Gardaí have issued a warning and advice over business email fraud after almost €6 million was stolen from Irish companies last year.
Gardaí say people in any business setting should be very wary of sending payments online, especially when asked to send money to “new bank account numbers.”
While the amount of business email compromise fraud has fallen in 2021, more people are working in remote settings (e.g., working from home) and may not be as wary as they may be in a work environment where they can also confer with colleagues close by.
However, reassuringly, the almost 50% reduction in this type of fraud shows that the message is landing yet almost €6 million still reached the pockets of mostly international organised crime gangs.
Business email compromise fraud, also known as invoice re-direct fraud, is where a fraudster sends an email to an individual or a business pretending to be a supplier and asks for an invoice to be paid immediately, usually to a new bank account because “they’ve changed bank”, etc. They provide a new IBAN and BIC code for this new account and often the target does not know that it has been a victim of a crime until sometime later when the legitimate supplier sends a reminder for invoice payment.
To do this, fraudsters might send an email with a spoof email address, a ‘spear phishing’ email (an email that looks like it’s from a trusted source), or use malware to take over a legitimate business email account and send an email from that. In most cases, the money stolen is transferred abroad; in some larger cases, data is also stolen. Another related issue is the proceeds of these crimes abroad being laundered through bank accounts in Ireland.
How to avoid business email compromise fraud?
- Always be suspicious when asked to send money to a new bank account – delay the transfer while you phone the company to double-check if the bank account has changed (and ensure you’re not dealing with a fraudster)
- Any time you are asked to change bank account details on a system, check the location of the IBAN (via a Google search), check the URL and the spelling
- If employees are using personal computers/laptops to work from their homes, it is imperative their antivirus software is kept up to date.
- Businesses should have robust policies and procedures in place to deal with payment requests of this nature (e.g., multiple decision-makers to approve payment or a step to contact a trusted person at the supplier to verify the request. They should also review all existing business relationships regularly and put defensive policies and procedures in place
- Remember, if caught out, ask your bank to do a recall ASAP then report the fraud to Gardaí.
Speaking at today’s briefing Detective Chief Superintendent Pat Lordan of the Garda National Economic Crime Bureau said:
“Unfortunately, no business is immune to this type of scam – the victims of business email compromise fraud range from very small businesses to large corporations. The consequences of falling for a scam such as this can be catastrophic and may even result in the closure of businesses and redundancies. All employees should be aware of this fraud and receive training to avoid this type of scam. If in any doubt, delay the transfer and report any suspected fraud to Gardaí as soon as possible – early reporting can be the difference between recovering most of the funds versus very little.”
Gardaí are advising members of the public who believe they are a victim of business email compromise fraud to contact any Garda Station and report the crime.