Small and medium sized businesses lost almost €10m through email-related scams last year.
The number of cases reported by SMEs increased almost 25% when compared with 2022.
The figures published by FraudSMART, the fraud awareness initiative led by Banking & Payments Federation Ireland, show that companies were conned out of an average of €12,000.
The majority of cases involved so-called ‘invoice-redirection scams’, BPFI said.
“These often start with what appears to be a legitimate email from a supplier known to the business advising of new bank details for payment, but which has been hacked or closely copied by fraudsters,” said Niamh Davenport, Head of Financial Crime at BPFI.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
Ms Davenport said this can create a false sense of security and make it difficult for businesses to detect the scam.
“They usually don’t request any payment upfront but ask for the bank account details on file to be changed for future invoice payments and provide a new IBAN and BIC code for the ‘new account’.
“When a legitimate invoice is issued by the supplier the business ends up paying it into the ‘new account’ controlled by the fraudster,” she explained.
She said it’s often only some time later when a payment reminder is sent by the supplier that the scam is detected.
CEO impersonation fraud is another type of scam impacting businesses.
This is when an email purporting to be from the Chief Executive Officer or a senior member of the team is sent to the finance team requesting that an urgent payment be made to a supplier or another third party, or in some cases to the senior member themselves.
Ms Davenport warned SMEs that while fraudsters target businesses of all sizes, smaller firms can be particularly vulnerable.
“This is due to more limited resources, less investment in security infrastructure as well as lower financial buffers to withstand any losses,” she said.
“Fraudsters take advantage of busy work schedules and create a sense of urgency in the hope that an employee will react without thinking and won’t take the time to do necessary checks,” she added.
FraudSMART has joined forces with the Irish SME Association (ISME) to urge SMEs to be on the alert and put measures in place to protect their business.
“Unfortunately, no business is immune to this type of scam and the consequences can be catastrophic,” said Neil McDonnell, CEO of ISME.
“I urge all SMEs and their employees to review their current payment policies and procedures.
“I would also encourage businesses to put training in place for employees to ensure they are constantly aware of current fraud risks and how to avoid falling victim to scammers,” he added.
Tips from FraudSMART to protect your business from fraud:
Policies and procedures – ensure a verification process is in place for requests to change supplier bank account details. Use trusted contact details already on record or a contact number on the company’s website. Do not to use the contact details on an email requesting the change as these could be fraudulent or controlled by a fraudster.
Dual authorisation – ensure that two people from the business are required to complete a third-party payment electronically.
Fraud awareness and training – ensure staff are given appropriate training on cyber security with a focus on email-related fraud / phishing emails.
Invoice checking – review invoices thoroughly and ensure there are no irregularities including misspellings and grammatical errors.
Updated operating systems – ensure that the latest updates for your computer and mobile operating systems are up-to-date and set them to automatically update.