article banner

It’s beginning to look a lot like Christmas… for cybercriminals

Raj Tiwari Raj Tiwari

The festive season means shopping, celebrating, and going on holiday – but unfortunately, it’s also Christmas time for the bad guys. When we conduct our business online, we give them more opportunities than ever to steal our money and our information.  

New Zealanders lost $17 million to scams and fraud in 2020, with a 65% increase in the number of incidents reported compared to the previous year, according to CERT. Because so many scam victims are too embarrassed to report their experiences, this is only the tip of the iceberg. Cybercrime is rampant, so as you pay your end-of-year invoices or supercharge your digital presence for the holiday season, now is a good time to ensure your business has the best protections in place. Here’s five ways your business can be more cyber secure.  

1. Take time to scrutinise every invoice your business receives  

Yes – every invoice. Invoice fraud is low hanging fruit for cyber criminals, and it’s been surging over the past two years. 

It’s all too easy to approve an invoice from a trusted supplier without giving it a second thought. For example, we know of an organisation where an AP clerk received a payment request and approval from the CFO for an invoice from a fictious supplier. Fortunately, red flags were raised when the eagle-eyed clerk noticed the ‘Sent from my Samsung’ note at the bottom of the email, and knew the CFO was an iPhone user. Closer inspection of the invoice confirmed it was fake, and the sender was an impostor; the clerk saved the company $50k. 

It is no coincidence the person who approved the invoice was at a conference at the time, and had posted about attending the event on his Facebook page. This is a common scam known as a “Man in the Middle” attack. Cybercriminals will eavesdrop and monitor email flows, social media accounts and other platforms to ascertain when key personnel are out of the office so they can then pose as the absent employee. 

It’s critical to closely inspect email addresses, bank account numbers - and per the example above – even the format used to send the invoice. Businesses consistently paying large volumes of invoices should also be vigilant when it comes to the actual name and bank account details of the supplier. During the busy lead-up to Christmas or over the holiday period, scammers are known to send invoices that appear to be from your suppliers or from non-existent companies; at this time of year, they’re banking on the fact you’re either too busy or too relaxed to pay close attention.  

You can read more about how invoice fraud occurs here and how to protect your business against it.  

2. Take a closer look at any link before clicking

Try to get out of the habit of quickly clicking links you receive via emails and text messages without reading them carefully – it’s so easy to do, and sometimes you realise you shouldn’t have tapped it even before it opens.  

Spelling errors are often a giveaway, although it might be as subtle as a single letter. For example, you might have ordered a package that’s being delivered by DHL, and you get a text about your order from At a glance it looks right, but that letter ‘i’ is a clear giveaway it’s not legitimate.  

By clicking on these links, you are exposing your business to malware and ransomware attacks which are more often than not very costly. 

3. Increase your security  

There are lots of simple ways to increase your protection against cybercrimes:  

  • Use multi-factor authentication for any site or application your business uses like banking or Xero. It gives employees two layers of security for a scammer to pass through; for example, even if they crack your login and password, they’ll be tripped up by the text authentication.  
  • Switch to e-invoicing for your business to prevent invoice fraud scams.  
  • You’ve heard it before, but it bears repeating: use complex passwords, not your birthday, your pet’s name, your kids’ names or birthdays, or anything that would be easy to guess. In the second quarter of 2021, CERT found almost 4,500 device attacks that targeted weak usernames and passwords.  

4. Consider your digital footprint 

So, how do cyber criminals crack your passwords and know things like who your suppliers are? You might be surprised at how much information you’re volunteering online. For instance, the names of your kids, spouse and pets (helpful for those easy passwords), when you’re on holiday, and your business relationships. It’s not uncommon for people to complain online about their bank too, which can tip off a scammer as to which bank phishing email you’re most likely to fall for.  

Perhaps it’s time to change your social media privacy settings to restrict what you share and who you share it with. And in general, think twice before you post – is your digital footprint turning into an entire photograph of your life and leaving you vulnerable to phishing and credential harvesting?  

5. Last but certainly not least - train your team 

It only takes one person in an organisation to click a malicious link and a scammer could have access to all your business’s sensitive information. It’s important your team receives security awareness training and regular refreshers so malware and ransomware scams can be avoided, and those fraudulent invoices remain unpaid. It’s also a good idea to provide cyber security training as part of your onboarding process for new staff.  

Not sure where to start?  

Of course, this article isn’t a comprehensive guide about every type of cyber scam out there, so if it has given you some food for thought, it’s probably time to review the protections your company currently has in place. A good place to start is Grant Thornton’s cyber security maturity assessment – a cost-effective review of how your business operates online, and the effectiveness of your current policies, tools and practices. The key output from the assessment is some high-level advice about any weaknesses in your IT environment and how to prioritise them. We can also dig deeper into your IT security set up with our penetration testing and vulnerability scanning services which identifies all of the weak spots scammers could find in your apps, devices, servers and cloud systems; our experts can identify areas of improvement and outright risk. And of course, we can provide the training team members need to protect your business.