A Nelson man and his family nearly lost half their life savings to hackers running a sophisticated fraud scheme.
The man, who asked to remain anonymous, was set to put down a deposit for "several tens of thousands of dollars" to buy a house in Nelson a week ago.
He said the bank told him the sale had gone unconditional, and he emailed his lawyer for the trust account details to make the deposit.
"I received an email within a couple of hours, back from him I thought. I made the payment straightaway, via internet banking through my bank account."
Two hours later, he received another call – this time from the Bank of New Zealand fraud department.
They told him the funds hadn't been sent to his lawyer's trust, but were instead destined for a hacker who had managed to break into the lawyer's email account.
Before the money changed hands, the BNZ had managed to stop the transaction and lock the hacker's account.
"At that point my jaw dropped," the man said.
"I consider myself reasonably savvy as far as technology is concerned – I've spent nearly 20 years in IT and software development – and I was quite astounded this had happened."
He was told the hacker had also set up a BNZ account, which was being monitored by BNZ's fraud team due to suspicious activity around it.
"As soon as a large transaction went through they flagged it and got hold of me ... I think the only reason I got away with it is because [we both had BNZ accounts]."
The man said the fraud team explained to him it was likely the hacker or hackers had got access to the lawyer's account details through an email phishing scam, and had then been able to monitor and hack into their email.
"When they replied it looks like the lawyer is replying. It's his email address, his signature, everything – even the preceding email thread is intact.
"It was exactly the same, there's no way I was detecting anything different. Because they have basically got his credentials, using his email servers, monitoring and taking control when they want."
He got in touch with his lawyer straight away, who did not have any idea the hacking had taken place.
"He didn't freak out, he panicked only a little bit, but within half an hour he got an IT expert in and had locked all his accounts.
"He spent the entire weekend going through everything, making sure no-one else had been affected. One other person had been phished, but they were able to recover the money as well."
He said the IT expert contracted by the lawyer had traced the hacker or hackers to an African organisation.
When his own account was unlocked on Monday, he was able to put his house deposit down – but this time he took a cheque to his lawyer's office.
Later on in the week he found out he would have been covered for the deposit through insurance for cyber crimes, but he said it had been a scary situation.
"I'm still flabbergasted, I woke up at night with a bit of a cold sweat thinking 'hell that was just about my life completely turned upside down', I was in a legal contract to buy the house, and I wouldn't have had the money otherwise.
"The family was looking forward to everything – it would have been absolutely devastating. We've been looking forward to this for years, haven't owned a house all together, this was a lifetime of savings and half of it would have been gone – it was a really big deal."
BNZ Head of financial crime Ashley Kai Fong said invoice scams were rarer than others, but they were on the rise.
"As a customer, if you see the bank account number on an invoice has changed from the one you normally pay, give the company a call to check if the change is legitimate.
"Make sure you call them on the number you have, not the one on the invoice, in case this has been changed too."
Fong said these incidents were also a reminder for businesses to be extra careful about clicking on links in emails or downloading strange attachments.
"Being vigilant and keeping your software and antivirus up-to-date is crucial to protecting your systems and your customers."
For the family at the centre of the ordeal, it had made them think twice about making purchases online.
"I feel it is just such a trap, I want everybody to be aware that if bank account details are sent to you by anyone, even if you've got a rock-solid internet presence, you can't be sure the person you're dealing with does.
"Ring up and find out, use a cheque – but don't use email."
Original story by Tim Newman, Stuff.co.nz