Irish firms vulnerable to new generation of email fraud and cybertheft scams

The NCSC said cybercriminals can expertly impersonate legitimate contacts — like a company executive or a trusted supplier — to trick staff into transferring money or sensitive data.
The State’s cybersecurity agency is warning of a “noticeable increase” in reports of attempts to defraud companies or steal sensitive data from them through email deception.
The National Cyber Security Centre (NCSC) has provided advice to firms to protect themselves from business email compromise.
The centre said it is a type of cybercrime where attackers impersonate a legitimate business contact — such as a company executive or a supplier — to trick individuals into transferring money or sensitive data.
It often involves both an email and what is called “social engineering”, where fraudsters use manipulation techniques to deceive and pressure the recipient to send payment.
The criminals typically carry out homework on their target before launching their attack.
The NCSC said business email compromise “can cause significant financial and reputational damage”. It said common scenarios include:
- An attacker pretends to be a company executive requesting an urgent wire transfer;
- A vendor’s email is compromised and used to send fake invoices or change payment details;
- Attackers trick HR or payroll staff into changing an employee’s direct deposit account;
- Criminals pose as legal counsel to pressure action on a confidential matter.
The NCSC said business email compromise costs Irish organisations millions every year.
“In 2023, SMEs [small to medium enterprises] alone lost almost €10m to invoice redirect fraud,” it said.
It said organisations of all sizes are vulnerable to this type of attack, which mainly focusses on payment fraud by impersonating trusted contacts such as suppliers, executives, or partners.
Two examples in Ireland include:
- A local authority paid over €500,000 to a fraudster after receiving a fake invoice from a spoofed supplier email address. The email appeared credible, and payment was made without secondary verification. The loss was not recoverable;
- A private company had over €98,000 stolen as a result of this type of fraud. The money was transferred to a bank account in Portugal. Working with the financial institution, the payment was cancelled, and all the money was recovered.
The NCSC advises companies to have a strict call-back verification process where there is any change in the bank details provided in emails.