Gardai have issued a stark warning over an email scam that saw nearly €6 million stolen from companies in Ireland last year.
Invoice-redirect fraud, also known as business email compromise fraud, involves scammers impersonating a supplier and asking a business or an individual to send money to a new bank account claiming they've changed banks.
They provide a new IBAN and BIC code for this new account and often the target does not know that they have been a victim of a crime until later when the legitimate supplier sends a reminder for invoice payment.
Read more: WhatsApp scammers using devious trick to steal money from worried parents
Scammers might send an email with a spoof email address, a "spear-phishing" email (an email that looks like it’s from a trusted source), or use malware to take over a legitimate business email account and send an email from that.
The stolen money is then transferred abroad and in some cases, data is also stolen.
The proceeds of this crime are being laundered through bank accounts in Ireland.
Thankfully, 2021 saw a massive reduction of up to 50% in this type of scam compared to the previous year but nearly €6 million was still stolen as part of the fraud.
Last year, gardai recovered €26,000 for a Canadian business that had over €29,000 stolen from fraudsters after officers were successful in freezing the accounts in Ireland.
Additionally, a suspect was arrested after stealing €177,000. In this case, the fraudster took over a legitimate Solicitor’s email and secured clients funds, which the Solicitor was handling for the purchase of a house.
The Garda National Economic Crime Bureau (GNECB) successfully recovered all but €3,000.
Also in 2020 and due to early reporting to Gardaí, GNECB recovered €2 million from an account in Hong Kong – the entire amount stolen.
Here is how you can protect yourself from invoice-redirect fraud:
• Always be suspicious when asked to send money to a new bank account – delay the transfer while you phone the company to double-check if the bank account has changed (and ensure you’re not dealing with a fraudster)
• Any time you are asked to change bank account details on a system, check the location of the IBAN (via a Google search), check the URL and the spelling
• If employees are using personal computers/laptops to work from their homes, it is imperative their antivirus software is kept up to date.
• Businesses should have robust policies and procedures in place to deal with payment requests of this nature (e.g., multiple decision-makers to approve payment or a step to contact a trusted person at the supplier to verify the request. They should also review all existing business relationships regularly and put defensive policies and procedures in place
• Remember, if caught out, ask your bank to do a recall ASAP then report the fraud to gardai.
Read more: Businesses must be vigilant as risk of cyber attacks rises amid Ukraine crisis
Read more: ‘Bird poo scam’ warning for Irish tourists travelling to Spain
Sign up to the Dublin Live Newsletter to get all the latest Dublin news straight to your inbox.