Businesses warned to be on high alert for fraud ahead of Brexit

Bank of Ireland outlines how fraudsters use uncertainty to carry out email scams

A business email fraud near-miss was intercepted by the Bank of Ireland fraud team along with the Garda this year, with €2.1 million recovered. Photograph: Niall Carson/PA Wire
A business email fraud near-miss was intercepted by the Bank of Ireland fraud team along with the Garda this year, with €2.1 million recovered. Photograph: Niall Carson/PA Wire

Businesses should be on heightened alert for fraudsters who may use the uncertainty of Brexit in the coming weeks to carry out scams, Bank of Ireland has warned.

The bank is advising businesses to be on high alert to the practice of business email compromise, where a company’s email is compromised, resulting in a range of types of financial fraud including invoice redirection and CEO fraud.

Businesses are urged to treat any requests to change bank account details or transfer funds with extreme caution, and, as a matter of course, to verbally check any such requests with a known contact at a known number every time.

In the second half of 2020, a business email fraud near-miss was intercepted by the Bank of Ireland fraud team along with the Garda, and funds to a value of €2.1 million were recovered.

READ SOME MORE

Another business was on the brink of losing €1.1 million when their emails were compromised in an attempted fraud but, due to the actions of the bank’s fraud teams, the majority of the funds were recovered.

It is a persistent problem, with the bank’s fraud teams acting on reports of two to three cases of this type of fraud per week.

Payee details

Invoice redirection fraud is where fraudsters pretend to be a supplier or service provider in order to trick employees into changing bank account payee details.

A common tactic is to tell the business that their bank account details have changed and for all payments to be sent to a new account, controlled by the fraudster.

The bank said fraudsters may write to a company’s finance or payments department either on forged headed paper or by email, pretending to be a supplier.

Typically, they will tell the business that their account details have changed. The payee account may be located either in Ireland or overseas.

The fraudster may ask an employee to either send a pending payment to the new account or, alternatively, to ensure that all future payments are sent to the new account.

CEO impersonation fraud is a type of fraud where the fraudster pretends to be a senior executive from the victim’s organisation.

An email is sent to an employee to try to trick them into doing something, like making a payment to either an existing or new client or supplier.

“The fraudster will try to pressurise a member of staff into acting quickly and without thinking,” said a spokesman for Bank of Ireland.

‘Well crafted’

“The fake emails are well crafted, can be sent from compromised email accounts and may look like they have come from a senior executive at the company in question.

“Typically, the fraudster instructs the staff member to make an urgent high-value payment to a supplier or creditor, and usually includes the payee details, including the IBAN. Often the payee account is located overseas.”

Edel McDermott, head of fraud at Bank of Ireland, said: “We know that fraudsters thrive in periods of change or uncertainty for business, where attention may be focused on other priorities.

“Brexit will bring considerable change to many companies, including new procedures relating to customs or changes in arrangements with vendors or customers. Business email fraud at any time has the potential to have a devastating impact on business.

“We are urging businesses not to drop their guard against email scams over the coming period. Training staff on the warning signs and the basic steps to take will safeguard businesses against these avoidable losses.

“If every business followed a simple step that a request to change account details or to make a payment was always verbally checked with a known contact, at a known phone number, the majority of this type of fraud would be stopped.”

Colin Gleeson

Colin Gleeson

Colin Gleeson is an Irish Times reporter