Consumer Protection and cloud accounting software company Xero are advising New Zealand business owners to review their email account security following a fraudulent invoice scam.

Sending invoices via email has quickly become a common way of requesting payment for many New Zealand businesses, but it has also opened up a whole new field for scammers looking for easy targets.

A recent scam in operation targets insecure business email accounts: the scammers break into the account and access invoices in the ‘Sent’ items folder. The scammer can then easily copy an invoice and change details such as the payment bank account number. They then resend the altered invoice from the compromised email account to the customer, asking them to make payment to the new bank account.

Once payment is made to the scammer’s account the money can quickly be moved offshore where the funds become increasingly difficult to retrieve.

In recent months the New Zealand building sector has been affected by this scam, but other industries should stay alert too.

You can keep your business email account safe by following these steps:

  • Use two-factor (2FA) or multi-factor (MFA) account authentication. 2FA/MFA adds another layer of security that prevents an attacker from gaining access to your email account even if they somehow obtain your password. This significantly reduces the risk of account compromise.

  • Ask your customers to check with you first by phone or in person if they ever receive an invoice with a new payment bank account number.

  • If a customer has made payment to a fraudulent bank account, advise them to contact their bank immediately and report this, making sure it's escalated to the bank's fraud team.

  • Xero customers can also raise a support request via and should include the payment bank account number from the fraudulent invoice. Xero has procedures in place with the fraud teams of NZ banks to notify them of accounts being used for fraud.
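The customer-side check in the steps above (treat any invoice carrying a new bank account number as unverified until confirmed by phone or in person) can be automated in an accounts-payable workflow. The following is an added example, not code from the advisory, Consumer Protection or Xero: it keeps a register of payee accounts that have been verified out of band, flags invoices that name an account not on that register, and separately flags an invoice number that is re-sent with a different account from the one it first carried, which is exactly the pattern described above (an invoice copied from the ‘Sent’ folder and altered). Vendor names, invoice numbers and account numbers below are constructed placeholders.

```python
"""Payee-account change check for emailed invoices.

Added example (not part of the Consumer Protection / Xero advisory).
All vendor, invoice and account values are constructed sample data; the
account numbers are placeholders in NZ bank-branch-account-suffix layout,
not real accounts.
"""
from dataclasses import dataclass, field


def normalise_account(acct: str) -> str:
    # Compare only the digits so "12-3456-0789012-00" and "12 3456 0789012 00"
    # are recognised as the same account.
    return "".join(ch for ch in acct if ch.isdigit())


@dataclass
class Invoice:
    vendor: str
    invoice_no: str
    account: str
    amount: float


@dataclass
class PayeeRegistry:
    # vendor -> set of normalised account numbers confirmed by phone / in person
    verified: dict = field(default_factory=dict)
    # (vendor, invoice_no) -> account number the invoice carried when first received
    seen_invoices: dict = field(default_factory=dict)

    def add_verified(self, vendor: str, account: str) -> None:
        # Only record an account here after confirming it with the supplier
        # through a channel other than email.
        self.verified.setdefault(vendor, set()).add(normalise_account(account))

    def check(self, inv: Invoice) -> str:
        acct = normalise_account(inv.account)
        key = (inv.vendor, inv.invoice_no)
        # Remember the account the invoice first arrived with; a later copy of
        # the same invoice number with a different account is the tampering
        # pattern the advisory describes.
        first_seen = self.seen_invoices.setdefault(key, acct)
        if first_seen != acct:
            return "REISSUED_WITH_DIFFERENT_ACCOUNT"
        if acct in self.verified.get(inv.vendor, set()):
            return "OK"
        return "NEW_ACCOUNT_VERIFY_BY_PHONE"


def triage(registry: PayeeRegistry, invoices: list) -> list:
    """Return (invoice_no, verdict) for each invoice, in the order received."""
    return [(inv.invoice_no, registry.check(inv)) for inv in invoices]


if __name__ == "__main__":
    reg = PayeeRegistry()
    reg.add_verified("Example Builders Ltd", "12-3456-0789012-00")  # constructed
    batch = [
        Invoice("Example Builders Ltd", "INV-1001", "12-3456-0789012-00", 4800.00),
        Invoice("Example Builders Ltd", "INV-1002", "98-7654-0321098-00", 1250.00),
        # Same invoice number as the first one, re-sent with a different account.
        Invoice("Example Builders Ltd", "INV-1001", "98-7654-0321098-00", 4800.00),
    ]
    for invoice_no, verdict in triage(reg, batch):
        print(invoice_no, verdict)
```

Only the "OK" verdict should release a payment; both other verdicts mean the payer phones the supplier on a number they already hold (not one printed on the suspect invoice) before paying, and a "REISSUED_WITH_DIFFERENT_ACCOUNT" result is also the cue for the supplier to check whether their email account has been compromised.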


In association with: Xero