Cork company lost almost €50,000 as a result of invoice redirect fraud

A Cork company lost almost €50,000 as a result of invoice redirect fraud last year.

Gardaí has detailed how towards the end of 2020, an employee at the company received an email, which they believed was from their employer, requesting payment be made to a new account for an outstanding invoice.

It was when a second request was later made for a figure of around €70,000, that the employee flagged the request to management.

According to gardaí, in 2020, approximately €10.5 million was stolen through invoice redirect /business email compromise (BEC) fraud nationally.

In such cases fraudsters send an email to a business purporting to be from a supplier or similar, requesting the immediate payment of an invoice or transfer of funds.

A garda spokesperson said that fraudsters “may spoof an email address, send ‘spear phishing’ emails or use malware to get the data. They could also take over a business’ email account therefore fraudulent emails are being sent from the real business.” 

The spokesperson said that victims of invoice redirect fraud range from very small businesses to large corporations.

“The consequences of falling for a scam of this nature can be catastrophic for any business and can result in the closure of businesses and redundancies. All relevant employees should receive training in relation to avoiding this type of scam,” the spokesperson said.

The Garda National Economic Crime Bureau (GNECB) has shared the following advice:

• Ensure staff take great care and attention each time they are asked to change bank account details. Check the IBAN number – what country is it in. IBANs can be checked by doing a very quick google search. Check the URL and the spelling 
• A phone call should be made to a representative of the company confirming that the bank account is changed and care needs to be taken to ensure that they are talking to a representative of the company and not the fraudster. Under no circumstances should contact details contained in the email or attachments be relied upon to verify the request whether these consist of a physical address, an email address or a phone number.
• Verify email address is spelt correctly · Has the URL been changed from ".ie” to ".com”?
• Businesses must ensure that they have robust policies and procedures in place to deal with requests of this nature including escalating the decision making function to supervisory positions and making direct contact with a trusted known person in the supplier’s organisation.
• Where a business becomes aware that such a crime has occurred they should ask their bank immediately to do a recall on the money and then report the matter to Gardaí 
• Segregation of duties - Consider how your business issues and accepts payment instructions
• Use banking security systems e.g One Time Passcodes 
• At the moment many people are working from home and some are performing roles, they don’t usually do. They are also working from a more safe and secure environment and could be minding children at the same time. This could mean that they are not as wary as they would be in a work environment and they do not have colleagues close by to confer with.
• It is also imperative that where staff are using private computers/laptop for work purposes from their homes that the antivirus software is kept up to date.
• If a business becomes a victim, all existing business relationships should be reviewed without delay and defensive policies and procedures put in place.
• In many instances the business does not know it is a victim of this crime until sometime later when the legitimate supplier sends a reminder invoice for payment.