A friend of mine, who is the internal accountant at a charitable organisation, recently almost fell for a scam email. It looked to be from the CEO and had an invoice that needed paying. Thankfully, he noticed that the way the email was signed off was different from normal. He checked with the CEO and found the email never came from him. It was a scam.
Recent media reports have revealed that New Zealanders are increasingly being targeted by overseas criminal syndicates for scams. Authorities estimate that cybercrime is now costing New Zealand individuals and businesses $400 million to $500 million every year.
But even with this rapidly growing problem, a surprisingly large number of government departments and businesses are making a simple website mistake that is significantly increasing the risk to themselves and their customers of being targeted in a scam.
Thanks to scammers bombarding us over the years, people have heightened awareness of some of the more obvious scams.
We’ve all received emails purportedly from PayPal or a bank informing us that we need to log in to check something – by simply clicking the “Login” button in the email. We’re wise enough, however, to know that, while the email may look legitimate at first glance, the link won’t take us to the proper site. Inspecting the link may well reveal that it directs to something like paypal.com.xyzltd.com/login – a simple enough swindle to spot for those who are remotely tech savvy.
But where medium and large organisations can be vulnerable is simply our reliance on email.
Like with my friend’s situation, the accounts department receives an email from the CEO with an invoice he has received.
“I’ve agreed with XYZ supplier that we’ll pay this invoice immediately. Can you please arrange for it to be processed by tomorrow?” the CEO says in the email. Only in this situation the accounts person fires back a quick email asking a clarifying question. The CEO then replies, and the accounts team get the invoice loaded and paid.
Little did the accounts team know that the “CEO” sending the emails was actually a scammer.
Alternatively, an accounts person receives an email from a manager in their company saying, “XYZ supplier have been in touch with me this morning to say they’ve changed banks and would like us to make payment to their new account this month please. I phoned back to confirm, and Jenny in accounts confirmed it. See her email below with the new bank account number.”
Again, this type of scam email could dupe even the most attentive accounts person and the scammers would end up receiving the invoice payments instead of the legitimate creditor.
The one trick to making this possible is that the scammer needs to purchase a domain name that looks very similar to the real domain. This enables them to send and receive emails from that domain, enabling them to reply to the question from the accounts team.
For example, if you worked at Waikato DHB and received an email from an address at waikatodhb.nz, you probably wouldn’t think twice. But, at the time of writing, the domain waikatodhb.nz is not owned by Waikato DHB at all. The same is true of reservebank.co.nz.
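The two tricks described above, a brand name under a different top-level domain (waikatodhb.nz versus waikatodhb.co.nz) and a brand name used as a subdomain prefix (paypal.com.xyzltd.com), are both easy for a mail gateway to flag once it knows which domains the organisation actually owns. The following script is an added example and is not code from the article or from any of the organisations it names; the domain list, the executive names and the sample From: headers are constructed for illustration, and the short list of .nz second-level suffixes is an assumption that a production system would replace with the Public Suffix List.

```python
"""Flag inbound From: domains that impersonate an organisation's own domains.

Added example, not from the original article. All domains, names and
sample headers are constructed for illustration.
"""
from email.utils import parseaddr
from typing import Set, Tuple

# Second-level suffixes under which the registrable name is the third label.
# Assumption: a hand-picked subset of the .nz namespace; use the Public
# Suffix List in production.
MULTI_LABEL_SUFFIXES = {"co.nz", "org.nz", "govt.nz", "net.nz", "geek.nz", "ac.nz"}


def split_domain(host: str) -> Tuple[str, str]:
    """Return (brand_label, public_suffix) for a hostname, lowercased.

    'mail.waikatodhb.co.nz' -> ('waikatodhb', 'co.nz')
    'waikatodhb.nz'         -> ('waikatodhb', 'nz')
    'paypal.com.xyzltd.com' -> ('xyzltd', 'com')
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return "", host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, own_domains: Set[str]) -> str:
    """Classify the From: domain relative to the organisation's own domains.

    Returns 'internal', 'lookalike-tld', 'lookalike-prefix',
    'lookalike-typo' or 'external'.
    """
    _, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not host:
        return "external"  # nothing parsable; leave to other controls
    own = {d.lower() for d in own_domains}
    # Exact own domain, or a host underneath it, is genuinely internal.
    if any(host == d or host.endswith("." + d) for d in own):
        return "internal"
    brand, _suffix = split_domain(host)
    own_brands = {split_domain(d)[0] for d in own}
    # Same brand label under another TLD: waikatodhb.nz vs waikatodhb.co.nz
    if brand in own_brands:
        return "lookalike-tld"
    # Own domain buried as a subdomain prefix: paypal.com.xyzltd.com
    if any(host.startswith(d + ".") for d in own):
        return "lookalike-prefix"
    # One-character variation of the brand label: walkatodhb vs waikatodhb
    if any(edit_distance(brand, ob) == 1 for ob in own_brands):
        return "lookalike-typo"
    return "external"


def flag_message(from_header: str, own_domains: Set[str],
                 executive_names: Set[str]) -> Tuple[str, bool]:
    """Return (domain verdict, True if an executive's display name is used
    from a domain that is not the organisation's own)."""
    name, _ = parseaddr(from_header)
    verdict = classify_sender(from_header, own_domains)
    impersonates_exec = (
        verdict != "internal"
        and name.strip().lower() in {n.lower() for n in executive_names}
    )
    return verdict, impersonates_exec


if __name__ == "__main__":
    # Constructed sample: one organisation, three inbound headers.
    OWN = {"waikatodhb.co.nz"}
    EXECS = {"Jane Doe"}
    for hdr in ("Jane Doe <jane@waikatodhb.nz>",
                "it@mail.waikatodhb.co.nz",
                "PayPal <service@paypal.com.xyzltd.com>"):
        print(hdr, "->", flag_message(hdr, OWN | {"paypal.com"}, EXECS))
```

The first check (exact own domain or a host beneath it) must run before the lookalike checks, otherwise the organisation's own mail servers would be flagged as "lookalike-tld". A hit on `lookalike-tld` plus an executive's display name is exactly the CEO-invoice pattern the article describes, and is worth routing to a quarantine or a visible banner rather than silently dropping, since a missed registration of your own .nz variant is the usual root cause.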
Government departments aren’t the only ones making this mistake. Many New Zealand businesses are in the same boat.
Instead of targeting your company directly with this approach, a scammer could email your clients, pretending to be you, and let them know your bank account number has changed. How would they know who your clients are? Simply by first emailing the accounts person on your team, pretending to be the manager/owner with the request, “Can you send me a full list of our accounts receivable? Preferably in an Excel file please”.
The good news is there’s one easy step to prevent this particular type of scam: Buy the “.nz” versions of your domain names, and other main versions that are available.
There are, of course, a myriad of domain endings nowadays – we call these “top level domains” or “TLDs” for short. We have the traditional ones of .co.nz, .org.nz, .govt.nz and the less common .net.nz. Plus the new ones like .nz, .kiwi, .geek.nz and more.
Unless you’re an enormous business, like Google, there is no point registering all of the domain names that could contain your organisation name. However, owning the .co.nz and .nz domains for your brand is an essential foundation for protecting your organisation from being an easy target of these types of scams.
.nz domain names can be registered by anyone in the world, making it easy for overseas syndicates to purchase them. So, if the .nz version of your domain name is available, and you haven’t registered it yet, take action today. It costs just a few dollars per year and, alongside protecting your brand, can help protect you from these types of scams too.