SMEs lost almost €10m through email-related fraud last year, with average losses of €12,000.
Figures from FraudSMART, the BPFI's fraud awareness initiative show Irish small businesses lost €9.9m to scams such as invoice-redirection and CEO impersonation in 2023.
There was a 23.8% increase in email-related fraud targeted at SMEs last year, and Niamh Davenport, the BPFI's head of financial crime, said the majority of cases were invoice-redirection scams.
These, often start with what appears to be a legitimate email from a supplier known to the business advising of new bank details for payment, but which has been hacked or closely copied by fraudsters," she said.
"This can create a false sense of security and make it difficult for businesses to detect. They usually don’t request any payment upfront but ask for the bank account details on file to be changed for future invoice payments and provide a new IBAN and BIC code for the ‘new account'.
"When a legitimate invoice is issued by the supplier the business ends up paying it into the ‘new account’ controlled by the fraudster and it’s often only some time later when a payment reminder is sent by the supplier that the scam is detected.”
Davenport added that SMEs can be "particularly vulnerable" compared to larger companies due to their more limited resources, lesser investment in security infrastructure and lower financial buffers to withstand any losses.
"Fraudsters take advantage of busy work schedules and create a sense of urgency in the hope that an employee will react without thinking and won’t take the time to do necessary checks," she said.
“Our single biggest piece of advice if you receive an email from a supplier asking to change their bank account details for payments, is to pick up the phone, using a number that you are familiar with or from a trusted source such as the official supplier website, and check directly with the supplier if the request is genuine and the details are correct.
"If you suspect that your business may have fallen victim to fraud, don’t delay, talk to your bank and to Gardaí as soon as possible.”
Minister for Enterprise, Trade and Employment Peter Burke said that SMEs are "the backbone of our economy," accounting for more than two-thirds of employment, and that 92% of them are considered micro-enterprises employing less than 10 people.
"It is vitally important that business owners and employees are aware of the risks that fraudsters pose and put the necessary measures in place," he added.
Neil McDonnell, CEO of ISME, called on SMEs to remain vigilant saying: "Unfortunately, no business is immune to this type of scam and the consequences can be catastrophic.
"I urge all SMEs and their employees to review their current payment policies and procedures. I would also encourage businesses to put training in place for employees to ensure they are constantly aware of current fraud risks and how to avoid falling victim to scammers.
"FraudSMART provides a free guide with information and tips on business fraud and that’s a good place to start.”
Top tips to protect your business from fraud:
- Policies and procedures - ensure a verification process is in place for requests to change supplier bank account details. Use trusted contact details already on record or a contact number on the company’s website. Do not to use the contact details on an email requesting the change as these could be fraudulent or controlled by a fraudster.
- Dual authorisation – ensure that two people from the business are required to complete a third-party payment electronically.
- Fraud awareness and training – ensure staff are given appropriate training on cyber security with a focus on email-related fraud / phishing emails.
- Invoice checking – review invoices thoroughly and ensure there are no irregularities including misspellings and grammatical errors.
- Updated operating systems – ensure that the latest updates for your computer and mobile operating systems are up-to-date and set them to automatically update.
(Pic: Getty Images)
