Company falls victim to international cybercriminals using local people as financial mules

Australia has been the target of increased computer attacks by a foreign entity.

Australia has been the target of increased computer attacks by a foreign entity.

A small business hacked by international scammers says companies and banks need to be more diligent in verifying that payments are going to the correct bank accounts.

The Wellington-based company, which works across the country and has connections to Christchurch, spoke to Things provided you remain anonymous.

“Company Z”, which handles large sums of money, was stung by offshore cybercriminals with local connections in March 2022, when it paid two bills, the total of which was well into the six figures.

Four days later, Kiwibank received a call saying it appeared to have been the victim of fraud. The owner of Company Z said he was initially in disbelief.

* How I almost lost thousands after falling for an email hacking scam
* $500 disappeared from bank account, Generate KiwiSaver member blames hack
* Australian MasterChef finalist caught in hacker attack
* Arrest warrant for former finance employee accused of theft
* Hamilton’s finance company claims $4million from ex-employee
* Hacker robs thousands of Kiwi victims using complex scam

“We have good processes in place and they had to convince me,” he said.

It turned out that Company Z had been hacked, with the hackers modifying bank accounts on invoices paid by the company.

Have you been the victim of a cyber scam? Email [email protected] confidentially.

“What really worries me is that the banks have visibility into some of these things, and there must be a network of people in New Zealand who are being used by criminal gangs overseas and used as financial mules.

“They seem to operate with impunity. We joked that we should become full-time cheats because there are no repercussions and no one comes after you.

He thinks banks should verify that payments to a particular named party match that party’s real bank account, and urged companies to do the same.

It comes amid calls from the Banking Ombudsman for a review of banking processes and consumer protections from scams following a spike in online fraud, particularly so-called ‘romance scams’.

Hackers constantly search the web for vulnerable companies.


Hackers constantly search the web for vulnerable companies.

Last month MPs were told that complaints to the Ombudsman in the previous three months were almost double the same period last year, and the Ombudsman said that banks, social media companies, Government agencies and the police needed to work together urgently to solve the problem.

Company Z’s payments to the suspicious bank accounts were spotted by ASB, which was monitoring one of the questionable accounts. ASB traced the transfer to Kiwibank and sounded the alarm.

The accounts were operated by two payees in Auckland, who were allegedly used by the hackers to receive the money and then transfer it.

One was old and didn’t speak English well and the other was a young woman.

The old man saved Company Z a lot of money. The scammers couldn’t get him to transfer the money fast enough, so the account was frozen and Company Z got half of his money back. The other half was transferred abroad.

The owner of Company Z went to the police a few days later and filed a complaint. He was told nothing could be done, he said, but he refused to accept this and so went back to the police.

“I later spoke to a constable who was friendly but said that although the problem was widespread there was really nothing the police could do and very rarely pursued.”

To access bank information, police had to obtain a production order (like a search warrant) and courts would only grant it if specific information was provided, he says.

Company Z then gave the police more information, but was again told that the police would not investigate.

Lines of code are a hacker's friend when it comes to scamming business.


Lines of code are a hacker’s friend when it comes to scamming business.

Detective Inspector Stuart Mills, who was given Company Z’s complaint case number so he could provide comment, said the “professional courier compromises” were complex to investigate.

“Tracking these offenders, many of whom are based overseas, can be difficult. The funds usually go overseas with a small window to get them back.

“The international dimension makes it more difficult to identify offenders, because the funds can pass through several jurisdictions.

“We recognize that our visibility into the scope of the problem and the linking of related cases needs to be improved. Work is being undertaken in this area by the police to improve reporting.

The owner of Company Z said the banks knew the identities of the local bank account holders and did not buy into the excuse that the case was too difficult.

He said the hackers were so sophisticated that they emailed the party that was to receive the payment saying it would be late due to technical issues.