TLDR
CERT NZ reports BEC in 2024 cost NZ businesses NZ$13M+, predominantly law / accounting / property firms whose clients receive a 'change of trust account' email mid conveyance. Indicators: M365 mailbox compromised via consent phishing,...
How it works
CERT NZ reports BEC in 2024 cost NZ businesses NZ$13M+, predominantly law / accounting / property firms whose clients receive a 'change of trust account' email mid conveyance. Indicators: M365 mailbox compromised via consent phishing,...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1CERT NZ reports BEC in 2024 cost NZ businesses NZ$13M+, predominantly law / accounting / property firms whose clients receive a 'change of trust account' email mid conveyance.
- 2WHAT TO DO: enforce CERT NZ's Critical Controls 2024 (MFA, hardware tokens for legal/accounting), publish 'we never change bank details by email' on engagement letters, callback verification.
- 3IF VICTIM: notify bank (NZ Faster Payments allow same day recall window), file CERT NZ report, audit M365 audit log for sign ins from foreign IPs, notify Law Society / NZICA, comply with Privacy Act 2020 breach notification within 72h.
Source
CERT-NZ
Source reviewed by Mythos Forensic Team
https://www.cert.govt.nz/individuals/common-threats/scams-and-fraud/business-email-compromise/FAQ
Is BEC against NZ professional services — invoice substitution a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
CERT NZ reports BEC in 2024 cost NZ businesses NZ$13M+, predominantly law / accounting / property firms whose clients receive a 'change of trust account' email mid conveyance.; WHAT TO DO: enforce CERT NZ's Critical Controls 2024 (MFA, hardware tokens for legal/accounting), publish 'we never change bank details by email' on engagement letters, callback verification.; IF VICTIM: notify bank (NZ Faster Payments allow same day recall window), file CERT NZ report, audit M365 audit log for sign ins from foreign IPs, notify Law Society / NZICA, comply with Privacy Act 2020 breach notification within 72h.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.