An Garda Síochána is warning people in any business setting to be very wary of sending payments online, especially when asked to send money to “new bank account numbers.”
While the amount of business email compromise fraud has fallen in 2021, more people are working in remote settings (e.g., working from home) and may not be as wary as they would be in a work environment where they can confer with colleagues close by. Reassuringly, the almost 50% reduction in this type of fraud shows that the message is landing, yet almost €6 million still reached the pockets of mostly international organised crime gangs.
What is business email compromise fraud?
Business email compromise fraud, also known as invoice re-direct fraud, is where a fraudster sends an email to an individual or a business pretending to be a supplier and asks for an invoice to be paid immediately, usually to a new bank account because “they’ve changed bank”, etc. They provide a new IBAN and BIC code for this new account, and often the target does not know that it has been a victim of a crime until some time later, when the legitimate supplier sends a reminder for invoice payment.
To do this, fraudsters might send an email with a spoof email address, a ‘spear phishing’ email (an email that looks like it’s from a trusted source), or use malware to take over a legitimate business email account and send an email from that. In most cases, the money stolen is transferred abroad; in some larger cases, data is also stolen. Another related issue is the proceeds of these crimes abroad being laundered through bank accounts in Ireland.
Examples of business email compromise fraud:
In 2019, a suspect was arrested after stealing €177,000. In this case, the fraudster took over a legitimate Solicitor’s email and secured clients’ funds, which the Solicitor was handling for the purchase of a house.
The Garda National Economic Crime Bureau (GNECB) successfully recovered all but €3,000.
In 2021, because of early reporting, GNECB was successful in freezing accounts in Ireland and recovering €26,000 for a Canadian business that had over €29,000 stolen by fraudsters.
As part of Operation Skein (launched in June 2020 to tackle international business email compromise fraud), GNECB identified an international organised crime group, operating from and within Ireland, that targets businesses all over the world and has stolen over €26 million in the past few years. Several suspects have been charged as a result.
Also in 2020, due to early reporting to Gardaí, GNECB recovered €2 million from an account in Hong Kong – the entire amount stolen.
How to avoid business email compromise fraud?
• Always be suspicious when asked to send money to a new bank account – delay the transfer while you phone the company to double-check if the bank account has changed (and ensure you’re not dealing with a fraudster).
• Any time you are asked to change bank account details on a system, check the location of the IBAN (via a Google search), check the URL and the spelling.
• If employees are using personal computers/laptops to work from their homes, it is imperative their antivirus software is kept up to date.
• Businesses should have robust policies and procedures in place to deal with payment requests of this nature (e.g., multiple decision-makers to approve payment or a step to contact a trusted person at the supplier to verify the request). They should also review all existing business relationships regularly and put defensive policies and procedures in place.
• Remember, if caught out, ask your bank to do a recall ASAP, then report the fraud to Gardaí.
Speaking at the briefing, Detective Chief Superintendent Pat Lordan of the Garda National Economic Crime Bureau said:
“Unfortunately, no business is immune to this type of scam – the victims of business email compromise fraud range from very small businesses to large corporations. The consequences of falling for a scam such as this can be catastrophic and may even result in the closure of businesses and redundancies. All employees should be aware of this fraud and receive training to avoid this type of scam. If in any doubt, delay the transfer and report any suspected fraud to Gardaí as soon as possible – early reporting can be the difference between recovering most of the funds versus very little.”
Gardaí are advising members of the public who believe they are a victim of business email compromise fraud to contact any Garda Station and report the crime.