- Almost 25% increase in losses through email-related SME fraud compared to 2022
- Losses averaged at €12,000
- FraudSMART in partnership with ISME urges businesses to review payment policies and put fraud awareness training in place for employees
Friday 12th June – New figures from FraudSMART, the fraud awareness initiative led by Banking & Payments Federation Ireland (BPFI), show that small and medium enterprises (SMEs) lost almost €10m (€9.9m) through email-related fraud in 2023, including invoice-redirection and CEO impersonation scams. The figures come as FraudSMART joins forces with the Irish SME Association (ISME) to urge SMEs to be on the alert and put measures in place to protect their business.
Majority of cases are invoice-redirection scams with what appears to be a legitimate email from a supplier known to the business
Speaking on today’s figures and outlining the type of scams targeted at SMEs, Niamh Davenport, Head of Financial Crime, BPFI said: “We have seen a jump of almost 25% (23.8%) in email-related fraud targeted at SMEs last year. These scams can be devastating for a small company with average losses of €12,000. The majority of cases we’ve seen are invoice-redirection scams. These often start with what appears to be a legitimate email from a supplier known to the business advising of new bank details for payment, but which has been hacked or closely copied by fraudsters. This can create a false sense of security and make it difficult for businesses to detect. They usually don’t request any payment upfront but ask for the bank account details on file to be changed for future invoice payments and provide a new IBAN and BIC code for the ‘new account’. When a legitimate invoice is issued by the supplier the business ends up paying it into the ‘new account’ controlled by the fraudster and it’s often only some time later when a payment reminder is sent by the supplier that the scam is detected.”
Ms Davenport added: “Unfortunately, while fraudsters target businesses of all sizes, SMEs can be particularly vulnerable compared to larger companies due to more limited resources, less investment in security infrastructure as well as lower financial buffers to withstand any losses. Fraudsters take advantage of busy work schedules and create a sense of urgency in the hope that an employee will react without thinking and won’t take the time to do necessary checks.”
Businesses urged to review payment policies and put fraud awareness training in place for employees
Minister for Enterprise, Trade and Employment Peter Burke stated: “SMEs are the backbone of our economy, accounting for more than two-thirds of business employment in Ireland, according to the CSO. Over 92% of SMEs are what we call micro enterprises, employing less than 10 people, and while these businesses have demonstrated remarkable resilience in the face of recent challenges such as inflation, energy costs and Covid-19, unfortunately, they are often the most vulnerable to business-related fraud. It is vitally important that business owners and employees are aware of the risks that fraudsters pose and put the necessary measures in place.”
Calling on SMEs to remain vigilant, Neil McDonnell, CEO, ISME added: “Unfortunately, no business is immune to this type of scam and the consequences can be catastrophic. I urge all SMEs and their employees to review their current payment policies and procedures. I would also encourage businesses to put training in place for employees to ensure they are constantly aware of current fraud risks and how to avoid falling victim to scammers. FraudSMART provides a free guide with information and tips on business fraud and that’s a good place to start.”
Tips to help protect your business
Ms Davenport concluded: “Our single biggest piece of advice if you receive an email from a supplier asking to change their bank account details for payments, is to pick up the phone, using a number that you are familiar with or from a trusted source such as the official supplier website, and check directly with the supplier if the request is genuine and the details are correct. If you suspect that your business may have fallen victim to fraud, don’t delay, talk to your bank and to Gardaí as soon as possible.”
Top tips to protect your business from fraud:
- Policies and procedures – ensure a verification process is in place for requests to change supplier bank account details. Use trusted contact details already on record or a contact number on the company’s website. Do not use the contact details on an email requesting the change as these could be fraudulent or controlled by a fraudster.
- Dual authorisation – ensure that two people from the business are required to complete a third-party payment electronically.
- Fraud awareness and training – ensure staff are given appropriate training on cyber security with a focus on email-related fraud / phishing emails.
- Invoice checking – review invoices thoroughly and ensure there are no irregularities including misspellings and grammatical errors.
- Updated operating systems – ensure that your computer and mobile operating systems have the latest updates installed and set them to update automatically.
Businesses can download a free copy of the FraudSMART ‘Protect your business from fraud’ guide and sign up to fraud alerts on the FraudSMART website where they can also find a wealth of other information on fraud types and prevention advice.
ENDS/
For information contact: Fiona Murphy, Head of Communications, fiona.murphy@bpfi.ie 087 9740046 or Jillian Heffernan, Director of Communications, jillian.heffernan@bpfi.ie 087 9016880.
Note to editors
Definitions:
Invoice re-direction fraud occurs when a business receives a fraudulent email claiming to be from an existing supplier/creditor or in some incidents a staff member within the same company. The fraudster advises that the bank details for the payment of future invoices should be changed or requests that a payment should be made into another account. These approaches can be made over the telephone, by letter, fax and by email. Often there is no immediate request for payment; when a legitimate invoice is issued, the payment will go to the ‘new account’ controlled by the fraudster.
CEO impersonation fraud takes place when an email purporting to be from the Chief Executive Officer or a senior member of the team is sent to the Finance Team requesting that an urgent payment be made to a supplier or another third party or in some cases to the senior member themselves.
Invoice Redirection Case Study
David* is the Accounts Manager for a small business. He received an email from a regular supplier with a ‘change of bank details’ notification. Business procedures were in place that required David to call the supplier and ask them to verify the bank details. The supplier spoke to David but was away from their desk and wasn’t able to confirm over the phone. They asked him to send an email requesting verification, which he did. However, unknown to both David and the supplier, fraudsters had gained access to the supplier’s email account. They had sent the original request and were able to intercept David’s email and reply confirming that the request was valid and details were correct. David was satisfied with the response and updated the supplier’s payment details. When the next genuine invoice came from the supplier, the payment was made to the ‘new account’ controlled by the fraudster. It was only when David received a payment reminder for the invoice the following month that he contacted the supplier again and they realised there was something wrong. David then contacted the bank and An Garda Síochána. While the bank attempted to recoup the transfer, the money had already been withdrawn from the fraudster’s account, so not only did the business lose the money, but they still had an outstanding genuine invoice to pay the supplier.
TOP TIP: Make a phone call to a known and trusted contact within the company that appears to be requesting a change in account payment. If they cannot verify over the phone do not proceed with the change and do not request confirmation over email. Wait until your trusted contact can confirm the details over the phone using a trusted number.
*The name and some of the details have been changed to protect the identity of the victim.
About FraudSMART: FraudSMART is a fraud awareness initiative developed by Banking & Payments Federation Ireland (BPFI) in conjunction with the following member banks, Allied Irish Bank plc, Bank of Ireland, KBC Bank Ireland, Permanent TSB, Ulster Bank, An Post Money and Barclays. The programme aims to raise consumer and business awareness of the latest financial fraud activity and trends and provide simple and impartial advice on how best they can protect themselves and their resources. www.fraudsmart.ie.
About BPFI: Banking & Payments Federation Ireland (BPFI) represents the banking, payments and fintech sector in Ireland. Together with its affiliates, the Federation of International Banks in Ireland and the Fintech & Payments Association of Ireland, BPFI has over 125 member institutions and associates, including licensed domestic and foreign banks and institutions operating in the financial marketplace here.