Kiwi tradespeople are being urged to be vigilant following rising losses linked to business email compromise scams.

Figures from Netsafe show the amount of money reported being lost to the scams has rocketed up from $246,000 in the first nine months of last year to $2.2 million in the same period this year.

The scam involves a person hacking into the email systems of a company and sending out altered invoices to clients with new account details which trick the payer into sending the money to a fraudster.

Globally the FBI estimates business email compromises are costing US$10 million a day.


Bronwyn Groot, fraud education manager at the Commission for Financial Capability, said she had seen three cases of it in the last week alone and most were happening between tradespeople and their clients.

Groot said in one case a man sent $35,000 to the company who was building his house - only to find the money had been siphoned to an offshore account.

"He'd been tricked because he'd received an initial invoice from the company, but then another asking him to hold off paying because the company was being audited.

"A subsequent email followed saying the audit company had asked them to open a new account and could he send the money there instead."

Groot said the second email and invoice looked the same as the original.

"It was only when the builder rang to query why the money hadn't been paid that they discovered the scam."

In another case a woman who was building her first home lost $25,000 in the same way.

Groot said she managed to trace the money to an elderly man who had been caught out in a romance scam and was very upset to find he had unwittingly sent the woman's money to fraudsters.

"Businesses need to have better controls in place."

Groot said builders should consider putting a clause in their contract saying that if a client is notified about an account change they should contact the company to confirm it as well as giving warnings to clients about the scam.

"The trouble with addressing this type of scam is that neither the companies involved nor the banks want to claim responsibility.

"The companies don't necessarily accept that their email has been hacked, saying the hack must have happened to the client's email."

Groot said banks could also do more by matching account names with account numbers so mismatches are not processed.

Her warnings come at the start of Fraud Awareness week.

Earlier this year Banking Ombudsman Nicola Sladden warned that scammers were targeting home deposits through real estate agents and lawyers.

In July Sladden told the Herald real estate agents and lawyers are being targeted in a sophisticated "invoice scam" in which people hack into the email of those companies and then send out legitimate-looking invoices.

Instead of the invoice having the bank account of the law firm or real estate agent it is replaced by a scammer's account number and the money goes straight to them.

"We are getting lots of queries about it over the phone lines and banks are also saying they are seeing it."

The Real Estate Institute of New Zealand put out a warning to its members and the Law Society reiterated a previous warning to its members urging lawyers to be vigilant.

ANZ bank also warned its customers after a woman in Morrinsville lost her $28,500 deposit after she was sent bank account details by what she thought was the real estate agent who was managing the listing.

It turned out later the email came from a scammer.

The woman only managed to complete the house purchase after another real estate company, who she had also been dealing with, stepped up and paid the deposit.


• Be cautious when making payments to bank accounts that you have not paid before.
• Making a call to the company's registered address to verify their bank account number is recommended.
• Examine sender details carefully, watching for similar domain names or characters that have been swapped for other letters.
• Be wary of last minute changes to payment instructions, especially if made outside normal business hours.
•For business owners, ensure staff handling payments are trained to recognise suspicious emails.
Source: ANZ Bank