Email is now one of the primary means of communication worldwide for both commercial and personal dealings. However, what many people do not know is that an increasing number of fraudsters are able to infect computers with malicious software which allows them to monitor and intercept email correspondence. These fraudsters then hack into computers and wait for a service provider to issue genuine bank account details for the purpose of discharging an invoice.
These scammers then proceed to issue new fake bank details, often with the excuse that the previous details were issued in error or were from an old bank account which is no longer in existence. In fact, they even have the ability to intercept emails which have been sent requiring payment and change the details in their favour. This is most commonly known as “invoice redirect fraud” or “CEO fraud” and it is on the rise.
Once this issue has come to light and been reported, financial institutions will generally freeze the funds in question in the recipient’s account, but unfortunately this is often too late. It has been reported that these emails are often strategically sent on a Friday evening, as people are less likely to check their bank accounts over the weekend and financial institutions will also be difficult to contact during this period. If the funds are withdrawn without the matter having been reported to the financial institution, the prospect of recovery decreases significantly.
In light of the difficulties faced by victims of this fraud, a necessity may arise to bring an urgent court application seeking a freezing order for the purpose of ensuring that the scammers do not dispose of or dissipate the funds once they have been transferred. Furthermore, once a freezing order has been obtained, the scammers’ details are often identifiable as the beneficiary on the bank account, which might positively assist in tracing or recovering funds both inside and outside of the jurisdiction if dissipated by the scammers.
This type of fraud has led to a number of Irish companies being defrauded of hundreds of thousands of euros. Amongst these organisations is Trinity College Dublin, which was defrauded of approximately €800,000 in 2017. Information issued by the Central Statistics Office established that 21% of Irish SMEs were targeted for invoice redirection in 2018. Furthermore, 4,257 Irish companies found themselves involved in some form of IT scam in 2018, with 72% of this arising from email phishing, which remains the most common form of IT-based attack to date.
However, it is not only Irish SMEs that are faced with this problem. Many of the world’s tech giants have found themselves the subject of this fraud. Facebook and Google have been defrauded of close to $100 million (€89 million) following a series of forged invoices, contracts and letters which appeared to the individuals involved to be signed by executives at the relevant multinational firms.
Steps to ensure that this does not happen to you
- The most obvious solution is to avoid making payments by email and instead make these payments in person or by telephone. Unfortunately, this is not always feasible, but at all times bank details should be verified by telephone by the service provider prior to the transfer of any payment.
- It is always important to notify your new and existing clientele that you have no intention of changing your banking details and if any correspondence is issued on your behalf declaring otherwise, they should contact you by telephone in order to verify the new banking details before payment.
- In addition, it is important to be vigilant as to where emails are coming from and to check that letters and/or numbers in the sender’s address have not been swapped, added or deleted. This is a way in which the hackers attempt to deceive you into believing that the particular email is coming from a reliable and genuine source.
- In the event of a suspected fraud, you should immediately make contact with the relevant financial institution and obtain legal advice. The matter should also be immediately reported to An Garda Síochána.
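The check for swapped, added or deleted letters and numbers in a sender's address can be automated in a mail-handling or accounts-payable workflow. The following Python code is an added example, not part of the original article; the supplier domains, the function names and the two-edit threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumption: domains of suppliers you actually pay (constructed sample values).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: counts single-character additions,
    deletions, substitutions and swaps of two adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap, e.g. "amce" for "acme", counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_sender(from_header: str, max_edits: int = 2):
    """Classify a From: header as ('known', domain), ('lookalike', imitated
    domain) or ('unknown', None)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return ("known", domain)
    for trusted in sorted(KNOWN_SUPPLIER_DOMAINS):
        # Close to a trusted domain but not identical: likely imitation.
        if 0 < osa_distance(domain, trusted) <= max_edits:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers: genuine, digit swapped in, letters swapped,
    # letter deleted, letter added, unrelated sender.
    for header in ["Accounts <accounts@acme-supplies.example>",
                   "Accounts <accounts@acme-suppl1es.example>",
                   "accounts@amce-supplies.example",
                   "accounts@acme-supplie.example",
                   "accounts@acmee-supplies.example",
                   "hello@unrelated.example"]:
        print(header, "->", check_sender(header))
```

A "known" result only means the domain is spelled correctly; because the fraud described above can also involve a genuinely compromised mailbox, new bank details still need to be verified by telephone.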
How we can help?
This article is for general information purposes. Legal advice must be obtained for individual circumstances. Whilst every effort has been made to ensure the accuracy of this article, no liability is accepted by the author for any inaccuracies.