A retired couple have been left $53,000 out of pocket after they made a payment on their dream home - only to find the invoice they thought their builder had sent was in fact from a scammer.
Ross and Judy Charlton had hoped to move into their new Feilding home debt-free this week, but will now have to pay off a mortgage while living off government superannuation.
"We were going to retire with a new house and car. Now we have a $20k mortgage and that basically leaves us with not much money at all."
GJ Gardner began work on the couple's new house in February, and in early April the couple received the first invoice purporting to be from the company, for $53,000 with seven days to pay.
A reminder email the next day asked that the invoice be paid as soon as possible, but turned out to be from a scammer posing as a GJ Gardner employee.
Despite feeling the second email was "a bit cheeky", Ross Charlton urged his wife to pay the money.
The Charltons paid through online banking. They got a confirmation email from from the scammer, thanking them for the payment and even expressed sympathy for Ross, who had been receiving hospital treatment for a blood clot in his leg after having pneumonia.
The Charltons received a second invoice in mid-April, for the frame up payment, and paid the same day through online banking.
But when their bank, Westpac, rang to query the transaction - which was for another $53,000 - the couple contacted GJ Gardner by phone, only to find their first and second payments had not gone to the company.
They managed to cancel the second payment through their bank, but their hearts sank after they were told the first payment had gone into an ASB account and was probably gone if the money had been sent offshore.
"We immediately contacted Westpac bank and had the payment made on the 16th April reversed," said Ross Charlton. "The Hawera bank manager contacted Westpac fraud and told us the money paid on the 4th April had gone to an ASB account and if the money had gone overseas, specifically to Africa or an Eastern bloc country, there was little they could do. We also informed the police what had happened."
Judy Charlton said police had since told them the the money went into the ASB account of a woman in Whangarei who banked $3000 and then transferred the remaining $50,000 into two Australian accounts.
A police spokeswoman said it was aware of this invoice scam, an investigation was underway and enquiries were ongoing.
But the situation has left the couple feeling bitter towards their building company.
The Charltons believe GJ Gardner's Manawatu franchise, which is run under the company Palmer & Low Construction, had its email hacked and should take some responsibility for the scam.
"I think they have got some moral responsibility," Judy Charlton said.
But franchise owner Trevor Low said the scam had nothing to do with Palmer & Low Construction and blamed it on the Charltons. "In fact, it was the client's email account that was hacked, which they confirmed to us," Low claimed.
"We use a professional, external IT service provider which has strict security protocols in place and, after we made them aware of this incident, they thoroughly reviewed our system and have no concerns about its integrity or security."
Judy Charlton said straight after discovering the scam they checked with their internet provider Spark, which told them it was not a problem with their email.
She said they had received emailed invoices from other companies and none of those had been targeted by the scammer.
Low said it was very unfortunate the couple were defrauded and said the company had referred this matter to the police. "It is undoubtedly stressful for them to have been the victim of a scam and their bank made arrangements to cover the shortfall.
"We do have every sympathy for the Charltons and are happy to talk them personally if they have any further concerns."
Sean Lyons, director of education and engagement at Netsafe, said it was possible that either party could have had their email hacked and the only way to find out would be through a forensic examination.
But he said it was more important to focus on the person who did wrong - the originator of the scam.
"I completely empathise with the parties - that both are saying it is not me.
"But neither party was trying to scam each other."
Lyons said it was up to police to decide whether a crime had been committed and whether any prosecution would be made.
Lyons said the scam may have used a money "mule" in New Zealand - a person who allowed someone to transfer money into their account for a fee, in exchange for sending the money elsewhere.
He said there could be up to three or four money mules involved in moving the money around different countries and finally get it out of the banking system and into cash, where it could be transferred to the perpetrator.
If that had already happened, the odds of getting the money back were not high, he said.
Lyons said it was a difficult scam to be wary of. "What you are saying, to some degree, is trust no one."
But he urged anyone transferring a significant amount of money into an account for the first time to stop and check the details by calling the company.
"Ring and check if the account number is correct. If they say it is not our email, not our invoice don't pay it. That is people's only defence."
A spokesman for Westpac New Zealand said it was unable to comment on individual customers for privacy reasons, but protecting customers from scams was something it took very seriously.
"For this reason, we advise customers to verify bank account details before making large payments.
"A good way to do this is by telephoning the recipient. Where customers have authorised a transaction themselves to a fraudulent party, we will try to recover funds on their behalf where that is still possible."
The spokesman said that in general, payments were processed using an account number, not the payee name.
He said technical constraints and issues with privacy and confidentiality meant that banks were unable to let other banks have access to their customer information and infrastructure to allow account numbers and account holder details to be matched before payment.
"The main purpose of entering a payee name is so the account name shows up in the depositor's records so they know where the funds have gone."
Last month Banking Ombudsman Nicola Sladden warned of a scam targeting home buyers which tricks them into paying their deposit money to fraudsters instead of a legitimate trust account.
Sladden said real estate agents and lawyers were being targeted in a sophisticated "invoice scam" in which people hack into the email of those companies and then send out legitimate-looking invoices.
Instead of the invoice having the bank account of the law firm or real estate agent, it is replaced by a scammer's account number and the money goes straight to them.
The real estate industry body REINZ and the Law Society have sent out warnings to their members.
How does an invoice scam work?
Sean Lyons, Netsafe's director of education and engagement, says it sees invoice scams "all too commonly."
In the first six months of last year it had 37 reported cases of invoice scams - but in the first six months of this year it jumped to 110.
Kiwis lost over $865,000 just in the first half of this year on this type of scam, up from $159,000 in the same period last year.
According to a warning on Netsafe's website an invoice scam occurs when a fraudster sends someone an invoice for goods or services they haven't requested or received.
This could be either a paper invoice or an email that looks like it has come from a legitimate business.
"Often these scammers target the office administration or accounts functions of a business and will attempt to intimidate by threatening legal action.
"They may also request changes be made to the usual billing arrangements."
It says there are also some instances where scammers have hacked systems or emails to intercept information about legitimate payments.
"The scammers then impersonate the legitimate organisation that the payment is meant to be going to.
"They will contact the person/organisation that is meant to be making the payment and give fake bank account or payment details."
Netsafe says these types of scams can be difficult to detect and it encourages anyone who is making a large payment to double check with the source that the payment details are correct.
How can you avoid the scam?
• Be on the lookout for invoices for goods or services that you didn't order or a call from someone claiming to be your regular supplier.
• If you notice a supplier's usual bank account details have changed, call them to confirm that the invoice is legitimate.
• Make sure you call the supplier using the phone number you have on file, or look it up on their website or in the phone book.
• Don't call the telephone number on the email or invoice, as this will likely be the scammers' phone number.
• If you are making a large payment, double check with the source that you have the correct payment details.
• Always confirm if goods or services have been requested and received before paying an invoice e.g. use a purchase order number system or confirming with employees.
• Limit the number of people in your business who are authorised to make orders or pay invoices.
• Immediately cut contact with scammers who attempt to bully or intimidate you.
• If the bank account looks like it's an overseas bank account, or you have any suspicions about the payment details sent to you, investigate further.