
Invoice Redirect Fraud 2020

With many businesses returning to partial or full operations this week, they are likely to find themselves targeted by fraudsters and cybercriminals. Many experts, including the team at IT.ie, have widely reported that cybercriminals are using the Covid-19 crisis to target businesses all over the world at a time when their guard may be down. RTE reported that Gardai in Waterford are investigating after it was discovered that a company was conned out of €65,000 while in the process of buying a machine to be used in the manufacturing of PPE.

It was found that the Irish company was engaging with a legitimate company in China. At some point, however, the fraudsters tricked the company by sending an email purporting to be from the legitimate company and demanding payment to an account listed in the email. Thankfully, the swift actions of the Garda National Economic Crime Bureau and the company's bank resulted in the successful retrieval of the payment. This company was very lucky, as the scam was identified and acted on very quickly. Many more businesses aren't so lucky and lose large sums of money.

This type of fraud is referred to as Invoice Redirect Fraud and, long before the current health crisis, it was costing Irish companies millions of euro a year.

How does it work?

The scammers will contact your business by email, letter or phone call, purporting to be one of your legitimate suppliers. They will inform you that their bank details have changed and request that all further payments be sent to the new bank account. Of course, the new bank details are not those of your supplier but the details of an account controlled by the criminals.

Inevitably, your legitimate supplier will send an invoice in the future for payment of goods or services, and you will unwittingly make the payment to the criminals and not the supplier. It may be some time before you realise that you have fallen victim, and it may only come to light when you receive a reminder from the legitimate supplier for non-payment.

What should you do?

All employees, and particularly those who deal with accounts and payments, should be made aware of this scam and the steps to take to avoid falling victim. At IT.ie we suggest that a safe word or phrase should be used in all correspondence relating to financial transactions, both internally and when dealing with suppliers. If this agreed word or phrase is not included in correspondence, then a quick phone call to a known contact at the supplier's business address will confirm whether the correspondence is legitimate or not.

This is a relatively low-tech scam and yet many businesses are falling victim every day. Employees should be encouraged to question all correspondence relating to financial transactions.

I recommend reading our post on CEO Fraud, another scam that targets employees with responsibility for accounts and payments and that has cost Irish companies and public bodies millions of euro over the past year.
