extra measures to our verification process and these will significantly reduce the likelihood of this type of fraud occurring again."
Details of the fraud were highlighted in the council's June 17 Audit Risk and Finance Committee agenda following a "fraud lessons learned" report which was presented to the committee on February 12.
The purpose of the report was to seek approval from councillors to provide a response to the NZ Audit fraud questionnaire.
The questionnaire said the incident was reported to police who opened an investigation.
A police spokesman confirmed police received a fraud complaint in January in relation to a "business email compromise scam" involving the Far North District Council.
"The matter has been under investigation and police continue to make inquiries into this case."
Police encourage companies and individuals to check the email address and ensure payment details are correct by phoning the supplier before transferring funds.
Cert NZ works to support businesses, organisations and individuals affected by cyber security incidents.
Director Rob Pope said the organisation regularly receives reports about business emails being compromised by scammers who have issued invoices with false bank account information to their customers.
"This can result in both financial loss and reputational risk for a business.
"These scams often play out over weeks or months, with scammers watching emails being sent from the business account and looking out for invoices.
"When invoices for large sums are sent, they'll change the bank account details so invoice amounts are being paid into the scammers' account, instead of to the business."
Scammers get access to business emails in a number of ways, Pope said, including guessing or "cracking" weak account passwords.
Cert NZ recommends using long, strong and unique passwords on all accounts, and adding an extra layer of security with two-factor authentication.
The organisation also recommended calling the supplier to confirm account details.
"They should also do this if they have received communications about new payment details from existing suppliers," Pope said.
Taylor said the sophistication of hackers increases year-on-year and all organisations must continually raise their game.
"The fraud committed against the council was thoroughly investigated and lessons were learned," he said.
"Like all organisations, we cannot afford to be complacent – hackers and scam merchants are continually upping their game and we are working to stay one step ahead of them."