Warning as Irish firms lose millions in sophisticated invoice scams

Two firms lost €650,000 recently in the so-called invoice redirection fraud

Irish business owners have been warned of an internet email scam which has seen fraudsters steal €650,000 from two firms recently.

The companies lost the money after responding to what looked like legitimate invoices from suppliers.

One company lost €200,000 and the other €453,000, gardaí said on Monday.

The scam sees criminals send emails to businesses and individuals purporting to be a legitimate supplier.


These emails contain a request for the firm to change the bank account details on record for the supplier to new bank account, controlled by the criminals.

These requests can also come by way of letter or phone call.

In many instances the business does not know it is a victim of this scam until the legitimate supplier sends a reminder invoice seeking payment, gardaí said.

Internet securities expert David Waldron of Radius Technologies said the invoice redirection scam has “scaled up significantly in recent times” as has the amounts of money involved.

Mr Waldron, who advises the Irish Small and Medium Enterprises Association (ISME) about internet security, said two firms contacted the organisation recently after scammers made off with €38,000 and €35,000 in separate fraud attacks.

He said the those behind the scam were able to compromise the email system to make it look like the scammers were sending a legitimate invoice.

Mr Waldron said fake invoicing is more effective and lucrative for criminals than ransomware attacks - so called because criminals shut down computer systems and will only restart them once a ransom is paid.


Chief Supt Pat Lordan of the Garda National Economic Crime Bureau said the impact of such fraud on small businesses can "be catastrophic and result in the closure of businesses and redundancies".

He urged businesses to pick up the phone and speak to somebody in the invoicing company.

One businessman who was scammed urged other businesses not to trust emails.

He said fraudsters can see incoming and outgoing mails which can be blocked or redirected without people being aware of what was happening.

“Assume all emails incoming and outgoing in your company are always being read by fraudsters for extended periods of time and that those responsible for payments within your company are a special target for hackers and their email history is being monitored,” the businessman added.

He said all incoming email addresses should be checked. Simple changes, such as swopping, adding or deleting letters in a mail address are commonly used to fool a business into thinking the invoice is coming from a genuine source.

He said change requests for bank payment details are a “red letter warning” and should not be countenanced.

Earlier this year gardaí estimated at least €4.4 million had been stolen in such scams with €1.28 million recovered by gardaí.

How to avoid being duped by the scammers:

1. Check if the request is from a recognised contact in the customer firm?

2. Even if it has, check is the email address used correct. Check the email for basic English mistakes.

3. Contact your customer directly to ensure the contact details are correct.

4. Start with a trial transfer of a nominal amount to the new account, of say €0.10, and contact their accounts receivable to check the sum has landed in their bank account. If not, do not proceed.

5. (This is a useful check of a legitimate bank account change, as people sometimes make mistakes copying IBAN numbers. It’s best to cut-and-paste them).

6. Report all incoming fraudsters to the gardaí, and to your internet service provider if it has come electronically.

7. Block them in your email system. Screengrab dubious emails and circulate them to your staff

8. Do not forward the original email from the scammers- even if you use the word scam in the header!

Ronan McGreevy

Ronan McGreevy

Ronan McGreevy is a news reporter with The Irish Times